Monday, February 4, 2013

Joomla vulnerability transforms web pages into ddosing tools?

In my very first post I've described PHP unserialize function and what are dangers of using it. During my research I've found out that Joomla has not sanitaze and validate serialized argument passing from request (CVE-2013-1453). Vulnerable code exists in Highlight system plugin which is enabled by default. Joomla 2.x and 3.x series are affected (<=2.5.8 and <=3.0.2), however 1.x is not vulnerable.

Exploitation with JStream class:

By using JStream class attacker can "chmod" any files with any mode with web server user, or use it to make connection (by ftp_connect function) to remote host. What is more, when we specify tcp port to 80 in connection string (ftp://u:p@host:80/), the php script will open connection which will last until php script time limit exceeded or connection to host is timeouted (because of differrent protocols). This can be used for DoS/DDoS attacks.


Video of using PoC exploit:


You can download exploit here.

PS. Cheers to Egidio Romano who found this bug week earlier than me and is credited in official joomla report :)

10 comments:

  1. So there's not sql/command execution object that can be created instead of JStream?

    ReplyDelete
    Replies
    1. During my *quick* research I haven't noticed such class in vanilla joomla package. However, some additional plugins may contain interesting destructors and/or __wakeup methods but I haven't checked it at all.

      Delete
  2. Eggix (Egidio Romano) mentioned something about JCategories class for sql injections, but there isn't any visible way to send a query to it. Maybe some input on this http://bit.ly/Y3lVF0 ?

    ReplyDelete
    Replies
    1. Interesting. So it seems it is theoretically possible to perform a blind sql injection for Joomla 3.0 (as Eggix pointed out) but not for 2.5 branch (which was actually my research subject). All you need is to craft serialized plgSystemDebug object where 'params' class attribute will be JCategories object. Then in JCategories->_load (which is triggered by JCategories->get() which is triggered by plgSystemDebug::_destruct()) function we can inject custom values by manipulating JCategories attributes such as _key, _table etc. etc (just take a look inside _load function body where sql query is built). Everything is well described in Egidios post though.

      Delete
  3. I'm sorry if i sound as a beginne, i've read (translated moe) your article on serialization issues, but looking at the JStream class i don't see where the object you are seniding is getting started and the ftp connection to $filename started... Is there some inherited __wakeup or magical method i am not seeing? Thank you!

    ReplyDelete
    Replies
    1. Well, when you look at JStream destructor you will see it's invoking close() method. In the body of close() method, another method chmod() is invoked which executes JFilesystemHelper::ftpChmod(). I hope it helps.

      Delete
    2. Oh thank you, that helps a lot !

      Delete
  4. Awesome. just awesome...i haven't any word to appreciate this post.....Really i am impressed from this post....the person who create this post he is a great human..thanks for shared this with us. i found this informative and interesting blog. Picking a content management system is highly vital I develop on Drupal. Because When I learned the most innovative media sites including Men's Health and Maxim use Durpal, my decision was easy For Drupal hosting I run GetPantheon including automated back-up retention.. which content management system is best in your opinion?


    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. This comment has been removed by a blog administrator.

    ReplyDelete