[Request] Critical 0day RCE in Joomla (CVE-2015-8562) #6347
Comments
Thank you, @madmike33. Looks much better, lol.
Agree
@wvu-r7 how about some labels
Changes from this version:
This seems to be the payload: https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/database/driver/mysqli.php#L83
@firefart tu, interesting, it's all about uploading the payload in the tokens, if I am not wrong
This seems to be the raw payload:
cc @brandonprry
I am very close, give me an hour or so.
@brandonprry waiting to be the first one to test it :)
@brandonprry great! I need to get some sleep, will check it tomorrow morning in about 6 hours
It takes two requests; one to put the tainted data in the db. (I think) I have not gotten full RCE yet, but sending this request a few times will yield a 500 error.
GET / HTTP/1.1
The error in the log is:
[Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] PHP Warning: session_start(): Failed to decode session object. Session has been destroyed in /var/www/html/libraries/joomla/session/session.php on line 665
Still working on getting the payload to work correctly. The intent is obvious, but something seems to be missing...
Ah, extra info: the data you are manipulating is in the *_session table in the 'data' column. Also, that payload should sleep for 5 seconds on the second request if it worked.
@brandonprry waiting for your info.
The 500 error I am getting seems completely unrelated and is a Duplicate entry exception.
Still working. Not sure if they are related or not, but one (the error.log session error) always happens with the other (SQL exception for duplicate value). I think they are related in that the session is not being deserialized correctly coming out of the DB, so Joomla decides to write the cookie again, but it already exists.
They are not related. EDIT: I might have spoken too soon.
@brandonprry so exactly how far I got :(
I poked at this on my own... and got equally as far, lol.
Think I got it.
so it seems the exploit works like some session injection. It puts in a new session identifier
Gonna put together a PoC... hope it's not a fluke!
@wvu-r7
Doh! Looks like a false alarm. Perhaps using a time-based attack wasn't ideal, since I happened to get the expected delay repeatedly. :(
So anything new so far guys? The thing is in the payload; according to Sucuri they modified the payload. @wchen-r7 any idea from your side too?
Yeah, we're missing some critical details here, so there's a lot of code reading and experimentation going on. Wonder how close @brandonprry is now.
Anybody with good knowledge of OOP can execute this, I'm still trying.. anyone using Skype..??
ye it's a good idea, we can make a group and everyone give his idea in Skype @icehteam
@shargon Do you mean that the next time you reload that page, session info is read from the database and deserialized and the object is executed?
@cyadron yes, I thought it's like this: to run the exploit, it's necessary to make 2 calls, one to poison, two to execute. The execution part is simple, Joomla deserializes the session and runs the poison... The hard work is to make the correct payload to exploit it
yes what @cyadron said is true, we need two calls, also as @brandonprry stated earlier
guys please use IRC or Skype for discussing this exploit, this issue is getting too big and too off-topic
My skype is base64_decode('bXIuY2h1cmNobDMzdA=='); , Let me know urs folks.
http://www.freebuf.com/vuls/89754.html <- Solved
The code from freebuf gives an error: |
edit: |
@borismattijssen What's the purpose of posting a screenshot but no technical details?
@jstnkndy I feel like the vulnerability is too young to share the technical details on the internet..
lol
so the screenshot is just.... bragging?
just showing it isn't that hard..
@borismattijssen I see vulnerable in user agent or X-Forwarded, why do you hide the URI?
@falconz my guess, it is not a private address lol
closing this because the details are publicly available and a module is also ready
@firefart In your commit, I recommend just do
Module merged in #6355. Btw, here's why we were failing: #6355 (comment). :-)
Does not work with me...
Does not work on versions below 3.x, need to find another trick
Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.
If this needs CODE to be solved, then I WANT TO TAKE FULL RESPONSIBILITY So... tell me exactly what you need me to code. On Saturday 19 December 2015 09:08 PM, bgeesaman wrote:
@ggg4566 X-Forward works in 3.x, you need to use user agent for some versions. @JohnMartinelli you're late to the party fff...
I've read that a session_decode() bug is needed for this to work....? Can anyone please tell me what that bug is about?
Is this error harmful for other frameworks like CodeIgniter or core PHP websites? I have found these logs in such frameworks. I do not use Joomla for most of the sites, however I still find these logs. If yes, what steps should be taken to prevent it?
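The session_start() warning quoted earlier in the thread is the server-side symptom of session data that fails to unserialize. As an added example (not code from the thread, from Joomla, or from the Metasploit module), here is a small Python parser that scans Apache 2.4 error_log lines for that warning and counts them per client IP, over constructed sample lines in the format shown above; the threshold value is an assumption.

```python
import re
from collections import Counter

# Apache 2.4 error_log line, as quoted in the thread:
# [Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] PHP Warning: ...
# Assumes IPv4 clients; an IPv6 client address would need a different "client" pattern.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<ip>[^\]:]+)(?::(?P<port>\d+))?\] (?P<msg>.*)$"
)

# Text PHP logs when session_start() cannot unserialize the stored session.
SYMPTOM = "Failed to decode session object"

def parse_line(line):
    """Split one error_log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_session_decode_failures(lines, threshold=3):
    """Count session-decode warnings per client IP; return (counts, ips at/over threshold)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and SYMPTOM in rec["msg"]:
            counts[rec["ip"]] += 1
    noisy = {ip for ip, n in counts.items() if n >= threshold}  # assumed review threshold
    return counts, noisy

# Constructed sample log: three warnings from one client, one from another, plus noise.
WARN = ("PHP Warning: session_start(): Failed to decode session object. Session has been "
        "destroyed in /var/www/html/libraries/joomla/session/session.php on line 665")
SAMPLE_LOG = [
    f"[Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] {WARN}",
    f"[Mon Dec 14 18:06:36.102211 2015] [:error] [pid 11184] [client 192.168.0.10:51042] {WARN}",
    "[Mon Dec 14 18:06:37.000000 2015] [core:info] [pid 11185] [client 192.168.0.10:51043] "
    "File does not exist: /var/www/html/favicon.ico",
    f"[Mon Dec 14 18:06:38.441900 2015] [:error] [pid 11186] [client 10.0.0.5:40001] {WARN}",
    f"[Mon Dec 14 18:06:39.771234 2015] [:error] [pid 11184] [client 192.168.0.10:51044] {WARN}",
    "this line is not in error_log format and is skipped",
]

if __name__ == "__main__":
    counts, noisy = find_session_decode_failures(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} session decode failure(s){' <- review' if ip in noisy else ''}")
```

One or two such warnings can be a corrupted cookie; a burst from one client is worth correlating with the access log for that period.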
madmike33 commented Dec 14, 2015
@jvoisin r u interested mate
This is a serious vulnerability that can be easily exploited and is already in the wild. http://hubs.ly/H01B2K20