Joomla! Account Takeover & Remote Code Execution

CVE-2016-9838 - Joomla! Account Takeover & Remote Code Execution

Introduction

Joomla! has been the target of several critical vulnerabilities during last year:

• [20161001] - Core - Account Creation
• [20161002] - Core - Elevated Privileges
• [20161003] - Core - Account Modifications
• [20161201] - Core - Elevated Privileges

As a new year comes, it is a good time to review two high impact vulnerabilities that were discovered four years apart, but that are in fact rooted in the same piece of code.

• CVE-2012-1563: Privilege Escalation: Programming error allows privilege escalation in some cases.
• CVE-2016-9838: Privilege Escalation: Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

To understand how to exploit the bugs, we must first dive into Joomla!'s User module, responsible for every user-related operation, such as login in, or registering. We will focus on the latter, at it is where the magic happens.

Analysis

The behaviour for user registration is:

1. The registration controller is invoked, and the register() method is called.
2. Form data is fetched from the jform POST array.
3. The controller verifies that data is coherent: username is not taken already, passwords match... and displays error(s) otherwise. Additionally, extraneous fields are silently removed.
4. If the original data is erroneous, the controller saves it in session, and redirects back to the form.
5. Otherwise, the model tries to register the data.

The code's logic is perfectly valid. Nevertheless, the mistake happens in the Model's own register() method, which works like this:

1. The method is called with VALID data in $temp.
2. If present, the errorneous form data is fetched from the session. Some of it is filtered.
3. Both array are merged (!).
4. User is created and saved.

The problem arises from the fact that potentially invalid or malicious data is merged with valid data before being inserted in DB.
From these, we can design a generic exploitation:

• Submit the registration form with invalid data and additional malicious fields; the form gets rejected, and the data is saved in session
• Correct errors and send the form again -> Valid and invalid forms are merged. Additional malicious fields are kept and inserted in the user table.

Those two bugs are not the only ones that come from a programming mistake located in the user registration code, CVE-2016-8869 is another example. Here's the culprit:

Exploitation

Joomla! 2.5.2

The exploitation on Joomla 2.5.2 and below takes advantage of the fact that user groups are not checked upon registration: one can add a jform[groups] value to the form, and get elevated privileges.

Joomla! 3.6.4 and below

The latest exploitation is a bit more complex. By setting an additional field, jform[id], the attacker tricks Joomla into modifying an already registered user: it is possible to modify his password and email, along with other things. By picking the ID of an administrator, this allows complete access to the administration panel.

Fixes

Both bugs were fixed by hardening the getData() method.

Joomla! 2.5.2

The bug affects Joomla! versions 2.5.2, 2.5.1 and 2.5.0.

It was fixed by resetting the groups array() in UsersModelRegistration's getData() method.

Joomla! 3.6.4 and below

The second bugs affects versions 1.6.0 through 3.6.4.

This time, it was fixed properly, by only merging the fields if they exist in the form.