CVE-2016-9838 - Joomla! Account Takeover & Remote Code Execution
Introduction
Joomla! has been the target of several critical vulnerabilities during the last year:
- [20161001] - Core - Account Creation
- [20161002] - Core - Elevated Privileges
- [20161003] - Core - Account Modifications
- [20161201] - Core - Elevated Privileges
- CVE-2012-1563: Privilege Escalation: Programming error allows privilege escalation in some cases.
- CVE-2016-9838: Privilege Escalation: Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.
Analysis
The behaviour for user registration is:
- The registration controller is invoked, and its register() method is called.
- Form data is fetched from the jform POST array.
- The controller verifies that the data is coherent (the username is not already taken, the passwords match, ...) and displays error(s) otherwise. Additionally, extraneous fields are silently removed.
- If the submitted data is erroneous, the controller saves it in the session and redirects back to the form.
- Otherwise, the model tries to register the data:
  - The model's registration method is called with the VALID data in $temp.
  - If present, the erroneous form data saved earlier is fetched from the session. Only some of it is filtered.
  - Both arrays are merged (!).
  - The user is created and saved.
The problem arises from the fact that potentially invalid or malicious data is merged with valid data before being inserted in the DB.
From this, we can design a generic exploitation:
- Submit the registration form with invalid data and additional malicious fields; the form gets rejected, and the data is saved in the session.
- Correct the errors and send the form again -> the valid and invalid forms are merged. The additional malicious fields are kept and inserted in the user table.
Exploitation
Joomla! 2.5.2
The exploitation on Joomla! 2.5.2 and below takes advantage of the fact that user groups are not checked upon registration: one can add a jform[groups] value to the form, and get elevated privileges.
Joomla! 3.6.4 and below
The latest exploitation is a bit more complex. By setting an additional field, jform[id], the attacker tricks Joomla! into modifying an already registered user: it is possible to modify his password and email, along with other things. By picking the ID of an administrator, this allows complete access to the administration panel.
Fixes
Both bugs were fixed by hardening the getData() method.
Joomla! 2.5.2
The bug affects Joomla! versions 2.5.2, 2.5.1 and 2.5.0. It was fixed by resetting the groups array() in UsersModelRegistration's getData() method.
Joomla! 3.6.4 and below
The second bug affects versions 1.6.0 through 3.6.4. This time, it was fixed properly, by only merging the fields if they exist in the form.
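To make the difference between the two merges concrete, here is an added PHP illustration (not Joomla!'s own code) of the vulnerable pattern, where everything left in the session is merged, next to the hardened pattern, where a session key is only accepted if the form declares a field with that name. The function names mergeUnfiltered and mergeFiltered, the $formFields list standing in for the form definition, and the sample arrays (including the undeclared 'extra' key) are all constructed for this example.

```php
<?php
// Added illustration (not Joomla! code): two ways of combining the form data
// saved in the session after a rejected submission with the freshly
// validated data of the second submission.

/**
 * Vulnerable pattern: everything stored in the session from the rejected
 * submission is merged, so keys that were never part of the form survive
 * into the data that is written to the user table.
 */
function mergeUnfiltered(array $sessionData, array $validData): array
{
    // Later arrays win on duplicate keys, so validated values override the
    // session copy, but any key present only in the session is kept as-is.
    return array_merge($sessionData, $validData);
}

/**
 * Hardened pattern: only session keys that correspond to a declared form
 * field are kept, mirroring "merge only if the field exists in the form".
 * $formFields is a stand-in for the form definition (assumption of this example).
 */
function mergeFiltered(array $sessionData, array $validData, array $formFields): array
{
    $data = [];
    foreach ($sessionData as $key => $value) {
        if (in_array($key, $formFields, true)) {
            $data[$key] = $value;
        }
    }
    // The validated submission always takes precedence over the session copy.
    return array_merge($data, $validData);
}

// Constructed sample: a first submission that fails validation (password too
// short) and carries a key the form never declared; it lands in the session as-is.
$sessionData = [
    'name'      => 'Alice',
    'username'  => 'alice',
    'email1'    => 'alice@example.invalid',
    'password1' => 'short',
    'extra'     => 'value-not-declared-by-the-form',   // never part of the form
];

// Constructed second, valid submission; extraneous fields were stripped by validation.
$validData = [
    'name'      => 'Alice',
    'username'  => 'alice',
    'email1'    => 'alice@example.invalid',
    'password1' => 'a-much-longer-passphrase',
];

// Constructed list of the fields the registration form actually declares.
$formFields = ['name', 'username', 'email1', 'email2', 'password1', 'password2'];

$unfiltered = mergeUnfiltered($sessionData, $validData);
$filtered   = mergeFiltered($sessionData, $validData, $formFields);

echo "Unfiltered merge keeps 'extra': " . (array_key_exists('extra', $unfiltered) ? 'yes' : 'no') . "\n";
echo "Filtered merge keeps 'extra':   " . (array_key_exists('extra', $filtered) ? 'yes' : 'no') . "\n";
```

The whitelist in mergeFiltered is what removes the attack surface: a key such as an account id or a groups array that the registration form never exposes cannot reach the insert, no matter what was stored in the session during the rejected submission. The check must be done against the form definition rather than against the submitted data, since the submitted data is exactly what the attacker controls.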