Friday, August 14

My Journey to find out Joomla’s CVE (Part 2)

Analysis of CVE-2020-10239

Requirement:

  • A user in the Manager group
  • Joomla core from 3.7.0 to 3.9.15

Exploitation:

A user in the Manager group accesses:

domain/administrator/index.php?option=com_fields&context=com_content.article

Select New, then at the Type field choose as in the picture below. Result:

Fill in anything; the result after selecting the Save button:

Error: Only a Super User can create an SQL field!

Scenario: create a new field with an allowed type (text). Then intercept the save request and change the type to sql. Expected result: a new SQL field instead of a text field.

Create a new field with the allowed type text, as in the picture below:

Then click the Save button.

Save again, intercept this request and modify it as in the scenario above:

In the request, the jform%5Btype%5D=text parameter is changed to jform%5Btype%5D=sql.

Forward the request; the result:

Scroll down to add a new SQL query:

SQL query:

UPDATE #__user_usergroup_map SET group_id = 8 WHERE user_id=76 AND group_id=6

The user_usergroup_map table maps users to user groups. 8 is the Super User group, and 76 is the user’s id.

Some ideas about triggering RCE:

  • Get a Super User’s session: RCE can only be triggered when holding a Super User’s session.
  • SQL query to RCE: RCE can only be triggered when the database user is a DBA.
  • I have chosen to change myself to Super User and then trigger RCE: independent of either.

Result:

After saving, how is it triggered?

Go to New Article; this triggers it:

Refresh:

Now you are a Super User, and RCE is triggered as shown:

Root cause:

The faulty code is in:

plugins/fields/sql/sql.php

The onContentBeforeSave function checks the wrong condition: it uses the isNew parameter to test whether the field is new or not, so, as in the scenario above, Joomla did not perform the check when updating an existing field in com_fields.

To fix it, Joomla removed the isNew parameter from the condition, as in the picture above.
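As an added illustration (not Joomla’s actual source), here is a minimal reconstruction of the onContentBeforeSave condition before and after the fix; the DemoUser and DemoItem classes and the two function names are assumptions made for this example.

```php
<?php
// Illustrative reconstruction of the check in plugins/fields/sql/sql.php,
// before and after the CVE-2020-10239 fix. NOT Joomla's verbatim source:
// the helper classes and the split into two functions are assumptions made
// here so the example is self-contained and runs with plain `php`.

// Stand-ins for the Joomla user and table objects (assumed).
class DemoUser { public $isSuperUser; function __construct($s) { $this->isSuperUser = $s; } }
class DemoItem { public $errors = []; function setError($m) { $this->errors[] = $m; } }

// BEFORE the fix: the Super User check is gated on $isNew, so it only runs
// when a field is created. An update whose jform[type] was switched to "sql"
// never reaches the check (the behaviour the post describes).
function onContentBeforeSave_vulnerable($context, DemoItem $item, $isNew, array $data, DemoUser $user)
{
    if ($context !== 'com_fields.field' || !$isNew || ($data['type'] ?? '') !== 'sql') {
        return true; // not a new SQL field: nothing is checked
    }
    if (!$user->isSuperUser) {
        $item->setError('Only a Super User can create an SQL field!');
        return false;
    }
    return true;
}

// AFTER the fix: $isNew is no longer part of the condition, so every save of
// a field with type "sql" (create or update) requires a Super User.
function onContentBeforeSave_fixed($context, DemoItem $item, $isNew, array $data, DemoUser $user)
{
    if ($context !== 'com_fields.field' || ($data['type'] ?? '') !== 'sql') {
        return true;
    }
    if (!$user->isSuperUser) {
        $item->setError('Only a Super User can create an SQL field!');
        return false;
    }
    return true;
}

// Replay the post's scenario: a Manager (not Super User) updates an existing
// text field with the type tampered to "sql", i.e. $isNew is false.
$manager  = new DemoUser(false);
$tampered = ['type' => 'sql'];
$item     = new DemoItem();
$before = onContentBeforeSave_vulnerable('com_fields.field', $item, false, $tampered, $manager);
$after  = onContentBeforeSave_fixed('com_fields.field', $item, false, $tampered, $manager);
printf("vulnerable: save allowed = %s\n", var_export($before, true));
printf("fixed:      save allowed = %s (%s)\n", var_export($after, true), implode('; ', $item->errors));
```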

Result:

CVE-2020-10239 allows RCE.

Recommendation:

Update to 3.9.16 or the latest version.

Automated exploit:

https://github.com/HoangKien1020/CVE-2020-10239
