Friday, August 14

My Journey to Find Joomla CVEs (Part 1)

Some of my CVEs:

  1. CVE-2020-10238: Incorrect Access Control in com_templates (this blog) CVSS 2.0: 5.0 and CVSS 3.x: 7.5
  2. CVE-2020-10239: Incorrect Access Control in com_fields SQL field CVSS 2.0: 6.5 and CVSS 3.x: 8.8
  3. CVE-2020-10241: CSRF in com_templates image actions CVSS 2.0: 6.8 and CVSS 3.x: 8.8
  4. And more.

—————————————————————————————————————————————–

I took part in a project at my company to pentest a customer's website, and this website ran the Joomla CMS.

Before starting, definitions of some concepts:

1. CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary-type list of standardized names for vulnerabilities and other information related to security exposures. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools.

2. CMS?

CMS stands for Content Management System; it helps to manage and edit content easily. The content could be electronic news, newspapers, photos, videos, and other media.

A CMS saves time and reduces operating and maintenance costs, so many companies use one now. It is not only companies: small blogs being launched also choose a CMS to build a website and manage content easily, and to save on website construction fees.

Among these, Joomla is one of the main CMSs, after WordPress.

Starting

The website under test ran Joomla version 1.5. There are multiple CVEs for that version, but none of them could be exploited. I decided to scan Joomla's components. The website used the AllVideos Reloaded component, which is vulnerable to SQL injection (I found it manually, because the scanning tool reported a 200 OK response where the page was actually a 404 Not Found). From the SQLi, I got the usernames and passwords. But the passwords were stored as salted MD5 hashes (md5().salt). Fortunately, they could be brute-forced.

I used online hash-lookup websites to find collisions for the hashes of the manager and super-admin accounts. With the manager's rights, you can only create articles. For the super-admin hash, the site asked for payment in bitcoin, which I didn't have. So I decided to use the manager's rights to bypass the upload filter and upload a shell.

As you know, bypassing the upload filter to upload a shell is not easy in a CMS, but I still decided to try. Searching Google for "PHP extension" did not work. Then I had an idea: add a dot "." after the filename. It worked.

Finding out

I wanted to get a CVE for it, but when I checked the newest version, the issue had already been fixed and assigned a CVE (CVSS v2 6.8). What a pity!

On the first workday after Lunar New Year I still tried to find a bypass, but it didn't work. I realised I had chosen the wrong way, and switched to looking for a privilege escalation.

Joomla has three administrator roles: manager, admin and super admin. If you are super admin, you can do anything. In this case, I had an admin account with limited permissions.

com_templates allows a super admin to add, delete and edit a template's code from the website interface, such as:

[Screenshot: super admin's template interface]

Affected installs: <= 3.9.15.

Access link:

yourdomain/administrator/index.php?option=com_templates&view=template&id=506&file=aG9tZQ==

When I logged in with an admin account, the interface looked like this:

[Screenshot: admin's template interface]

The two interfaces are different.

I had an idea: use the admin account to edit the index.php file to get RCE.

First, I captured the request for editing the index.php file as super admin:

Add some PHP shell code into the index.php file:

[Screenshot: adding PHP shell code to get RCE]

Click the Save button and use Burp Suite to capture this request:

To make it easier to read, I deleted index.php's content and kept only the PHP shell code:

[Screenshot: super admin's token]

The yellow highlight is the super admin's token. Joomla uses a token to prevent CSRF.

Keep this request in Burp Suite's Repeater.

Log in with the admin account.

To get the admin's token:

Click the Edit button and use Burp Suite to capture this request:

[Screenshot: finding the admin's token]

The yellow highlight is the admin's token.

Replace the super admin's token with the admin's token and edit the URI:

[Screenshot: the request used to get RCE]

Forward it, and the result:

[Screenshot: file saved]

Done, the PHP shell code was saved. Where is my shell?

Simply go to the homepage:

[Screenshot: RCE on the homepage]
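To make the root cause concrete, here is an added, constructed model of the template-file save check (not Joomla's own code; the session store, role names and token values are assumptions). The flawed form accepts any backend session whose anti-CSRF token matches, which is why submitting the admin's own token worked, while the hardened form also requires the super admin role.

```python
import base64
import hmac

# Constructed model of the backend save flow; not Joomla's implementation.
SUPER_ADMIN = "super admin"
ADMIN = "admin"
MANAGER = "manager"

# Constructed sessions: each carries its role and its per-session anti-CSRF token.
SESSIONS = {
    "sess-super": {"user": "root", "role": SUPER_ADMIN, "token": "c0ffee"},
    "sess-admin": {"user": "alice", "role": ADMIN, "token": "deadbeef"},
    "sess-manager": {"user": "bob", "role": MANAGER, "token": "feedface"},
}


def decode_file_param(value: str) -> str:
    """The com_templates 'file' parameter is base64, e.g. aG9tZQ== -> 'home'."""
    return base64.b64decode(value).decode()


def token_is_valid(session: dict, submitted: str) -> bool:
    # Constant-time comparison of the submitted token against the session's token.
    return hmac.compare_digest(session["token"], submitted)


def save_template_file_vulnerable(session_id: str, submitted_token: str, file_param: str) -> str:
    """Flawed pattern: any logged-in backend user with a matching token may write the file.
    The token only proves the request came from the user's own session, not that the
    user is allowed to edit template code."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "denied: not logged in"
    if not token_is_valid(session, submitted_token):
        return "denied: invalid token"
    return f"saved {decode_file_param(file_param)} as {session['user']}"


def save_template_file_hardened(session_id: str, submitted_token: str, file_param: str) -> str:
    """Hardened pattern: same CSRF check, plus an explicit authorisation check that the
    session holds the super admin role before any template file is written."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "denied: not logged in"
    if not token_is_valid(session, submitted_token):
        return "denied: invalid token"
    if session["role"] != SUPER_ADMIN:
        return f"denied: {session['role']} may not edit template files"
    return f"saved {decode_file_param(file_param)} as {session['user']}"
```

Note that a stolen super admin token does not help the admin session in either version: the token is bound to the session, so the actual control that was missing is the role check.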

When I found it, I reported it to the JSST (Joomla Security Strike Team). And the final result:

Joomla assigned a CVE to my issue.

For automation, I wrote a tool to exploit it easily:

[Screenshot: exploiting with the tool]

Video :

https://vimeo.com/396947804

Github:

https://github.com/HoangKien1020/Joomla-CVE/tree/master/CVE-2020-10238

The CVE has been assigned:

https://developer.joomla.org/security-centre/804-20200303-core-incorrect-access-control-in-com-templates.html

Source for the concepts:

  1. https://www.webopedia.com/TERM/C/CVE.html
