
Dangerous Joomla Remote Code Execution Zero-Day Exploit Announced Last Week – Proof of Concept Attacks Already Exist Prior to Discovery

December 21, 2015

Joomla, one of the Web’s most popular content management systems, has again been hit by a serious vulnerability. This Joomla zero-day remote code execution flaw (CVE-2015-8562) has the potential to affect millions of users worldwide. If your website uses Joomla as its CMS you should immediately find and install the security fix for the version you are running: Joomla 3.4.6 for the 3.x series, and the hotfix releases Joomla provided for the older 1.5 and 2.5 series. The exploit lets attackers take over Joomla sites that are not protected by an adequate web application firewall and are running on an outdated version of PHP. Reports indicate that attacks against this vulnerability are already widespread and worldwide, and many sites were compromised before the patch was even announced.

As of October 2015, Joomla was estimated to have a 6.6 percent share of the website CMS market according to W3Techs. This is second only to WordPress, and it is estimated that as many as 2.8 million websites worldwide use Joomla. Joomla has been downloaded more than 50 million times and is used by well-known organizations such as Barnes and Noble, the United Nations and eBay.

Quoting Daniel Cid, founder and CTO of the website security firm Sucuri: “This is a serious vulnerability that can be easily exploited and is already in the wild. If you are using Joomla, you have to update it right now. The wave of attacks is even bigger, with basically every site and honeypot we have being attacked [which] means that probably every other Joomla site out there is being targeted as well.”

The Sucuri blog documents that the vulnerability, which affects Joomla versions 1.5 to 3.4.5, involves the user agent string, which is information transmitted by a browser to a web server when a user visits a web page. The user agent string includes the browser type and version and the computer’s operating system and version. It is used by web servers to deliver an appropriate version of a website, such as a mobile versus a desktop version.

Attackers are “doing an object injection via the HTTP user agent that leads to a full remote command execution,” says Daniel Cid. Because many websites use Joomla, it presents an attractive target. If a Joomla site is compromised, attackers may be able to plant malicious code on pages or redirect users to other malicious sites.

One of several ways to tell whether your site has been successfully hacked through this exploit is to request the two URLs below. If either one does not return a 404 Not Found error, you should investigate further or give us a call. Keep in mind that a 404 for both URLs does not mean you are safe: there are other modes of infection, and others have seen code injected into core Joomla files such as /includes/defines.php and /includes/framework.php.

  • www.your-domain-name.com/components/com_media/ajax.php
  • www.your-domain-name.com/libraries/joomla/exporter.php

You should also check your server log files, starting around December 12, 2015, using the regex below (it matches a serialized PHP object carrying a string member, which is the shape of the injected payload):

O:\d+:.*:\d+:\{(s|S):\d+:.*;.*\}

If this returns any hits in your server logs from before you applied the patch, and your site was running a PHP version older than the fixed releases (5.4.45, 5.5.29 or 5.6.13), then you should assume your site has been compromised. The vulnerability depends on the combination of an older PHP session handler and Joomla’s MySQL session table using the 3-byte utf8 charset, which truncates stored data at the first 4-byte UTF-8 character and lets the attacker control where the serialized session data ends.

In the exploit, a GET request carrying the malicious User-Agent string causes Joomla to store that string in its session data, which now contains a serialized object that leads to remote code execution. Your logs may then show a subsequent POST request from the same IP address carrying the payload. The exploit succeeds when Joomla reloads and unserializes the poisoned session data on that later request.
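To make the log check above concrete, here is an added example scanner (our own illustration, not code from Joomla or from Sucuri) that runs the post’s regex over Apache/Nginx “combined” access log lines. It undoes Apache’s field escaping (\" and \xHH) before matching, flags 4-byte UTF-8 characters in the User-Agent, which the exploit needs to truncate the session record, and correlates any later POST from the same IP address. The log lines and the serialized object in them are constructed for the example; the function and field names are this example’s own.

```python
import re
from collections import defaultdict

# Regex from the post (Sucuri's pattern): a serialized PHP object containing a
# string member, as carried in the User-Agent of exploit attempts.
PAYLOAD_RE = re.compile(r'O:\d+:.*:\d+:\{(s|S):\d+:.*;.*\}')

# Apache/Nginx "combined" log format. The User-Agent is the last quoted field;
# Apache escapes embedded quotes as \" and non-printable bytes as \xHH, so the
# field pattern must allow backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Constructed sample: one attacker IP sends the payload in a GET, then a POST;
# a second IP is ordinary traffic. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges. The serialized object is a neutral stdClass, not a
# real exploit chain; the trailing \xf0\x9d\x8c\x86 is a 4-byte UTF-8 character.
SAMPLE_LOG = r'''203.0.113.5 - - [12/Dec/2015:21:50:02 +0000] "GET / HTTP/1.1" 200 10823 "-" "}__test|O:8:\"stdClass\":1:{s:3:\"foo\";s:3:\"bar\";}\xf0\x9d\x8c\x86"
203.0.113.5 - - [12/Dec/2015:21:50:03 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2015:21:51:10 +0000] "GET /index.php HTTP/1.1" 200 10823 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
198.51.100.7 - - [12/Dec/2015:21:52:00 +0000] "POST /index.php HTTP/1.1" 200 10823 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
'''.strip().splitlines()


def unescape_apache(field):
    """Undo Apache log-field escaping (\\xHH, \\", \\\\, \\n, \\t, \\r); returns raw bytes."""
    simple = {'"': 0x22, '\\': 0x5C, 'n': 0x0A, 't': 0x09, 'r': 0x0D}
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c == '\\' and i + 1 < len(field):
            n = field[i + 1]
            if n == 'x' and i + 3 < len(field):
                try:
                    out.append(int(field[i + 2:i + 4], 16))
                    i += 4
                    continue
                except ValueError:
                    pass  # not a valid \xHH escape; fall through and keep the backslash
            if n in simple:
                out.append(simple[n])
                i += 2
                continue
        out.extend(c.encode('utf-8'))
        i += 1
    return bytes(out)


def has_four_byte_utf8(raw):
    """True if the bytes contain a 4-byte UTF-8 lead byte (0xF0..0xF4).
    MySQL's 3-byte 'utf8' charset cannot store such characters, and the
    exploit relies on the session record being truncated at that point."""
    return any(0xF0 <= b <= 0xF4 for b in raw)


def scan(lines):
    """Return (hits, followups): hits are requests whose User-Agent matches the
    payload regex; followups maps each hitting IP to its later POST requests."""
    hits = []
    payload_ips = set()
    followups = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ua_raw = unescape_apache(m['ua'])
        ua = ua_raw.decode('utf-8', 'replace')
        ip = m['ip']
        if PAYLOAD_RE.search(ua):
            hits.append({'ip': ip, 'ts': m['ts'], 'path': m['path'],
                         'four_byte': has_four_byte_utf8(ua_raw)})
            payload_ips.add(ip)
        elif ip in payload_ips and m['method'] == 'POST':
            followups[ip].append((m['ts'], m['path']))
    return hits, dict(followups)


if __name__ == '__main__':
    found, posts = scan(SAMPLE_LOG)
    for h in found:
        print('payload in User-Agent from %s at %s (%s), 4-byte UTF-8: %s'
              % (h['ip'], h['ts'], h['path'], h['four_byte']))
        for ts, path in posts.get(h['ip'], []):
            print('  follow-up POST at %s to %s' % (ts, path))
```

On a real server, feed the script your access log lines instead of SAMPLE_LOG. The regex from the post is deliberately loose and can match benign data that happens to look like a serialized object, so the 4-byte UTF-8 flag and a follow-up POST from the same address are what raise a hit from “look closer” to “treat as compromised”. Joomla stored the X-Forwarded-For header in the session the same way it stored the User-Agent, so if your log format records that header, run the same check over it.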

Below are just some of the POST payloads we have seen:

December 2015 has been one of the biggest months of hacker activity that SlickRockWeb, Inc. can recall in the last several years, and we haven’t even seen the end of the month. Are you prepared? Have you patched your Joomla site yet? Have you ever had the security of your business website audited?

Feel free to contact SlickRockWeb with questions or concerns. We have already patched a few sites and analyzed and removed some backdoors installed from this attack. Let us help you protect your valuable online company assets with a private consultation today! We can help you with patching and/or fixing your compromised site.

Call us at 1(800) 975-5695
www.slickrockweb.com
https://www.facebook.com/SlickRockWeb/
