Joomla exposed to a high-risk 0-day vulnerability that allows remote code execution

Source: Internet
Author: User
Tags: sucuri, security


The Joomla security team has urgently released version 3.4.6 to fix a high-risk 0-day vulnerability. The vulnerability is reported to have been known and exploited in the wild for more than two days, circulating through other channels before the fix appeared, so it is easy to imagine how many Joomla sites have already been compromised.
Following the earlier analysis of the Joomla 3.x SQL injection vulnerability, a remote command execution 0-day has now been disclosed. The affected Joomla versions are reported to range from 1.5 to 3.4. The Joomla security team is fixing older CMS releases by publishing new versions and security patches.
The vulnerability has been exploited for more than two days
Even more worrying, the vulnerability has been exploited through various channels for more than two days. To repeat: it circulated as a zero-day for two days before the patch was released.
Vulnerability source: the User-Agent string
FreeBuf encyclopedia
First, let's look at what a User-Agent string is:
The User-Agent string identifies the browser and provides certain system details to the server of the website you visit. When you open a web page, your browser sends a User-Agent string to that server. The string states which browser you are using, its version number, and details of your system such as the operating system and its version. The website can use this information to serve content tailored to your browser.
In simple terms, the vulnerability allows an attacker to store code in the Joomla database and then have it executed. The entry point for the malicious code is the User-Agent string. The exploitation shows that Joomla stores this string in its database without checking it for malicious content. An attacker can therefore use a custom application or script to craft a User-Agent string carrying malicious code (in the captured request below, a serialized PHP object) and send it to the server. Once the server receives the string and stores it in its database, the injected code is in place.
Vulnerability discovery
The Sucuri security team was the first to detect intrusions using this vulnerability. According to their report, the first exploitation attempt was seen on December 12 (the log excerpt below is dated 2015):
2015 Dec 12 16:49:07 clienyhidden.access.log
Src IP: 74.3.170.33 / CAN / Alberta
74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:...
The Sucuri security team caught the attack and blocked the payload before it could execute. Analysis showed that the attacker had injected an object through the HTTP User-Agent header as the entry point in order to achieve remote command execution. This is how the vulnerability was discovered.
According to the Sucuri Security Team:
We have detected more exploitation attempts, all of which come from the same IP address, "74.3.170.33". Once the vulnerability was exploited, they attempted to connect to "146.0.72.83" and "194.28.174.106".
Protect your site now
If you are a Joomla user, check your server logs immediately for requests from 146.0.72.83, 74.3.170.33, and 194.28.174.106. At the same time, search the logs for the keywords "JDatabaseDriverMysqli" or "O:". If you find any of these, assume your website is no longer secure and begin emergency incident response immediately.
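The log check recommended above, written out as an added example that is not part of the original article or of Sucuri's tooling: it parses combined-format access-log lines and flags the three IP addresses named in the report, serialized PHP objects (matched as O:<length>:"…" rather than a bare "O:", which also hits benign text) and the Joomla class names visible in the captured request. The log lines are constructed samples; the benign entries and the 203.0.113.10 address are assumptions.

```python
import re

# IPs named in the Sucuri report quoted on this page
SUSPECT_IPS = {"74.3.170.33", "146.0.72.83", "194.28.174.106"}

# Apache/nginx "combined" format: ip - - [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# A serialised PHP object starts O:<len>:"<class>"; the quote may be written
# raw, as \x22 (as in the log above) or as \" once the server has escaped it.
PHP_OBJECT_RE = re.compile(r'O:\d+:(?:"|\\x22|\\")')
# Class names from the payload shown on this page
JOOMLA_GADGET_RE = re.compile(r"JDatabaseDriverMysqli?|JSimplepieFactory|disconnectHandlers")

def parse_line(line):
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def assess(entry):
    """Return the reasons a parsed entry is suspicious (empty list if none)."""
    reasons = []
    if entry["ip"] in SUSPECT_IPS:
        reasons.append("source IP named in Sucuri report")
    for field in ("request", "referer", "ua"):
        if PHP_OBJECT_RE.search(entry[field]):
            reasons.append(f"serialised PHP object in {field}")
        if JOOMLA_GADGET_RE.search(entry[field]):
            reasons.append(f"Joomla gadget class name in {field}")
    return reasons

def scan(lines):
    """Return (line number, source IP, reasons) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry and (reasons := assess(entry)):
            hits.append((n, entry["ip"], reasons))
    return hits

# Constructed sample log: line 1 mirrors the shape of the request Sucuri logged, line 3
# comes from a reported IP, lines 2 and 4 are benign (4 contains "O:" but no object).
SAMPLE_LOG = [
    r'203.0.113.10 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;..."',
    r'198.51.100.7 - - [12/Dec/2015:16:50:01 -0500] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    r'74.3.170.33 - - [12/Dec/2015:16:51:12 -0500] "GET / HTTP/1.1" 200 800 "-" "curl/7.47.0"',
    r'192.0.2.55 - - [12/Dec/2015:16:52:30 -0500] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; DEMO:BOT O:1)"',
]
```

Run `scan()` over the lines of a real access log (for example `scan(open("access.log"))`) and review every hit by hand; a serialized-object match in any field is the strong signal, the IP match alone only a lead.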
