ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)

Notice: Monitoring services will be discontinued from March 31st, 2019.

Joomla

Joomla is an open source content management system (CMS) for building web applications and managing every aspect of a site's content, such as photos, videos, text and documents. As one can imagine, a Joomla site is a high-value target, whether the attacker reaches the admin control panel or finds a way to run code on the server without logging in at all.

Remote Code Execution

Remote code execution (RCE) is one of the attacker's preferred ways into a network. In simple terms, RCE happens when an attacker exploits a bug in an exposed service so that the service runs code the attacker supplies, for instance a web shell or a command that fetches malware. On a web application it is akin to handing a stranger a shell on the server running as the web server's user, from which they can read everything the application can (including its database credentials) and try to escalate further.

A critical remote code execution (RCE) vulnerability (CVE-2015-8562) was disclosed in Joomla! in December 2015. It drew a lot of attention for the following reasons.
  - Exploitation in the wild began before the fix was published; it was used as a zero-day.
  - It is very easy to exploit: a single unauthenticated HTTP request with a crafted header is enough.
  - Every Joomla release from 1.5.0 up to and including 3.4.5 is vulnerable, provided the server's PHP version allows the exploitation technique described below.

The attacker injects a crafted value through the X-Forwarded-For or User-Agent request header and ends up with code execution. All Joomla! versions below 3.4.6 are vulnerable, but the known exploitation technique only works when PHP is older than 5.4.45, 5.5.29 or 5.6.13, the releases that changed how PHP's session decoder reacts to a corrupted session value. What the attackers are doing is object injection through these HTTP headers, which leads to full remote command execution. Accepting any untrusted serialized data is bad, but objects are the most dangerous, because the PHP runtime calls their __wakeup() and __destruct() magic methods, and the application's own classes can contain useful 'gadgets' in those methods that chain into RCE. By default Joomla! stores user sessions in the site's database (the #__session table), and the raw header values are written into that session data, which is how the crafted value reaches the deserializer on a later request carrying the same session cookie.

PHP Session Serialization and Object Injection

PHP's session serialization format (the default session.serialize_handler=php) differs from the usual serialize() output, particularly in how it writes the top-level keys. Here is a comparison of the two for the array array('a' => 'a', 'b' => 'b'):

    A standard serialize() call gives a:2:{s:1:"a";s:1:"a";s:1:"b";s:1:"b";}
    whereas session_encode() returns a|s:1:"a";b|s:1:"b";

As you can see, the second encoding still serializes each value in the regular way but writes each top-level key of $_SESSION as a bare name terminated by a pipe (|) rather than as a length-prefixed string inside an array. This is what lets an attacker store arbitrary session data in the database. When it creates a new session, Joomla! takes the client's User-Agent and stores it under the session.client.browser key (the X-Forwarded-For value goes under session.client.forwarded), and the whole session is saved to the database later. In theory, then, one could close the serialized array one is sitting in and start a new session entry, using a value such as "}__test|a:100:{some serialized data}". Sending that alone achieves nothing, as some will have noticed: the header value is itself stored as a length-prefixed string, so the decoder reads the "}" and the "|" as ordinary bytes of that string, and everything after the payload (the rest of Joomla's own session data) is still in place. To get anything malicious into the session, the attacker has to get rid of all the data located after the injected payload, so that the stored string is shorter than its declared length. The decoder then fails on that value, and unpatched PHP resumes scanning from where it stopped for the next pipe, finds "__test|" and deserializes the attacker's data as a new session variable. In the public exploit the trailing data was removed by appending a 4-byte UTF-8 character, which the session table's 3-byte utf8 column cannot hold; in MySQL's default non-strict mode the value is cut at that character with only a warning. From the moment the attacker can push an arbitrary serialized payload into the session, he is conducting what is known as an object injection attack, which is what leads to remote code execution on the victim's site.
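The mechanism described above, as an added example that is not part of the original article and not Joomla or PHP code: a Python model of the php session serializer and of the session decoder's scanning loop, run on an abbreviated Joomla-style session whose User-Agent carries the "}__test|" marker from the text. The class name Injected is made up (a real attack names an existing class whose magic methods do something useful), the session keys shown are a cut-down version of what Joomla stores, the row truncation is modelled directly rather than through MySQL, and lengths are counted in characters where PHP counts bytes, which does not change the length comparison the decoder performs.

```python
# Python model of PHP's "php" session serializer and of the decoder loop that
# the Joomla injection abuses.  Added example, not PHP or Joomla code.

class UnserializeError(Exception):
    """Raised where PHP would give up; args[0] is the cursor it leaves behind."""

def php_serialize(value):
    """serialize() for int, str and array (dict), enough for this example."""
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value), value)
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
    return "a:%d:{%s}" % (len(value), body)

def session_encode(session):
    """session_encode(): each top-level $_SESSION key becomes name|<value>."""
    return "".join("%s|%s" % (k, php_serialize(v)) for k, v in session.items())

def _unserialize(data, pos):
    tag = data[pos:pos + 2]
    if tag == "i:":
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == "s:":
        colon = data.index(":", pos + 2)
        n, cur = int(data[pos + 2:colon]), colon + 2  # cur is past ':"'
        if len(data) - cur < n:  # declared length exceeds what is left
            raise UnserializeError(pos + 2)  # PHP: *p = start + 2
        if data[cur + n:cur + n + 1] != '"':
            raise UnserializeError(cur + n)
        return data[cur:cur + n], cur + n + 2  # past '";'
    if tag in ("a:", "O:"):
        colon = data.index(":", pos + 2)
        n, cur, cls = int(data[pos + 2:colon]), colon + 1, None
        if tag == "O:":  # O:<len>:"Class":<nprops>:{...}
            cls, cur = data[cur + 1:cur + 1 + n], cur + n + 2  # now at ':'
            colon = data.index(":", cur + 1)
            n, cur = int(data[cur + 1:colon]), colon + 1
        if data[cur:cur + 1] != "{":
            raise UnserializeError(cur)
        cur, items = cur + 1, {}
        for _ in range(n):
            key, cur = unserialize(data, cur)
            items[key], cur = unserialize(data, cur)
        if data[cur:cur + 1] != "}":
            raise UnserializeError(cur)
        return (("object", cls, items) if cls is not None else items), cur + 1
    raise UnserializeError(pos)

def unserialize(data, pos):
    """Parse one value at data[pos]; return (value, next_pos).  Objects come
    back as ('object', class_name, props) so they stand out from strings."""
    try:
        return _unserialize(data, pos)
    except (ValueError, IndexError):
        raise UnserializeError(pos)

def session_decode(data, legacy):
    """PHP's php session decoder.  legacy=True mirrors PHP before 5.4.45/
    5.5.29/5.6.13: after a failed unserialize it resumes scanning for the next
    '|' where the parser stopped.  legacy=False fails outright like the fixed
    releases.  Returns the $_SESSION dict, or None on failure."""
    session, p = {}, 0
    while p < len(data):
        q = data.find("|", p)
        if q == -1:
            break
        try:
            session[data[p:q]], p = unserialize(data, q + 1)
        except UnserializeError as err:
            if not legacy:
                return None
            p = max(err.args[0], q + 1)
    return session

PAYLOAD = 'O:8:"Injected":1:{s:1:"x";s:1:"y";}'  # hypothetical gadget object
# The trailing character is the public exploit's truncation trick: a 4-byte
# UTF-8 code point that the 3-byte 'utf8' column of #__session cannot store.
USER_AGENT = "}__test|" + PAYLOAD + "\U0001D306"

def joomla_session_row(user_agent):
    """Abbreviated Joomla session: '__default' namespace, raw User-Agent kept
    in session.client.browser, and more data after it."""
    return session_encode({"__default": {"session.counter": 1,
        "session.client.browser": user_agent, "user": {"id": 0, "guest": 1}}})

def decode_stored_session(user_agent, column_truncates, legacy_php):
    """Round trip: Joomla encodes, MySQL stores, PHP decodes on the next request
    with that cookie.  Returns (session or None, [(key, class) of objects])."""
    row = joomla_session_row(user_agent)
    if column_truncates:  # non-strict MySQL keeps what precedes the first 4-byte char
        row = row[:next((i for i, c in enumerate(row) if ord(c) > 0xFFFF), len(row))]
    session = session_decode(row, legacy=legacy_php)
    objects = [(k, v[1]) for k, v in (session or {}).items() if isinstance(v, tuple)]
    return session, objects

if __name__ == "__main__":
    print(decode_stored_session(USER_AGENT, True, True)[1])  # -> [('44:"}__test', 'Injected')]
```

Calling decode_stored_session with the row intact gives back the whole User-Agent, pipe and brace included, as the harmless session.client.browser string on either decoder, because the string is length-prefixed. With the row cut after the payload, the legacy decoder fails on that string, resumes at the next pipe and hands back an Injected object under the garbage key 44:"}__test (and the real Joomla namespace is lost entirely), while the patched decoder returns nothing at all. The key name is irrelevant to the attacker: what matters is that an object of their chosen class now exists and will have its magic methods run.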

Prevention Methods

1) Update Joomla immediately to 3.4.6 or later. Upgrading PHP to 5.4.45, 5.5.29 or 5.6.13 (or newer) also blocks the known exploitation technique, but it is not a substitute for patching Joomla.
2) If you are still running the old and unsupported 1.5.x or 2.5.x branches, apply the hotfixes the Joomla development team released for them.
3) Verify the fix by testing the site with a penetration-testing framework such as Metasploit, which includes an exploit module for this vulnerability (exploit/multi/http/joomla_http_header_rce).
Metasploit: Metasploit is a framework for exploiting systems for testing purposes. It provides useful tooling for penetration testers, IDS signature developers and exploit researchers, and it lets you confirm whether your own site is still exploitable rather than guessing.
4) Change the FTP password to a strong one (long and made up of mixed characters); credentials present on a host that may have been compromised should be treated as exposed.
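A request-side check for the header values the IDS rule in the title is named after, added here as an example and not taken from the rule, from Joomla or from the original article: it parses a raw HTTP request and flags a User-Agent or X-Forwarded-For value that contains a serialized PHP object, or any serialized value sitting right after a session-name pipe. The sample requests are constructed, not captured traffic, and the class name Injected is made up.

```python
import re

# Constructed sample requests, not captured traffic.  Only the last two carry
# the kind of value the rule name describes; 'Injected' is a made-up class.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: Pipe|Bot/1.0 (a:b)\r\n\r\n",  # a '|' or 'a:' alone is not serialized data
    "GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n"
    'X-Forwarded-For: }__test|O:8:"Injected":1:{s:1:"x";s:1:"y";}\r\n\r\n',
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    'User-Agent: }__test|a:1:{s:3:"cmd";s:2:"id";}\r\n\r\n',
]

INSPECTED_HEADERS = ("x-forwarded-for", "user-agent")  # what Joomla copies into the session

# Serialized PHP object: O:<len>:"<Class>":<nprops>:{
OBJECT_RE = re.compile(r'O:\d+:"[^"]+":\d+:\{')
# A serialized value right after a '|', the shape of a smuggled session entry:
# arrays, objects and strings carry a length, ints, doubles and bools a bare value.
AFTER_PIPE_RE = re.compile(r'\|(?:[aOs]:\d+:|[idb]:-?\d)')

def parse_headers(raw_request):
    """Header name (lower-cased) -> value for a raw HTTP/1.x request.  Enough
    for this check; a production parser must also handle folding and repeats."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def inspect_request(raw_request):
    """Return (header, finding, value) for each header value that looks like
    the injection described above; an empty list means nothing suspicious."""
    findings = []
    for name, value in parse_headers(raw_request).items():
        if name not in INSPECTED_HEADERS:
            continue
        if OBJECT_RE.search(value):
            findings.append((name, "serialized PHP object", value))
        elif AFTER_PIPE_RE.search(value):
            findings.append((name, "serialized PHP value after '|'", value))
    return findings

def alert_count(requests):
    """How many of the given requests produced at least one finding."""
    return sum(1 for raw in requests if inspect_request(raw))

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        for header, finding, value in inspect_request(raw):
            print("%s: %s: %s" % (header, finding, value))
```

The same two regular expressions are worth running on the server side as well: over the web server's access log (most log formats record the User-Agent; add X-Forwarded-For to the format if yours does not) and over the data column of Joomla's #__session table, which is where a crafted value ends up and therefore where evidence survives after the request itself is gone.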

Our 'Admin-ahead Server Security Monitoring' service's intrusion detection system comes with protection for your server and can detect and block high-severity attacks such as this one.
