A Core Remote Code Execution Vulnerability (CVE-2015-8562) in the popular content management system (CMS) Joomla! was recently discovered. The vulnerability affects all versions of Joomla! prior to 3.4.6, and while updating the CMS to the latest version will patch the bug, there are still plenty of unpatched targets out there and Symantec has observed attackers actively scanning for and attacking vulnerable servers.
With over 50 million downloads Joomla! is one of the most widely used content management platforms and is used by some very popular websites, meaning the vulnerability potentially puts millions of users at risk. In an attack scenario, an attacker can use this vulnerability to execute commands on the server, tamper with the website or database contents, host malware on the server, or even redirect visitors to other malicious websites.
How attackers find and exploit vulnerable servers
The exploit code is relatively easy to deploy and doesn’t require much skill, all that is needed is a single HTTP request. According to our telemetry, the methods attackers are using to scan for vulnerable versions of Joomla! is similar to methods we covered in a recent blog on an RCE vulnerability in the vBulletin platform. Attackers are scanning for servers running vulnerable versions of Joomla! by attempting to call a phpinfo() function or printing out an MD5 of a predetermined value. As with the vBulletin RCE exploit attacks, it is likely attackers are scanning and documenting vulnerable web servers for exploitation at a later time.
Let’s take a look at how attackers are doing this.
In one method used by attackers, if the targeted server is vulnerable, the MD5 hash for the value 233333 is printed in the response sent by the server.
Figure 1. MD5 hash printed in the server response
Another method involves the attacker attempting to execute the eval(char()) function and waiting for any output from the die(pi()); function in the response. If this response is received it tells the attacker that the server is vulnerable.
Figure 2. Server response from eval(char()) function
System administrators can look for the methods described previously as possible indicators of attack (IoA) or indicators of compromise (IoC). By examining web access logs, administrators can look for the requests and, if found, compare the time they were made to the time the server was patched to determine if the system was likely to have been breached.
Malicious script injection
Once a system is found to be vulnerable, the attackers can then proceed to the main attack. This usually involves the installation of a back door to enable the attackers to gain full access to the compromised computer.
The section of code shown in Figure 3 is part of an encoded PHP back door which is used against vulnerable Joomla! servers. Once the back door is established on the server, the attacker can execute commands, tamper with websites hosted on the server, or upload and download files at will.
Figure 3. Section of code from back door threat used on vulnerable servers
Malicious uses of compromised servers
Because the Joomla! CMS software is used by many popular websites cybercriminals know that if they can compromise the servers running these sites they can use it to attack the site’s visitors. The compromised servers can be used for a host of malicious activities. We have observed many infected servers being used to redirect visitors to exploit kits. It is also possible that compromised servers are hosting malware.
As we’ve observed before, another option for attackers is to sell or hire compromised servers on underground markets for illegal activities such as distributed denial of service (DDoS) attacks. In addition to this, information that may be stolen from compromised servers can be a valuable commodity in the criminal world.
Since the Joomla! RCE vulnerability was discovered, servers running vulnerable versions of the CMS are actively being scanned for and attacked. On average, we are detecting more than 16,600 attacks per day on vulnerable Joomla! servers.
Figure 4. Attacks on vulnerable Joomla! servers
Mitigation
Any Website using Joomla! (1.5 to 3.4) is vulnerable to this attack. Administrators are advised to upgrade their Joomla! CMS software to the latest version as soon as possible. For end of life (EOL) versions of Joomla! security hotfixes are available to patch the vulnerability.
For general advice, a good source for security tips and best practices in relation to server installations is the OWASP PHP Security Cheat Sheet.
In addition, Symantec advises administrators to follow these best practices to stay safe:
- Keep security software, as well as all other software, up to date
- Make frequent and multiple backups of important data
- Monitor logs and respond promptly if a threat is found
- Never store passwords in plaintext
Protection
Norton Security, Symantec Endpoint Protection, and other Symantec security products protect users against this threat with the following detections:
Intrusion Protection System