Exploiting Serialized XSS in Joomla! (return of the undead CVE)

While reviewing Joomla! vulnerabilities I felt a glitch in the matrix. Deja vu had set in and I was working on the same XSS vulnerability that I had written a test for months prior. The same attack returned to life to claim more developer time and possibly victim websites.

The two CVEs were CVE-2012-1117 and CVE-2013-3267; they had similar data (or lack thereof) in their vulnerability reports. They were both XSS attacks via "unspecified vectors" in the highlight functionality in Joomla! up to 2.5.1 (and again in 2.5.9). While this is very little data, it was just enough to dig into it and re-create the vulnerability. In this little post I will cover the process of reversing PHP to identify 'unspecified' vulnerabilities and, in doing so, show you a little about PHP object serialization attacks.

From the data about the attack, we know that it involves the "highlight" plugin and that it was first fixed in 2.5.1. So we start by diffing the files to see what changed in the new version and find this:


We now see some questionable code that pulls in the highlight value from the GET request, which it expects to be a base64 string. It then decodes the base64, passes the result to unserialize(), and assigns the value to $terms. The $terms values are what get passed directly into JavaScript code at the top of the page (and thus where the vulnerability is).

Before we continue, I feel I may need to explain what unserialize() does. It is the sister function of serialize(), which converts a PHP value into a basic string. This PHP value can be anything (an object, an array, a hash, etc.). unserialize() simply takes a valid serialized string and converts it back into a PHP value. In this case, it converts the serialized string for an array back into a usable array value for PHP.

Now that we know where the vulnerability exists, exploiting it is as easy as stepping back through the process. We just need to make a malicious base64-encoded-serialized-string to assign to the highlight key value pair.

The easiest way to do this is to write your own PHP script that handles each step for you, as shown below:


Sending the new malicious base64 encoded string to the site we're attacking shows that it works!


Here is the applicable HTML source:


Joomla! developers fixed this in CVE-2012-1117 by adding a check that sanitizes all input passed through highlight, removing anything that looks like an HTML tag.

The same attack no longer works, and now produces this HTML:


There was an oversight with this fix though. Since we're already within a <script> tag, we don't need to inject more HTML tags. In order to resurrect this vulnerability back from the dead, we just work around the JavaScript code to make it execute cleanly, with our newly added functions.

Here is a breakdown of what the injected code would look like, first as the array, then serialized and base64 encoded:


And the resulting HTML will look like this (note the "window.addEvent( …" is part of the attack, it is what keeps the JavaScript from failing):


Which works wonders:


The fix pushed to address this looks a lot more solid this time, as they've done away with the serialization and are using htmlspecialchars() now. This may be the last we hear of this zombie-esque vulnerability, but we shall see.
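The gap between the two fixes, as an added example (not Joomla!'s code and not from the original post): tag stripping versus encoding for the JavaScript string context, plus a decoder that refuses serialized objects. The `highlight([...])` template and all function names are hypothetical, and `json_encode()` is a swapped-in, context-aware alternative to the `htmlspecialchars()` call the actual fix uses.

```php
<?php
// Added example, not Joomla! code. Function names and the inline-script
// template are hypothetical.

// Decode base64 + serialize() input without instantiating any object.
function decode_terms(string $param): array
{
    $raw = base64_decode($param, true);   // strict: reject non-base64 bytes
    if ($raw === false) {
        return [];
    }
    // allowed_classes => false (PHP 7.0+) maps serialized objects to
    // __PHP_Incomplete_Class instead of instantiating them.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($value) ? array_values(array_filter($value, 'is_string')) : [];
}

// Tag stripping, as in the first fix: quotes and brackets pass through,
// so a value can still terminate the string literal it is written into.
function render_strip_tags(string $term): string
{
    return '<script>highlight(["' . strip_tags($term) . '"]);</script>';
}

// Context-aware output: json_encode() emits the whole JS string literal and
// the JSON_HEX_* flags escape <, >, &, ' and " as \uXXXX sequences.
function render_js_literal(string $term): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;         // PHP 7.3+
    return '<script>highlight([' . json_encode($term, $flags) . ']);</script>';
}

// Constructed inputs. $param is a benign term list in the old wire format;
// $term contains no HTML tag, only characters that end a JS string.
$param = base64_encode(serialize(['joomla', 'template']));
$term  = 'joomla"]);console.log("marker");//';

print_r(decode_terms($param));
echo render_strip_tags($term), PHP_EOL;
echo render_js_literal($term), PHP_EOL;
```

`htmlspecialchars()` with `ENT_QUOTES` also stops the quote breakout, but it does not escape backslashes or newlines, so an encoder built for the JavaScript context is the safer default for values written into a script block.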


I hope this post shows you that exploiting even "unspecified" vulnerabilities is not that hard to reverse, and sometimes vulnerabilities can easily come back from the dead if the fix is not exactly correct. I should have also unveiled a little about how serialization attacks work, and for those of you who didn't know … hiding in the shadows, just a few lines away from this vulnerability, there existed a remote code execution attack, but that is a story for another time.

 

 
