Joomla high-risk vulnerability scanning event analysis - Vulnerability warning - Heiba Security Net (黑吧安全网)

2015-12-18T00:00:00
ID MYHACK58:62201570144
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-12-18T00:00:00

Description

  1. Summary
  On December 14, the Joomla project issued an emergency release, version 3.4.6, in response to a security vulnerability. According to information published by the security company Sucuri, the scans seen during this period exploit a deserialization flaw in Joomla that leads to command execution, a high-risk vulnerability. Starting in the early hours of December 13 (China time), three IP addresses conducted a large-scale scan of websites worldwide. According to analysis by the Baimaohui (白帽汇) security team, the scan had two characteristics: first, it scanned relatively few Chinese websites and a large number of foreign sites; second, the scan did not trigger any substantive destructive action. Although the scan caused no real damage, the vulnerability itself is highly dangerous: a successful attack can lead to loss of sensitive data, full control of the server, and even service interruption. Websites running Joomla are advised to apply the official update as soon as possible; all versions before the latest release, 3.4.6, are affected. From further analysis of the roughly 60 million websites worldwide that use Joomla, as of 23:30 on December 15 the vulnerability affects at least 49,000 sites, the vast majority of them abroad, with the United States ranked first; domestic monitoring currently shows more than 600 vulnerable websites. We will continue to publish updates as the situation develops.
  2. Event review
  On December 13, the IP 74.3.170.33 launched small-scale vulnerability scanning; on December 14 and 15, the IPs 146.0.72.83 and 194.28.174.106 launched a larger full-network scan. On December 15, Sucuri's official blog published a post stating that on December 13 (China time) it had intercepted large-scale scanning from three IPs. On December 15, Joomla officially released version 3.4.6, which fixes the vulnerability. On December 15, domestic security teams began scanning the Internet in fierce competition with one another, making a continued contribution to the growth of domestic Internet traffic. Technical analysis shows that exploitation requires two requests within the same session. In the large volume of security logs we examined, we saw only the first request that plants the PoC and never the second request that triggers it, which we find puzzling. Consequently we also saw no substantive destructive action, which is a silver lining in an otherwise unfortunate event.
  3. Technical reconstruction
  Diffing against the latest patch shows that the patch removes the collection of the User-Agent header. The vulnerability lies in the process of deserializing the session. In the file libraries/joomla/session/session.php, the _validate function stores the User-Agent value into the database. Joomla does not use PHP's own session handling mechanism; it has written its own session storage container, which stores each entry in the format "key name, a vertical bar, then the value passed through serialize()". The code does not properly handle the case of more than one vertical bar. So an attacker can inject a "|" character: everything before it is treated as the key name, and after it the attacker can insert an arbitrary serialized string that triggers a deserialization exploit. The PoC is a User-Agent header of the following form:
  User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"connection";b:1;}D
  On the first visit to the site, the malicious User-Agent is stored in the database; a second visit to the site with the same cookie then triggers it, which is why the session must stay consistent across the two requests. More technical details
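As an added example (not from the original article and not Joomla's own code), a small log-scanning check a defender can run over web server access logs: it flags requests whose User-Agent contains a "|" followed by a serialized PHP object, the signature of the injected session value described above, and counts hits per source IP so that a scanner like the three described in section 2 stands out. The log lines are constructed samples; the field layout is assumed to be the Apache combined format.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not real traffic). The
# first two carry the kind of User-Agent described above: a "|" followed by a
# serialized PHP object, which is what the injected session value looks like.
SAMPLE_LOG = r'''
203.0.113.10 - - [13/Dec/2015:02:11:05 +0800] "GET / HTTP/1.1" 200 5123 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}}"
203.0.113.10 - - [13/Dec/2015:02:11:06 +0800] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 }__x|O:9:\"SimplePie\":0:{}"
198.51.100.7 - - [13/Dec/2015:02:12:00 +0800] "GET /index.php HTTP/1.1" 200 8711 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/42.0"
198.51.100.8 - - [13/Dec/2015:02:13:00 +0800] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
'''

# One combined-format line: ip ident user [time] "request" status size "referer" "user-agent".
# Quoted fields may contain backslash-escaped quotes, so they are matched with (?:[^"\\]|\\.)*.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$')

# A "|" followed by a PHP serialize() object/array/class marker with a length prefix.
# Legitimate browser and crawler User-Agents never contain this sequence.
SERIALIZED_AFTER_PIPE = re.compile(r'\|\s*[OaC]:\d+:')


def is_suspicious_ua(ua: str) -> bool:
    """True if the User-Agent looks like an injected serialized-session value."""
    return bool(SERIALIZED_AFTER_PIPE.search(ua))


def scan_log(text: str) -> list:
    """Return one finding (dict) per request whose User-Agent carries a serialized payload."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess at fields
        if is_suspicious_ua(m["ua"]):
            findings.append({"ip": m["ip"], "time": m["time"],
                             "request": m["req"], "ua": m["ua"]})
    return findings


def hits_per_source(findings: list) -> Counter:
    """Count flagged requests per source IP; a scanner produces many hits from one address."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['ip']} {f['request']!r} UA={f['ua'][:60]!r}")
    print(hits_per_source(hits))
```

Because the article notes that exploitation needs a second request carrying the same session cookie, a flagged IP that is followed by further requests from the same session deserves a closer look than a single planting request.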
  4. Impact
  Vulnerable targets: sites using Joomla with versions lower than 3.4.6, that is, all versions released before December 15.
  5. Patch and hardening recommendations
  The vulnerability exploited in this event affects a very wide range of sites, so all Joomla websites should upgrade to version 3.4.6 as soon as possible, or install the official patch:
  3.x versions: download from https://github.com/joomla/joomla-cms/releases/tag/3.4.6
  2.x versions: download from https://github.com/joomla/joomla-cms/releases/download/3.4.6/SessionFix25v1.zip
  Note: after downloading the patch, directly replace the file \libraries\joomla\session\session.php with it. In addition, protection can be obtained by adding a cloud security product such as 360 Website Guard (360网站卫士), Baidu Cloud Acceleration (百度云加速), Knownsec (知道创宇), Jiasule (加速乐) and others, which added protection rules in the first period after the vulnerability appeared.
  6. FAQ
  What is Joomla? Joomla is a content management system (CMS) that is quite well known abroad, developed in PHP with a MySQL database, and runs on Linux, Windows, Mac OS X and other platforms. It is not widely used domestically.
  What is the harm of this scanning event? A successful intrusion can result in loss of sensitive data, full control of the server, and even service interruption.
  What is the scope of the impact? Worldwide there are approximately 60 million websites built with Joomla, about 11,000 of them on the Chinese Internet. According to monitoring by the Baimaohui security team, at least 49,000 sites are affected, mainly in the United States; the number of domestic sites actually affected is more than 627.
  Where can I download the patch?
  3.x versions: https://github.com/joomla/joomla-cms/releases/tag/3.4.6
  2.x versions: https://github.com/joomla/joomla-cms/releases/download/3.4.6/SessionFix25v1.zip
  What should I do? Follow the repair recommendations above and update to the new version or apply the patch directly. If you find traces of intrusion, also clear any backdoors left behind by a successful intrusion.
  7. Some affected sites
  Vulnerable sites are concentrated overseas. The top ten countries by number of vulnerable sites are:
  United States: 11781
  Germany: 6522
  Poland: 3622
  Netherlands: 3474
  Russia: 2427
  France: 2423
  UK: 1751
  Italy: 1392
  Australia: 1232
  Canada: 1049
  Well-known domestic sites affected include: the State Forestry Administration
