Jump to content
Login new information ×
Login new information

Critical 0-day Remote Command Execution Vulnerability in Joomla

Reefa

By Reefa
in Security & Privacy News

Recommended Posts

Reefa

Reefa

Posted
Posted

The Joomla security team have just released a new version of Joomla to patch a critical remote command execution vulnerability that affects all versions from 1.5 to 3.4.

 

This is a serious vulnerability that can be easily exploited and is already in the wild.

 

Zero day Exploits in the Wild

 

What is very concerning is that this vulnerability is already being exploited in the wild and has been for the last 2 days. Repeat: This has been in the wild as a 0-day for 2 days before there was a patch available.

 

We detected the first exploit targeting this vulnerability on Dec 12, at 4:49PM:

 

Quote

2015 Dec 12 16:49:07 clienyhidden.access.log
Src IP: 74.3.170.33 / CAN / Alberta
74.3.170.33 – – [12/Dec/2015:16:49:40 -0500] “GET /contact/ HTTP/1.1″ 403 5322 “http://google.com/” “}__test|O:21:\x22JDatabaseDriverMysqli\x22:3: ..
{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0: .. {}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:..
{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:..

 

We modified the payload so it can’t be misused, but the attackers are doing an object injection via the HTTP user agent that leads to a full remote command execution.

 

We detected many more exploits from this same IP address “74.3.170.33” on Dec 12th, followed by hundreds more exploit attempts from 146.0.72.83 and 194.28.174.106 on Dec 13th.

 

Today (Dec 14th), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked. That means that probably every other Joomla site out there is being targeted as well.

 

Protect Your Site Now

 

If you are a Joomla user, check your logs right away. Look for requests from 146.0.72.83 or 74.3.170.33 or 194.28.174.106 as they were the first IP addresses to start the exploitation. I also recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User Agent as it has been used in the exploits. If you find them, consider your Joomla site compromised and move to the remediation / incident response phase.

 

If you use Joomla, update it now!

 

We are still monitoring this issue and will provide more updates as we learn more about it.

 

sucuri.net

 

 

Link to comment
Share on other sites
  • Views 855
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...