JCE Joomla Extension Attacks in the Wild

Our friends from SpiderLabs, issued a warning today on their blog about increased activity on their honeypots looking to exploit the old JCE (Joomla Content Editor) vulnerability.

JCE is a very popular component that can be found enabled on almost any Joomla site. It has had a few serious vulnerabilities in the past (around 2011 and 2012), and unfortunately we still see thousands of unpatched sites out there. In fact, we get to clean and disinfect many sites compromised through it every single day.

You can read SpiderLabs’ full analysis here:

[Honeypot Alert] JCE Joomla Extension Attacks

And an old one we did on UnmaskParasites about the increased scans we started to see for it a few months ago:

Unmask: Invasion of JCE Bots

If you run a Joomla site and haven’t patched your site lately, please do it as soon as possible. If you are still on the Joomla 1.5.x branch, you need to do it today. There are exploits live in the wild for it, and if you have been lucky and didn’t get hacked yet, it will happen soon.


Read More

Joomla Security Updates – Version 2.5.19 and 3.2.3 Released

The Joomla team just released 2 security updates and pushed out the stable versions for Joomla 2.5.19 and 3.2.3. If you run your site on Joomla, you need to update and apply these patches ASAP to ensure that your site continues to run securely.

If you are behind our CloudProxy Firewall, we will virtually patch these for you so you’re protected even if you do not upgrade. The Joomla website has more details on the security updates.

Issues fixed

On Joomla 2.5.19, these two issues were listed fixed:

Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information

But on Joomla 3.2.3, the following issues were fixed:

High Priority – Core SQL Injection More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core Unauthorised Logins More information

As you can see, there are some high priority SQL injection vulnerabilities along with some unauthorized login vulnerabilities in their Gmail login module (disabled by default).

The SQL injection seems to be related to an exploit released almost a month ago on the weblinks-categories id that was not escaped properly, and seems very easy to exploit.

Our team is still investigating the impact of this one and other vulnerabilities, and we will post more details as we identify them.

Highly Effective Joomla Backdoor with Small Profile

It feels like every day we’re finding gems, or what appear to be gems to us. We try to balance the use of the term, but I can’t lie, these are truly gems. The things they are doing, and by they I mean the attackers, are in some instance ingenious. I think you’ll agree that this case falls into that category.

In short, this is a highly effective backdoor that carries little profile, making it Hight Speed Low Drag.

Understanding Attackers

As we’ve discussed in the past, most attackers have a pretty standard workflow when compromising websites. Here’s that process in it’s simplest form:

  1. Identify point of entry / weakness
  2. Exploit the entry / weakness
  3. Ensure that they can retain access
  4. Cover your tracks

I agree, nothing earth shattering, but it does help us understand what it is we need to be looking for.

Many will make the argument that a site is not clear if you haven’t performed some level of forensics to understand what happened. Often this same analysis will lend itself to items 3 and 4 in the list. Reverse engineering their attempts to clean up their traces and finding those backdoors, diamonds in the ruff.

Unfortunately, this level of forensics is not for everyone and contrary to popular belief it’s not as simple as looking for simple obfuscation. No, these days the backdoors are becoming highly sophisticated, making use of built-in functions and carry little trace of what you might consider to be traditional backdoors.

What many also don’t realize is how important the third step is. If done correctly, the attacker is able to bypass all your access control mechanisms, i.e., logins like administrator and FTP, and work right off your server with little hesitation.

This post is an example of that, for instance take into consideration these two images:

Image #1

Sucuri-Joomla-Backdoor-I

Image #2

Sucuri-Joomla-Backdoor-II

Can you pinpoint the difference or the backdoor? Is there a backdoor?

Joomla Specific Backdoor

The images above are an example of what we recently found and the purpose of this post.

Yes, I agree, it’s unfair for us to ask you to pinpoint the difference in the images; besides, the total change is no greater than 304 bytes.

But for those keen eyes, you probably noticed the difference in the if-clause, here specifically:

if (!in_array($format, $allowable) && !in_array($format,$ignored))

Versus this:

if ($format == '' || $format == false || (!in_array($format, $allowable) && !in_array($format,$ignored)))

For those that are completely lost, it all comes down to how the $format variable is created. For that we have to look here:

$format = strtolower(JFile::getExt($file['name']));

This tell us that the variable is getting the file’s extension using a Joomla native function called getExt. This function does this:

function getExt($file) {
$chunks = explode('.', $file);
$chunksCount = count($chunks) - 1;

if($chunksCount > 0) {
return $chunks[$chunksCount];
}

return false;
}

This in turn breaks the file name into pieces based on the positions of the dot, returning false if there are not dots. If everything is ok it returns the latest group after the last dot, i.e., the extension.

This is where the canUpload function will check if the extension is part of the allowed ones or not. This goes back to the very first if clause shared above.

In the second set, you see two additional conditions, if $format is false or if it’s empty. That’s then followed by another .OR. operator just before checking if the extension is allowed.

In these cases, if the extension is empty or if it’s false or allowed, the file can be uploaded. This and nothing is the same thing, right?

Wow, that one hurt my head too, sorry.. but hang in there.

In order to make the $format false, or empty, the attacker would need to add a trailing dot to the end of the file, like backdoor.php.. But it’s not that simple, the upload alone won’t make it useable.

That brings you to the next obvious question, “Fio, if it’s not usable why the heck did you take us down riddle man?” Glad you asked…

First, because I probably had one too many beers while writing this.

Second, it comes down to this code:

function makeSafe($file) {
// Remove any trailing dots, as those aren't ever valid file names.
$file = rtrim($file, '.');
$regex = array('#(\.){2,}#', '#[^A-Za-z0-9\.\_\- ]#', '#^\.#');
return preg_replace($regex, '', $file);
}

I mean seriously, have you ever seen code in better shape than this? The lines, the logic, even the commenting..

// Remove any trailing dots, as those aren’t ever valid file names.

And you have to appreciate the irony in the function name, makeSafe. Make safe a backdoor that is going to do anything but make your website safe.

Here is the kicker, for those that didn’t catch it, this is a valid function inside ./libraries/joomla/filesystem/file.php, a core file of Joomla. This function, by design, cleans out all odd characters from a filename and returns a safe filename. Sound familiar? Remember that trailing dot? Pretty sure that’s unsafe, Joomla core agrees with us, as such it does what it’s supposed to do, makes a previously unsafe file, safe. Ain’t that something?

Perfect example of a feature that gets abused for bad when it was designed for good.

The Ever Evolving Landscape

I chose to share this little gem with the world because it talks volumes to the evolution in the attacks that we’re seeing. The website security market has turned into a gold rush as of late, but with that growth we have seen new innovation in the way attackers are 1) attacking websites and 2) how they’re retaining control of those same websites.

This is forcing us to really look deep into the various detection and remediation technologies to better understand how to prevent scenarios like the one described in this post.

This attack specifically is not something a signature would have ever picked up, it’s tightly integrated and dependent on what most would categorize as “good” code, and by good I mean it’s part of core and designed to do a good thing. Now extend this line of thinking, think beyond core.

If attackers are starting to look at how “good” code functions and finding ways to manipulate its use, what is to stop them from extending that thought process to code found in your templates, themes, extensions, plugins? This is a real problem that extends far beyond Joomla and will soon plague other CMS applications, if they are not already.

If you have something to add or share on the post, use the comments we’d love to get your hear from you.

If you find yourself in a similar situation, suffering repeated attacks or infections be sure to contact us. Whether you’re infected and need to be cleared, or prefer not to have to deal with this at all, we have a complete security solution to keep your website clean and safe.

Not Just Pills or Payday Loans, It’s Essay SEO SPAM!

Remember back in school or college when you had to write pages and pages of long essays, but had no time to write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay them to write these essays for you.

Essay SEO SPAM

The problem is that this is not only wrong, but it’s also becoming a competitive market where some companies are leveraging SEO SPAM to gain better rankings on search engines (i.e., Google, Bing). They are also using popular sites like bleacherreport.com and joomlacode.org to add their spam links.

Here are a couple example URL’s from sites that got hit (URL’s are still showing SPAM):

Read More

Joomla JomSocial Remote Code Execution Vulnerability

The JomSocial team just released an update that fixes a very serious remote code execution vulnerability that affects any JomSocial version older than 3.1.0.4. From their hot-fix update:

Yesterday we released version 3.1.0.4 which fixes two vulnerabilities.

As a result of the first vulnerability, our own site was hacked. Thankfully, our security experts spotted the attack very quickly and our developers raced out a patch. The information of how to exploit this vulnerability can be found easily by hackers, so you should upgrade right away, to protect your site.

While we were blocking that attack, we also spotted another vulnerability: the opportunity to exploit CStringHelper::escape function to execute eval method. With this new fix, hackers will no longer be able to execute eval function. It’s all a bit technical, but the point is: it’s fixed and we were able to prevent a potential problem.

JomSocial is a widely used component on Joomla and there are thousands of sites vulnerable to it right now. Yes, there is currently an exploit being disseminated amongst the attackers and actively being used. All JomSocial site admins are encouraged to upgrade to this version as soon as possible!

Exploit in the Wild

The vulnerability is very recent, but we are already seeing thousands of requests looking for it on our website firewall. The exploit starts with a simple search (a POST request) for “option=com_community&view=frontpage”. That allows the attackers to see if the component is enabled or not depending on the return code (200 for success or 404 for not found).

If the component is available the attackers will proceed to the exploit phase with a code similar to this one:

&arg4=
 [\x22_d_\x22,\x22%7B%22call %22%3A%5B%22CStringHelper%22%2C%22
escape%22%2C%20%22%40exit%28%40eval %28%40base64_decode %28% ..

This allows the attackers to execute any command they want on the vulnerable site. We are collecting the attackers IP addresses and will provide better statistics on the growth of the attack over the coming days.

Sucuri Users Protected

One thing that gives us great joy is to be able to say that if you are using our web site firewall, you can be assured that you are protected already.

Our generic RCE (command execution) rules were already blocking this exploit, but we also added custom protection for this specific vulnerability and variations. If you are using this extension and are worried that you are vulnerable, try our firewall out.

The Hidden Backdoors to the City of Cron

An attackers key to creating a profitable malware campaign is its persistency. Malicious code that is easily detected and removed will not generate enough value for their creators. This is the reason why we are seeing more and more malware using creative backdoor techniques, different obfuscation methods, and using unique approaches to increase the lifespan of any given attack.

Cron Malware Backdoor

Today we found this malware: A simple, but heavily encoded SPAM injector that was prepended to a valid Joomla File. Yes, nothing new, we have thousands of blog posts that show this kind of malware:


Read More

Big Increase in Distributed Brute Force Attacks Against Joomla Websites

Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection


A few months ago, we discussed and published details about a very large brute force attack targeting WordPress sites.

The attackers (bad guys) had thousands of servers at their disposal, and were attempting all types of passwords on wp-admin (WordPress admin panel) to try to get access to as many WordPress sites as possible. The attacks lasted for a few weeks and then it calmed down. I can’t attest to their successes, but knowing how bad people are at choosing passwords, I guess it worked well for them.

Lately, we started to see the same thing happen to Joomla sites. While most of the sites we monitor would get a few brute force attempts per day in the past, the last couple of days all of them are getting thousands of requests daily.

Against one website, we saw 11,349 requests during the course of a few hours coming from 1,737 different IP addresses. Each IP address was trying to log in once or twice. And after a few hours, it would try again, making this type of attack very hard to detect and block.

Joomla Brute force timeline

We have seen an average of 6,000 brute force attempts against Joomla sites daily across our honeypots and CloudProxy networks. Some days the attacks increased to almost 13k, and dipped as low as 3k attempts. However, for the last 3 days, you can see a big increase, reaching almost 269,976 scans yesterday, September 2nd, 2013. That’s a very big increase out of nowhere.

We also started to see customers complaining about excessive resources utilization, similar to what happened with the WordPress attacks.

Joomla Brute Force Chart

Read More

Joomla Media Manager Attacks in the Wild

If you are using Joomla and didn’t update your site recently, you better stop doing whatever you are doing, and update it now. There is a very serious vulnerability in Joomla’s Media Manager component (included by default), that can allow malicious files to be uploaded to your site.

The only two safe versions of Joomla are 3.1.5 and 2.5.14. If you are not using either of them, you are at risk.


Read More

Joomla Hacks – Part I – Phishing

Joomla is a very popular open source CMS, dominating approximately 10% of the website market. While great for them, horrible for many others, as being popular often paints a big target on your back, at least when it comes to CMS applications.

Lately though, Joomla has had a bad spell, in which a vulnerability was found that was allowing for arbitrary PHP uploads via core. Any site that is not properly updated (or patched), can be an easily compromised. This applies to any website running Joomla 1.0.x, 1.5.x and the 1.6 and 1.7 branches, each one needs to be updated to the supported 2.5 or 3.0. Once that is supported, they need to be updated again to the latest 3.1.5 or 2.5.14 versions.

Unfortunately for Joomla users, the upgrade path is perhaps its weakest link. The reverse compatibility issues are so severe in the various branches that it plays right into the attackers objectives facilitating sever vulnerabilities, allowing them to have wider impacts across the website ecosystem. Because of this, we will share in this post one very specific method attackers are using to perform nefarious acts using the websites you visit or own, a little something known as Phishing.

  • Part I – Phishing injection


Read More

New WordPress and Joomla Updates Available

If you are a WordPress or Joomla user, you better start updating your sites now.

Joomla 2.5.14

Joomla 2.5.14 was released containing some critical security fixes. They didn’t provide much details, but by the summary is seems serious enough to allow users to bypass upload restrictions:

Project: Joomla!
Severity: Critical
Versions: 2.5.13 and earlier 2.5.x versions. 3.1.4 and earlier 3.x versions.
Exploit type: Unauthorised Uploads
Reported Date: 2013-June-25
Fixed Date: 2013-July-31
Description: Inadequate filtering leads to the ability to bypass file type upload restrictions.

More information on Joomla 2.5.14 update here: http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

WordPress 3.6

WordPress 3.6 (a major release) was also announced with multiple new features and bug fixes. It doesn’t have any specific security fix, but keeping your site updated is a must, so we recommend all users to update.

More information on WordPress 3.6 is available here: http://codex.wordpress.org/Version_3.6


We recommend upgrading as soon as possible to reduce the risk of issue. Make sure you test your upgrades in a development environment before you go hot.

If you have any questions, feel free to drop an email.