{"id":82813,"date":"2016-05-04T11:40:55","date_gmt":"2016-05-04T06:10:55","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=82813"},"modified":"2016-05-04T11:40:55","modified_gmt":"2016-05-04T06:10:55","slug":"joomla-exploit-cve-2015-8562-still-at-large","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/joomla-exploit-cve-2015-8562-still-at-large\/","title":{"rendered":"Joomla exploit \u2018CVE-2015-8562\u2019 still at large"},"content":{"rendered":"

Back in December 2015, <\/strong>Joomla, the well-known content management system (CMS) was hit with a serious zero day vulnerability called CVE-2015-8562<\/a>. Joomla versions 1.5.x, 2.x, and 3.x before 3.4.6 were affected by it. Many public exploits were seen in the wild which were exploiting this vulnerability before the CVE was assigned to it. Interestingly, even after 4 months of the security patch being released for this vulnerability, we are seeing active exploitation of this vulnerability in the wild. In this blog post, we will discuss what this vulnerability was and the recent threat actors who were seen to be exploiting this vulnerability in the wild.<\/p>\n

The CVE-2015-8562 Vulnerability
\n<\/strong>The affected versions of Joomla were vulnerable because of improper input validation on the values of \u2018X-Forwarded-For\u2019 <\/strong>and \u2018User-Agent\u2019<\/strong> HTTP headers. The attacker was able to inject malicious code into these headers resulting into remote code execution. The root cause of the vulnerability lies in handling of the browser session values where browser information was not validated properly while saving session values into the database.<\/p>\n

Let\u2019s take a look at the vulnerable Joomla code which is available in github. The below code snippets highlight the vulnerable code of handling the \u2018X-Forwarded-For\u2019 <\/strong>and \u2018User-Agent\u2019<\/strong> HTTP header values.<\/p>\n

\"Figure<\/a>Figure 1<\/p>\n

As shown in figure 1, the value of \u2018X-Forwarded-For\u2019 <\/strong>header is set to a session parameter \u2018session.client.forwarded<\/em>\u2019 which is not sanitized properly.<\/p>\n

The same applies to the \u2018User-Agent\u2019 <\/strong>header.<\/p>\n

\"Figure<\/a>Figure 2<\/p>\n

As shown in figure 2, the value of \u2018User-Agent\u2019 <\/strong>header is set to a session parameter \u2018session.client.browser<\/em>\u2019 which is again, not sanitized properly.<\/p>\n

Due to the absence of input sanitization on both of these HTTP headers, the attacker sends a crafted request to Joomla servers with a malicious payload to carry out remote code execution.<\/p>\n

Malicious crafted request for \u2018X-Forwarded-For\u2019<\/strong> header:<\/strong><\/p>\n

\"Figure<\/a>Figure 3<\/p>\n

Malicious crafted request for \u2018User-Agent\u2019 <\/strong>header:<\/strong><\/p>\n

\"Figure<\/a><\/p>\n

Figure 4<\/p>\n

Many exploits are available in the wild for this vulnerability.<\/p>\n

Recent Threat Actors
\n<\/strong>We have recently observed the following IPs to be exploiting the CVE-2015-8562 vulnerability in the wild. The observed IPs have been reported to be carrying out malicious activities on various online malicious IP scanners such as www.abuseipdb.com.<\/p>\n\n\n\n\n\n\n\n
IP<\/td>\nabuseipdb Report<\/td>\n<\/tr>\n
77.243.183.89<\/td>\nLink<\/a><\/td>\n<\/tr>\n
79.141.160.51<\/td>\nLink<\/a><\/td>\n<\/tr>\n
79.141.161.12<\/td>\nLink<\/a><\/td>\n<\/tr>\n
192.187.114.11<\/td>\nLink<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Below is the \u2018whois\u2019 information for a couple of IPs:
\nwhois information for 79.141.160.51:<\/p>\n

\"Figure<\/a>Figure 5<\/p>\n

whois information for 77.243.183.89:<\/p>\n

\"Figure<\/a>Figure 6<\/p>\n

Quick Heal Detection<\/strong><\/p>\n

Quick Heal has released below the IPS detection for the CVE-2015-8562 vulnerability.<\/p>\n