Story about JCE and hack attempt

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Story about JCE and hack attempt

Post by PhilD » Wed Mar 13, 2013 12:28 am

I did some digging this morning.

The exploit affects JCE Extension versions less than or equal to (<=) 2.0.10. The hack exploits, or attempts to exploit, any of these plugins for JCE: the Image Manager, Media Manager, Template Manager, and File Manager plugins.

An Auto Shell Uploader exploit is available in the wild that uploads a shell exploit script as a gif file using a vulnerable version of JCE, changing the extension to php upon successful upload. Typical use would be to load the exploit into a bot, and test any sites run against for an exploitable version, then if an exploitable version is found, upload the shell script and rename it.
The shell script is what is usually uploaded using the exploit which leads to the hacker owning the entire domain account (all sites under a master account) even if other sites are not vulnerable; no passwords or usernames required. So, if you have multiple sites under one account or you tend to sell space to multiple clients from the same account then all sites are exposed to the risk of being hacked.

For those who are unfamiliar with a shell script, it shows the exploited account on a hacker's computer in a file manager type layout of the entire account. The script enables uploads, downloads, file manipulation and editing, time stamp manipulation, and command line execution of server commands and other possibly more specific or custom things.

By default JCE only allows authors or above access from the front end to the editor. Though the hack likely bypasses this requirement directly.

The patch, while apparently effective (I did not attempt the actual hack after applying the patch), does not do what the patch code says it does. The code says that admins and super admins would have full access to the editor's image manager button (which is one avenue the hack uses), etc. from the front end and block all other lower user level access, but this is not the case. The code blocks everyone from front end access to things like the image manager button. If that was the intent, a simple die statement would work without first getting the user level.


The code below would allow admins and super admins front end full access to the editor (able to use the image manager, etc.), while blocking front end full access from all other user levels including the back end lower level (manager) users, or it did in my test environment (J! 1.5.26 and JCE 1.5.7.4). The code replaces all of what is in the jce_patch.php file.

Code:

<?php
// by Phil DeGruy, patch
// -----------------------------------------------------------------
// no direct access
defined('_JEXEC') or die('Restricted access');

// Get the current user (Joomla! 1.5 hands it back by reference).
$user = &JFactory::getUser();

// Only act on requests aimed at the JCE component itself; use isset()
// rather than the @ silencer so undefined keys do not raise notices.
$option_get  = isset($_GET['option'])  ? $_GET['option']  : '';
$option_post = isset($_POST['option']) ? $_POST['option'] : '';
if (($option_get == 'com_jce') || ($option_post == 'com_jce'))
{
    // Test the user level: admins and super admins keep full access...
    if (($user->usertype == "Super Administrator") ||
        ($user->usertype == "Administrator")) {
        return;
    }
    // ...every other user level is refused and the request stops here.
    echo "<h3><div style='text-align:center; color:red'>", $user->usertype,
         " user level access to this JCE Editor function has been Denied</div></h3>";
    die;
}
?>
PhilD

skuran
Joomla! Fledgling
Posts: 2
Joined: Fri Aug 31, 2012 12:49 pm

Re: Story about JCE and hack attempt

Post by skuran » Wed Mar 13, 2013 12:26 pm

The JCE exploit is also used for DDOS attacks targeting US banks.

ahmad
Joomla! Guru
Posts: 902
Joined: Fri Apr 07, 2006 4:02 pm
Location: Egypt

Re: Story about JCE and hack attempt

Post by ahmad » Thu Mar 28, 2013 9:53 am

[removed url] aggregator just published that yesterday. A little bit late maybe? It was discovered back in August 2011!

Just because it was [removed url] published by Metasploit it gets on the list? I won't trust that aggregator anymore. Is there a way we can get feeds from the Vulnerable Extensions List using RSS or e-mail instead of visiting the page from time to time?
Last edited by mandville on Thu Mar 28, 2013 11:31 am, edited 1 time in total.
Reason: removed link to joomlaname website. removed link to site showing hack methods

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Thu Mar 28, 2013 11:33 am

ahmad wrote: Is there a way we get feeds from Vulnerable Extensions List using RSS or e-mail instead of visiting the page from time to time?
As documented, and as shown in the big red letters in the forums: http://feeds.joomla.org/JoomlaSecurityV ... Extensions
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

syndicate604
Joomla! Fledgling
Posts: 4
Joined: Sat Apr 23, 2011 9:54 am

Re: Story about JCE and hack attempt

Post by syndicate604 » Sun May 05, 2013 9:48 pm

Just an FYI: even the latest version of JCE does NOT stop this hack.

I am on the newest versions of both Joomla 2.5 and JCE 2.3.2.4 and today I got this message:

Scanning web upload script file...
Time : Sun May 5 07:53:38 2013 -0700
Web referer URL : http://www.example.net
Local IP : 198.101.xxx.xx
Web upload script user : nobody (99)
Web upload script owner: tphd (510)
Web upload script path : /home/xxxx/public_html/index.php
Web upload script URL : http://www.xxxx.com/index.php?option=co ... 64e0da7743
Remote IP : 148.246.81.80
Deleted : No
Quarantined : Yes [/home/quarantine/xxxx/20130505-075338-UYZycsZlzVMAAH2rPe8AAAAG-file-eFyEX2.1367765618_1]

So I have created a new profile called FRONT END for JCE and disabled all uploads etc. from this profile, and assume this will work as we don't do any front end editing anyway.

Sad to see this hack still works

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Sun May 05, 2013 10:46 pm

Please submit your report with PoC to http://vel.joomla.org

syndicate604
Joomla! Fledgling
Posts: 4
Joined: Sat Apr 23, 2011 9:54 am

Re: Story about JCE and hack attempt

Post by syndicate604 » Mon May 06, 2013 12:39 am

Done, but I got a warning "failed to move file" on submit, so I don't think the attachment worked but post did.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Mon May 06, 2013 8:55 am

Thanks for the info. If you want, email the file direct to [email protected] in the meantime, or provide a download location for it. Did you use a scanning script to get the error?

syndicate604
Joomla! Fledgling
Posts: 4
Joined: Sat Apr 23, 2011 9:54 am

Re: Story about JCE and hack attempt

Post by syndicate604 » Mon May 06, 2013 9:07 am

Yes, I used CXS Watch; live scanning of any uploads caught it.

http://configserver.com/cp/cxs.html

And confirmed by ClamAV.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Mon May 06, 2013 9:43 am

In which case I would check the results with the scanner developer.

happy_noodle_boy
Joomla! Guru
Posts: 692
Joined: Thu Aug 18, 2005 10:32 am
Location: United Kingdom

Re: Story about JCE and hack attempt

Post by happy_noodle_boy » Mon May 06, 2013 6:25 pm

syndicate604 wrote: Just an FYI even the latest version of JCE does NOT stop this hack
[...]
Web upload script URL : http://www.xxxx.com/index.php?option=co ... 64e0da7743
[...]
Sad to see this hack still works
This is a "false positive", i.e. an attempt made at an exploit, detected and intercepted by the scanner based only on the contents of the file in the upload attempt. The URL used in the upload attempt will not work in JCE 2.x as the methods called in the URL apply to JCE 1.5 only. You can test this by logging into your site and initiating an edit (thus creating a JCE session), then pasting the URL into the browser. This should result in a redirect to index.php and an error message.

Joomla has a single point of entry in the index.php file which is used by all Joomla extensions to access the component and API. When index.php is accessed, Joomla routes the request based on the URL variables to the appropriate component, which can then use the rest of the variables to execute the required functions etc.

The scanner intercepts the exploit attempt at the point the request is made to the server, i.e. index.php, quarantines the file and logs the attempt. The file does not reach the JCE component because of this, and even without the quarantine it would not be uploaded because the URL does not access any JCE upload routine, and the session check would fail.
just because you're not paranoid, doesn't mean everybody isn't out to get you.
http://www.maketradefair.org

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Story about JCE and hack attempt

Post by PhilD » Mon May 06, 2013 10:10 pm

As happy_noodle_boy has said, the exploit fails and Joomla redirects to index.php.

JCE developers have this to say on recent events with JCE and Joomla.
http://www.joomlacontenteditor.net/news ... s-security

One issue I see all the time is a site gets hacked and then is "updated to the latest" after the fact. This will not rid a site of the hack, and the hack will continue to affect the site in almost all cases.

happy_noodle_boy
Joomla! Guru
Posts: 692
Joined: Thu Aug 18, 2005 10:32 am
Location: United Kingdom

Re: Story about JCE and hack attempt

Post by happy_noodle_boy » Tue May 07, 2013 8:35 am

PhilD wrote: As happy_noodle_boy has said, the exploit fails and Joomla redirects to index.php.
Thanks for confirming this.

PhilD wrote: JCE developers have this to say on recent events with JCE and Joomla.
http://www.joomlacontenteditor.net/news ... s-security
I wrote that some time ago, yes, in an effort to encourage users to upgrade to the latest version. This article acknowledges issues in early versions of JCE 2.0 (although not related to the exploit attempt discussed here) and JCE 1.5.

PhilD wrote: One issue I see all the time is a site gets hacked and then is "updated to the latest" after the fact. This will not rid a site of the hack, and the hack will continue to affect the site in almost all cases.
I don't believe syndicate604 has experienced a successful hack here, just an arbitrary attempt which was blocked by the scanner based on the contents of the file the exploit was attempting to upload, not the existence of any vulnerability. I'd wager that changing the URL to another component, e.g. http://www.xxxx.com/index.php?option=com_content&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743, would still result in the scanner quarantining the file and logging the attempt.

As I have said in my previous post, the URL used in this exploit is a dead end in JCE 2.x.

almooj-craig
Joomla! Guru
Posts: 500
Joined: Mon Aug 11, 2008 3:05 pm

Re: Story about JCE and hack attempt

Post by almooj-craig » Tue Jul 02, 2013 1:57 am

I had a problem with jce_152 and jce_2019 so I downloaded the newest version jce_2324. It would not install so I unzipped it and took a look at the directory structure. Then renamed the existing jce directories to something like jce-old. Then created new empty directories and copied the files over. For really old versions that do not use the current table, it includes a link to make the table.

The new 2324 version creates a "wf" security token and does not allow you to do anything that I can tell unless the correct security token is in your session data.

Here is an example of some of the post data that jce uses to list, upload, rename and delete files.

Code:

Post: Request Data (get listing)
json = {"fn":"getItems","args":["repairs","all","0"]}
format = raw
wf0f3238ff5640ee67f9405a46645a7f01 = 1
option = com_jce

Post: Request Data (upload file)
name = garblk-l.jpg
action = upload
format = raw
wf0f3238ff5640ee67f9405a46645a7f01 = 1
upload-dir = repairs
option = com_jce

Post: Request Data (get listing)
json = {"fn":"getItems","args":["repairs","all","0"]}
format = raw
wf0f3238ff5640ee67f9405a46645a7f01 = 1
option = com_jce

Post: Request Data (rename file)
json = {"fn":"renameItem","args":["repairs/garblk-l.jpg","garblk-l-77","",""]}
format = raw
wf0f3238ff5640ee67f9405a46645a7f01 = 1
option = com_jce

Post: Request Data (get listing)
json = {"fn":"getItems","args":["repairs","all","0"]}
format = raw
wf0f3238ff5640ee67f9405a46645a7f01 = 1
option = com_jce

Post: Request Data (delete file)
json = {"fn":"deleteItem","args":"repairs/garblk-l-77.jpg"}
format = raw
wf0f3238ff5640ee67f9405a46645a7f01 = 1
option = com_jce

Post: Request Data (get listing)
json = {"fn":"getItems","args":["repairs","all","0"]}
format = raw
wf0f3238ff5640ee67f9405a46645a7f01 = 1
option = com_jce
Just to be on the safe side, I also put that hack into the \administrator\components\com_jce\jce.php file because everything of importance ends up going through that file.

Code:

defined('_JEXEC') or die('RESTRICTED');
// Same user-level gate as the patch earlier in this thread, placed at the
// top of administrator/components/com_jce/jce.php.
$user = &JFactory::getUser();
if (($user->usertype != "Super Administrator") &&
    ($user->usertype != "Administrator"))
{
    // Answer with a 403 so the refusal stands out in the access log.
    header("HTTP/1.0 403 Forbidden");
    echo 'Contact Administrator';
    die;
}
Then in the apache virtual host I did a quick mod_rewrite:

Code:

# Inside the <VirtualHost>; needs mod_rewrite enabled (RewriteEngine On).
# Refuse any request for a PHP or HTML file under the upload/cache folders.
# [NC] makes the match case-insensitive, so create.pHp is caught too.
RewriteCond %{REQUEST_URI} ^/(images|cache|t|logs)/.*\.(phps?|html?)$ [NC]
# [F] answers 403 Forbidden; the substitution is ignored when F is set,
# so "-" is the conventional target.
RewriteRule ^ - [F,L]
I also went through the JCE code and made sure that every place that stops a post because of an incorrect security token generates a 403 code, so that they are easier to spot in the log files.

ahmad
Joomla! Guru
Posts: 902
Joined: Fri Apr 07, 2006 4:02 pm
Location: Egypt

Re: Story about JCE and hack attempt

Post by ahmad » Tue Jul 02, 2013 6:21 am

Kudos for that last snippet about using mod_rewrite to redirect php/html files from unnecessary locations.

I don't know why I didn't use that before. Definitely gonna use that.

keithyoung89
Joomla! Enthusiast
Posts: 181
Joined: Wed Jan 09, 2008 9:12 pm

Re: Story about JCE and hack attempt

Post by keithyoung89 » Fri Nov 08, 2013 2:04 pm

gregzem: the line you quote after which to insert the include statement to call the .php file to block the JCE hack does not exist in index.php (Joomla v2.5.16). Can you clarify please? Thank you

keithyoung89
Joomla! Enthusiast
Posts: 181
Joined: Wed Jan 09, 2008 9:12 pm

Re: Story about JCE and hack attempt

Post by keithyoung89 » Wed Dec 11, 2013 8:50 pm

I've resorted to uninstalling JCE and using TinyMCE. No more hacks - yet.

LouFlo
Joomla! Intern
Posts: 66
Joined: Thu Nov 14, 2013 2:50 pm

Re: Story about JCE and hack attempt

Post by LouFlo » Sun Jan 12, 2014 10:57 am

I have many attempts to /images/stories/ in my logs that I would like to block. My goal is to stop entries in the Redirect component.
I hope this could work:

Code:

# Tag any request whose path contains /images/stories/ (a folder this site
# does not have) and refuse it along with the other bad_bot matches.
SetEnvIf Request_URI "/images/stories/" bad_bot
# Note: <Limit> covers only the listed methods; any other method is not restricted here.
<Limit GET POST HEAD>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>
Of course, I don't have such a folder /images/stories/ on my site, and I use other rules to block the bad bots that limit is made for.
Is that right?

LouFlo
Joomla! Intern
Posts: 66
Joined: Thu Nov 14, 2013 2:50 pm

Re: Story about JCE and hack attempt

Post by LouFlo » Tue Jan 14, 2014 12:18 pm

At least it works.
I added these rules after looking at my logs:

Code:

# Two more request paths seen in the logs; both set the same bad_bot variable.
SetEnvIf Request_URI "/components/com_alphacontent/assets/phpThumb/" bad_bot
SetEnvIf Request_URI "//index.php" bad_bot
I hope it will help to avoid entering a long list of

Code:

Deny from xxx.xxx.xxx.xxx
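An added check, not code from any poster in this thread: it transcribes almooj-craig's RewriteCond and LouFlo's SetEnvIf patterns from the posts above into Python and runs them against request paths modelled on the URLs logged in this thread. REWRITE_COND_HARDENED and the sample paths are my own assumptions, as is the premise that Apache matches REQUEST_URI as the client sent it, without collapsing the doubled leading slash.

```python
import re

# Apache patterns quoted in this thread, transcribed to Python regexes so
# they can be checked against request paths offline.
# almooj-craig's RewriteCond on %{REQUEST_URI}; [NC] means case-insensitive.
REWRITE_COND = re.compile(r"^/(images|cache|t|logs)/.*\.(phps?|html?)$", re.IGNORECASE)
# LouFlo's SetEnvIf Request_URI patterns: unanchored, case-sensitive regex matches.
SETENVIF_BAD_BOT = [
    re.compile(r"/images/stories/"),
    re.compile(r"/components/com_alphacontent/assets/phpThumb/"),
    re.compile(r"//index.php"),   # as posted: the unescaped dot matches any character
]
# Hardened variant (my assumption, not from the thread): "/+" also accepts the
# doubled leading slash seen in the logged requests (//images/stories/...).
REWRITE_COND_HARDENED = re.compile(
    r"^/+(images|cache|t|logs)/.*\.(phps?|html?)$", re.IGNORECASE)


def request_uri(raw):
    """Apache exposes REQUEST_URI / Request_URI without the query string."""
    return raw.split("?", 1)[0]


def rewrite_blocks(raw, pattern=REWRITE_COND):
    """True if the RewriteCond would fire (and the RewriteRule answer 403)."""
    return pattern.search(request_uri(raw)) is not None


def setenvif_bad_bot(raw):
    """True if any SetEnvIf line would set the bad_bot variable."""
    uri = request_uri(raw)
    return any(p.search(uri) for p in SETENVIF_BAD_BOT)


def evaluate(raw):
    """Summarise what each rule set does with one request path."""
    return {
        "rewrite": rewrite_blocks(raw),
        "rewrite_hardened": rewrite_blocks(raw, REWRITE_COND_HARDENED),
        "setenvif": setenvif_bad_bot(raw),
    }


# Constructed request paths modelled on the URLs logged in this thread.
SAMPLE_REQUESTS = [
    "/images/stories/create.php",                # classic dropped-shell location
    "//images/stories/create.pHp?bajak",         # doubled slash + mixed case, as logged
    "/images/logo.jpg",                          # legitimate asset
    "//index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager",
    "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, evaluate(req))
```

The doubled-slash request that appears in the logged attacks slips past the anchored `^/(images|...)` pattern but not the unanchored SetEnvIf match; neither rule set touches the com_jce request itself, which is what the JCE 2.x session token check described by almooj-craig is for.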

muddauber
Joomla! Ace
Posts: 1618
Joined: Thu Jun 08, 2006 11:26 pm

Re: Story about JCE and hack attempt

Post by muddauber » Fri Mar 06, 2015 7:17 am

Looks like the JCE exploit is still quite common. I have been getting continual attacks from all over the world with attacks like:
http://www.mywebsite.comm//index.php?op ... ion=upload

Has there been any development to stop this attack from being successful?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Story about JCE and hack attempt

Post by mandville » Fri Mar 06, 2015 7:34 am

Sure they're not just trying old exploits that may fail on updated sites?

BSmith1199
Joomla! Apprentice
Posts: 9
Joined: Tue May 05, 2015 7:04 pm

Re: Story about JCE and hack attempt

Post by BSmith1199 » Wed Jul 15, 2015 6:22 pm

We got hit. We are running Joomla 3.4.2. Here is the information from logs.

"POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 71 "-" "BOT/0.1 (BOT for JCE)"
"POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 36 "-" "BOT/0.1 (BOT for JCE)"
"GET //images/stories/create.pHp?bajak HTTP/1.1" 200 5277 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
200.109.230.177 - - [06/Apr/2015:04:31:01 -0500] "GET //images/stories/create.pHp?baca HTTP/1.1" 200 7182 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
200.109.230.177 - - [06/Apr/2015:04:31:02 -0500] "GET //images/stories/create.pHp?clone HTTP/1.1" 200 5277 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
"GET //images/stories/source.pHp HTTP/1.1" 200 47100 "-" "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"

Found the PHP files they created and removed them, along with the malware files they installed, which infected every client who came to the site due to the image files they modified.

They also set up a Gmail phishing site. Not sure what that was about, but it also contained a program/virus/spyware/malware program in it.

We are running JCE 2.4.6. I see nothing in the JCE changelogs suggesting they have done anything to stop this in the latest releases. If anyone has any ideas, I am all ears.

In the meantime, we have removed JCE from our installation, marked all files and folders in the "images" directory as read-only, and restored the original files which got damaged.
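An added detection example, written for this thread and not part of any poster's code or of JCE: it parses Apache combined-format access-log lines (the format and the sample lines are constructed, modelled on those in BSmith1199's post above, with TEST-NET addresses) and flags, per client IP, the pattern PhilD described at the top of the thread: a JCE image-manager request followed by a PHP file being served from under /images/.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Requests to the JCE image-manager plugin, as in the log lines quoted above.
JCE_IMGMANAGER = re.compile(r"option=com_jce.*plugin=imgmanager", re.IGNORECASE)
# A PHP-type file requested from under /images/ (doubled slashes tolerated);
# the upload-then-rename attack described in this thread ends with such a request.
PHP_UNDER_IMAGES = re.compile(r"^/+images/.*\.(php\d?|phtml|phps)(\?|$)", re.IGNORECASE)

def parse(line):
    """Fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Tag one parsed entry; an empty list means nothing of interest."""
    tags = []
    if JCE_IMGMANAGER.search(entry["uri"]):
        tags.append("jce-imgmanager-request")
    if "BOT for JCE" in entry["ua"]:
        tags.append("jce-bot-ua")
    if PHP_UNDER_IMAGES.search(entry["uri"]):
        tags.append("php-under-images")
        if entry["status"] == "200":
            # The file exists and was executed: treat the site as compromised.
            tags.append("php-under-images-served")
    return tags

def analyse(lines):
    """Map each client IP with suspicious traffic to a one-line verdict."""
    seen = defaultdict(set)
    for line in lines:
        entry = parse(line)
        tags = classify(entry) if entry else []
        if tags:
            seen[entry["ip"]].update(tags)
    verdicts = {}
    for ip, tags in seen.items():
        probe = "jce-imgmanager-request" in tags or "jce-bot-ua" in tags
        if probe and "php-under-images-served" in tags:
            verdicts[ip] = "likely successful upload: inspect /images and quarantine"
        elif "php-under-images-served" in tags:
            verdicts[ip] = "php served from /images: inspect /images"
        elif probe:
            verdicts[ip] = "jce probe"
        else:
            verdicts[ip] = "probe for php under /images (not served)"
    return verdicts

# Constructed log lines modelled on the ones in this thread (TEST-NET addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Apr/2015:04:30:58 -0500] "POST /index.php?option=com_jce&task=plugin'
    '&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 71 "-" "BOT/0.1 (BOT for JCE)"',
    '203.0.113.5 - - [06/Apr/2015:04:31:01 -0500] "GET //images/stories/create.pHp?bajak HTTP/1.1"'
    ' 200 5277 "-" "Mozilla/5.0 (Windows NT 5.1; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '198.51.100.7 - - [06/Apr/2015:05:10:00 -0500] "GET /images/stories/logo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Apr/2015:05:12:00 -0500] "GET //images/stories/source.pHp HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, verdict in analyse(SAMPLE_LOG).items():
        print(ip, verdict)
```

A 200 on a .php request under /images/ is the signal that matters here, since it means the file is present and executing; a 404 on the same path is only a probe, which is what muddauber and mandville were discussing above.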

