Monday, April 02, 2007

Security hole and exploit for Joomla and ZigChat.

A bit in Spanish…

To my regular readers: this post is in English because it is the most widespread language on the Internet, and I need it to explain to the sites I am warning about what I have found.
End of Spanish…

This blog has always been written in Spanish. Today I am making an exception so that more people can benefit from this post, as I consider it quite important. Sorry for my English...

  • Introduction
I want to clarify that I haven't found any bug in Joomla! itself, but in the module called ZigChat. This bug is especially serious, as it lets you run arbitrary PHP code on the server. (For example, you can create new files containing new code, or simply read the configuration file and then get into the database, and so on…)

Joomla! is one of the most powerful Open Source Content Management Systems on the planet. It is used all over the world for everything from simple websites to complex corporate applications. Joomla! is easy to install, simple to manage, and reliable.

ZigChat is a Joomla shout box module based on Flash Player 6. Its visual and sound settings are fully customizable (colours, transparency, size, choice of beep, volume, ...) and it automatically turns URLs and email addresses into clickable links.
  • My Story
I am the webmaster of the Spanish website SondasEspaciales.com, dedicated to science, astronomy and especially space probes. Recently we migrated from PHP-Nuke to Joomla 1.0.12. During this process we found the ZigChat module, and my colleagues and I fell in love with this small chat: simple, fast and clear. However, two days later we were very worried, as we found spam that we could not moderate easily. So, as always, I went into the code and created my own commands. Now we can do simple things in ZigChat like deleting spam, preventing anyone from writing 2 messages in less than 10 seconds, etc. During this development I realised that the messages are stored in a file called zigchat.txt.php. At first I thought that making it a PHP file was a very clever idea, as the file can contain plain text (as it usually does) or commands to read a text file or contact the database. You can make these changes on your own, without touching the client software written in Flash…

And then I had an idea: zigchat.txt.php has a .php extension, so what if someone manages to get a piece of code into it and then requests the file?

So I made my first attempt, trying to write this in the chat box…
<?php echo 'hello world' ?>
The result: no success :(

If we look inside the file, we find that the '<' symbol was correctly converted to the HTML code '%26lt;'. Very good, so no one can introduce HTML or PHP code into the file… Or are we sure?

Then… how do we continue? Sniffing the network with 'ethereal' while using the chat gave me the trick (it would have been even easier to figure out from the PHP code, but I like to do things the hard way…). The Flash chat client connects to the web server every second to look for new messages in the file http://yourvictimwebpage/modules/mod_zigchat/zigchat.txt.php, and connects to the file http://yourvictimwebpage/modules/mod_zigchat/zigchat.php to write new messages into zigchat.txt.php.

If we request zigchat.php directly we get no messages. Having a look at the code, we find 2 interesting things:

Ummm, POST... :)

The message and the pseudo (nick) are sent by the POST method. So we create the following HTML code and store it in a local file with the .html extension (for example c:\lola.html) to simulate the behaviour of the ZigChat client:

<html>
 <body>
  <FORM METHOD=POST ACTION="http://victimserverwithzigchat.com/modules/mod_zigchat/zigchat.php">
   Pseudo:<br />
   <INPUT TYPE="text" NAME="pseudo" VALUE="" SIZE="20"><br />
   Text:<br />
   <textarea cols="40" rows="5" name="usertext">
   </textarea>
   <br />
   <INPUT TYPE="submit" VALUE="Submit">
  </FORM>
 </body>
</html>


What the small exploit looks like

And we test it by writing random values. When submitting we get a blank screen again, but if we check the chat box we can see that we succeeded. What if we try to insert the PHP code from here?

<?php echo time(); ?>
And… voilà! It worked: in the chat box we can see the UNIX time… the '<' symbol was filtered in the client and not in the server, as it should have been… If we refresh the chat box we can see the time change. We introduced code into the server!

So we have done the most difficult part; now we know we can write PHP code on the remote server. But why is this useful? Well, this is just the starting point: from here you can do lots of things, from deleting all the files on the server to taking a copy of the victim's database. Now you have complete control of the server; it is even more powerful than having the CMS administrator's account, as you can edit any file you choose and upload any code you want. Just use your imagination, my friend!

Let's make a small but powerful example. Let's try to read the configuration file of the CMS. He he he (evil laugh).

The following code should give us the content of the configuration file:
<?php echo file_get_contents('../../configuration.php'); ?>
However, if we try this, we destroy our chances of getting control of the server, as there is a parser that breaks our code, and we also break the board (there is still a way out if you make this mistake: you have to submit at least 50 new clean plain-text messages (the number depends on the configuration of the victim server) until our erroneous code disappears).


Message shown when we did something wrong...

This is because the character ' is escaped with the escape character \. D'oh! And now what? Well, let's square the circle. If we change the character ' for a " we get the same result, but if we write it URL-encoded as %22 we get no error and it actually works! So the final code would be:

<?php echo file_get_contents(%22../../configuration.php%22); ?>
And in the chat box… we see nothing, but if we request the file http://webpage/modules/mod_zigchat/zigchat.txt.php directly and click on "View source" we can perfectly see the content of the CMS configuration file, and among all those parameters are the ones for connecting to the database! So your next step would be to open a connection to the database and take whatever you want. :-)
  • Resolving the problem
Open the zigchat.php file and put the following code after line 50:
$usertext = str_replace("<", "%26lt;", $usertext);
$pseudo = str_replace("<", "%26lt;", $pseudo);
$pseudo = str_replace("[INFERIEUR]", "%26lt;", $pseudo);
Warning! The code can be introduced through the nick as well, which is why $pseudo is filtered too. ;-)

I am not a PHP or security expert, so these changes are probably not enough for your website; I hope some of you will contribute to this post so we can fix the bug properly.
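As an added example (not ZigChat's code or the author's fix), here is a server-side filter that builds on the str_replace lines above: it percent-decodes before escaping, escapes every HTML-significant character with htmlspecialchars, and adds a check for raw PHP tags in an already stored zigchat.txt.php. It assumes that zigchat.php percent-decodes the POSTed fields before storing them (as the %22 trick suggests) and that the stored file holds one message per line; note that it emits &lt;-style entities rather than the %26lt; form the Flash client may expect, so the client's decoding would need checking.

```php
<?php
// Added example, not ZigChat's own code: server-side cleaning for the pseudo
// and usertext POST fields of zigchat.php, plus a check for an existing
// zigchat.txt.php. Assumes the handler percent-decodes the fields before
// storing them and that the stored file holds one message per line.

function zigchat_clean(string $raw, int $maxLen = 500): string
{
    // If the server adds backslashes before quotes (the escaping the page
    // ran into), undo it so we inspect the value as the user sent it.
    $s = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($raw) : $raw;
    // Decode FIRST, then escape. Escaping before decoding is exactly what
    // let "%22" turn back into a quote after the filter had already run.
    $s = rawurldecode($s);
    // Remove control characters so one message cannot span several lines.
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
    // Escape & < > " ' as entities: "<?php" can no longer be stored raw,
    // whichever field it arrives in (the nick gets the same treatment).
    $s = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return substr($s, 0, $maxLen);
}

// Does an already stored file contain a raw PHP open tag on any line?
// Returns 1-based line numbers; compare against a clean install, since
// any header line of the module's own will show up too.
function zigchat_find_php_tags(string $storedFile): array
{
    $lines = file($storedFile, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return [];
    }
    $hits = [];
    foreach ($lines as $n => $line) {
        if (preg_match('/<\?(php|=)?/i', $line)) {
            $hits[] = $n + 1;
        }
    }
    return $hits;
}

// Constructed inputs mirroring the payloads discussed on the page.
$samples = [
    '<?php echo time(); ?>',
    '<?php echo file_get_contents(%22../../configuration.php%22); ?>',
    "It's a <b>test</b>",
];
foreach ($samples as $raw) {
    echo zigchat_clean($raw), "\n";   // every sample comes out tag-free
}
```

Running it prints each sample with `<`, `>`, `"` and `'` turned into entities, so nothing written into zigchat.txt.php can open a PHP tag; zigchat_find_php_tags() is meant for sites that ran 1.3.5 and want to inspect what is already stored.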

Thank you for reading me!

My email:

Bultza



UPDATE: security version released
Only 1 hour after this publication, the affected version 1.3.5 of ZigChat disappeared and no one could download the affected version any more. 12 hours later a new version, 1.3.6, was released, fixing this security hole. I just want to thank all the people involved in this kind of action, especially Syan, the creator of ZigChat. You can download the newest version here: http://extensions.joomla.org/component/...

In any case, there are still lots of websites with version 1.3.5 installed...



3 comments:

Bultza said...

Wow, I wrote to the site http://www.joomlaportal.de because they had this problem and they get a ton of daily visits, and it took them no more and no less than 5 minutes to shut the whole thing down and close the hole, hahaha, they deleted the demo and everything. Incredible! In 5 minutes! Look at what is left of the demo: http://www.module.joomlademo.de/zigchat.html
I had got into their site and written a couple of test messages, and it seems I really scared them... Let's hope word of this bug spreads quickly and people get rid of it ;-)

SSergio said...

Damn,

I'd forgotten, kid, you're a bloody genius :D keep it up, when I make myself a T-shirt with a message I'll make another one for you, I was thinking of something like this:

"Friki naiz eta harro nago"

don't know what you think.. :D

But seriously, you're good... yes... you... you're very good...

be happy, little one :D

SSer

Anonymous said...

Very good!! I just checked the version I have installed. Phew! 1.3.6!! Anyway, congratulations on finding this hole!!