CVE-2014-7228
Published: 2014-11-03
Priority: P2 · 70 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 55.13% (98.9th percentile)
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive.
Affected
45 ranges listed (25 shown in the source); every row carries the same vendor and product, and no version range or fix version was extracted:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | — | — |
Detection & IOCs (extracted from sources)
- Serialized object (other): O:9:"AKFactory":1:{s:18:"\x00AKFactory\x00varlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:<len>:"<srv_uri>";}}
- Monitor HTTP requests to /administrator/components/com_joomlaupdate/restore.php or restoration.php with GET parameters 'task=stepRestore' and 'factory=' (base64-encoded PHP serialized object), which are the attack vectors for this exploit.
- Detect PHP unserialization of AKFactory objects via the 'factory' GET/POST parameter; the serialized payload contains the string 'AKFactory' and the keys 'kickstart.security.password' and 'kickstart.setup.sourcefile'.
- Alert on HTTP 200 responses from restoration.php or restore.php during non-update periods; the exploit is only triggerable during a Joomla! CMS update, so requests to these endpoints outside maintenance windows are highly suspicious.
- Look for a crafted ZIP archive being fetched by the Joomla server from an attacker-controlled URL (the 'kickstart.setup.sourcefile' value in the serialized object), followed by a .php file being written and executed under /administrator/components/com_joomlaupdate/.
- Detect modification of the 'currentPartNumber' field in the returned AKFactory serialized object from i:0 to i:-1, which is used to trigger the malicious archive extraction step.
- The exploit bypasses encryption by setting 'kickstart.security.password' to an empty string in the serialized AKFactory object; detect requests where this parameter is blank alongside a remote sourcefile URL.
- The vulnerability is only exploitable during an active Joomla! CMS update process; detection rules targeting restore.php/restoration.php will have a higher true-positive rate if scoped to non-maintenance windows.
- The root cause is that $_GET and $_POST are not sanitized when $_REQUEST is cleansed, and getQueryParam later reads from them directly; WAF rules must therefore block the 'factory' parameter in both GET and POST to be effective.
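The indicators above can be turned into a concrete log check. The following is an added example written for this page, not code from the page's sources or from Akeeba or Joomla!: it applies the endpoint, parameter and serialized-key indicators to constructed Apache-style access-log lines and to a constructed POST body, and flags requests to restore.php/restoration.php whose factory parameter decodes to a serialized AKFactory with an empty kickstart.security.password and a remote kickstart.setup.sourcefile. The paths, parameter names and serialized keys are taken from the page; the IP addresses, archive URL and log lines are constructed test data.

```python
"""Access-log checker for the CVE-2014-7228 request pattern.

Added example: indicator names come from the page's Detection & IOCs
section; every IP address, URL and log line below is constructed test data.
"""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

RESTORE_ENDPOINTS = ("restore.php", "restoration.php")

# Serialized-array fragments named in the page's IoCs (PHP serialize() format).
EMPTY_PASSWORD = re.compile(r's:27:"kickstart\.security\.password";s:0:"";')
REMOTE_SOURCE = re.compile(r's:26:"kickstart\.setup\.sourcefile";s:\d+:"(https?://[^"]+)";')

# Combined log format: client, method, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_factory(value):
    """Base64-decode a 'factory' parameter; return '' when it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return ""


def inspect_request(method, target, body=""):
    """Return the list of indicators present in one request (empty if none).

    Query-string and POST-body parameters are merged because the flawed code
    read both $_GET and $_POST through getQueryParam.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(RESTORE_ENDPOINTS):
        return []
    params = parse_qs(parts.query)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)

    findings = []
    if "stepRestore" in params.get("task", []):
        findings.append("task=stepRestore")
    for raw in params.get("factory", []):
        blob = decode_factory(raw)
        if "AKFactory" in blob:
            findings.append("serialized AKFactory in factory=")
        if EMPTY_PASSWORD.search(blob):
            findings.append("empty kickstart.security.password")
        match = REMOTE_SOURCE.search(blob)
        if match:
            findings.append("remote sourcefile " + match.group(1))
    return findings


def scan_access_log(text):
    """Scan combined-format log lines; return one record per request with indicators.

    Only the request line is logged, so POST bodies are invisible here and need
    a WAF or application-level hook. The status code is returned so a caller can
    apply the page's advice of alerting on 200s outside a maintenance window.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        findings = inspect_request(method, target)
        if findings:
            hits.append({"client": client, "status": int(status), "findings": findings})
    return hits


def build_sample_factory(source_url):
    """Construct a percent-encoded factory value in the shape of the page's IoC (test data only)."""
    obj = (
        'O:9:"AKFactory":1:{s:18:"\x00AKFactory\x00varlist";a:2:{'
        's:27:"kickstart.security.password";s:0:"";'
        f's:26:"kickstart.setup.sourcefile";s:{len(source_url)}:"{source_url}";'
        "}}"
    )
    return quote(base64.b64encode(obj.encode("latin-1")).decode("ascii"), safe="")


def sample_access_log():
    """Three constructed log lines: two benign admin requests and one matching request."""
    factory = build_sample_factory("http://203.0.113.10/example.zip")
    return "\n".join([
        '203.0.113.7 - - [05/Oct/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [05/Oct/2014:10:00:02 +0000] "GET /administrator/components/'
        f'com_joomlaupdate/restoration.php?task=stepRestore&factory={factory} HTTP/1.1" 200 311 "-" "python-requests/2.4"',
        '203.0.113.7 - - [05/Oct/2014:10:00:03 +0000] "GET /administrator/index.php?option=com_joomlaupdate HTTP/1.1" 200 8900 "-" "Mozilla/5.0"',
    ])


if __name__ == "__main__":
    for hit in scan_access_log(sample_access_log()):
        print(hit["client"], hit["status"], "; ".join(hit["findings"]))
```

Running the script prints the one flagged client with all four indicators. The check deliberately keys on the decoded serialized object rather than on the raw base64 text, because the same object re-encodes differently depending on padding and percent-encoding; matching after decoding is what makes the empty-password and remote-sourcefile rules robust.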
No detection rules found.
Exploit-DB
Joomla! Component Akeeba Kickstart - Unserialize Remote Code Execution (Metasploit)
exploitdb · 2014-10-21
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/zip'
require 'json'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Joomla Akeeba Kickstart Unserialize Remote Code Execution",
      'Description' => %q{
        This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier
        3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba
        component, which is responsible for Joomla! updates. Nevertheless, it is worth noting
        that this vulnerability is only exploitable during the update of the Joomla! CMS.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Johannes Dahse', # Vulnerability dis
```
Metasploit
Joomla Akeeba Kickstart Unserialize Remote Code Execution
This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier 3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba component, which is responsible for Joomla! updates. Nevertheless, it is worth noting that this vulnerability is only exploitable during the update of the Joomla! CMS.
No writeups or analysis indexed.
References
- http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html
- http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/
- https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html