CVE-2016-8869
Published: 2016-11-04
Priority: P1 · 89 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 97.43% (99.9th percentile)
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | <= 3.6.3 | — |
Detection & IOCs (extracted from sources)
- Detect POST data containing the `user` array name in registration requests directed at the secondary controller, as this is the required parameter format for the vulnerable `UsersControllerUser` register method.
- Alert on uploads of `.pht` files to the Joomla `/images/` directory, as the exploit uploads a PHP-executable file with a `.pht` extension to achieve remote code execution after the privilege escalation.
- Use Fortinet IPS signature `Joomla.Core.Account.Creation.Elevated.Privileges` to detect exploitation attempts for both CVE-2016-8870 and CVE-2016-8869.
- The Metasploit auxiliary module `auxiliary/admin/http/joomla_registration_privesc` targets Joomla versions 3.4.4 through 3.6.3; observed use of this module should be treated as an active exploitation indicator.
- The privilege escalation (CVE-2016-8869) is only exploitable via the secondary `UsersControllerUser` register method; the default `UsersControllerRegistration` path correctly filters the `groups` parameter. Detection logic must distinguish between the two task values.
- If an email server is configured in Joomla, a confirmation email is sent and the created account is disabled by default until activated; detection should also cover account activation requests following suspicious registrations.
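The detection points above can be turned into a small log-scanning rule set. The following is an added example written for this page, not code from Joomla, Fortinet, Rapid7 or any other source listed here. It assumes combined-format web-server access logs, and it assumes the Joomla task names `user.register` (the secondary controller path), `registration.register` (the default, filtered path) and `registration.activate` (account activation); the page itself names only the controller classes, so those task values are an assumption. Request bodies (where the `user` array lives) are not in access logs, so the rule keys on the `task` value in the query string, correlates later activation requests with IPs that hit the secondary path, and flags any request for a `.pht` file under `/images/`. The sample log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined-log-format request line: client IP, timestamp, method,
# request target and status are the only fields the rules need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not from any real incident).
# Task names below are an assumption about Joomla's com_users routing.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Oct/2016:10:01:02 +0000] "POST /joomla/index.php?option=com_users&task=user.register HTTP/1.1" 303 0
203.0.113.10 - - [27/Oct/2016:10:01:03 +0000] "POST /joomla/index.php?option=com_users&task=registration.register HTTP/1.1" 303 0
203.0.113.10 - - [27/Oct/2016:10:03:15 +0000] "GET /joomla/index.php?option=com_users&task=registration.activate&token=TOKEN_PLACEHOLDER HTTP/1.1" 303 0
203.0.113.10 - - [27/Oct/2016:10:05:44 +0000] "GET /joomla/images/x.pht HTTP/1.1" 200 512
198.51.100.7 - - [27/Oct/2016:10:06:00 +0000] "GET /joomla/index.php?option=com_users&task=registration.activate&token=TOKEN_PLACEHOLDER HTTP/1.1" 303 0
198.51.100.7 - - [27/Oct/2016:10:06:30 +0000] "GET /joomla/images/logo.png HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    # parse_qs returns lists; keep the first value of each parameter.
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": url.path, "qs": qs, "status": int(m["status"])}


def scan(log_text):
    """Return findings as dicts with keys ip, ts, rule and severity.

    Rules (in evaluation order per line):
      secondary-register               POST to com_users with task=user.register
      activation-after-secondary-register
                                       activation from an IP already flagged above
      activation                       activation with no prior suspicious register
      pht-in-images                    any request for a .pht file under /images/
    The default registration.register path is deliberately not flagged,
    because the page states that path filters the groups parameter.
    """
    findings = []
    suspicious_ips = set()  # IPs seen hitting the secondary register task
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, qs, path = rec["ip"], rec["ts"], rec["qs"], rec["path"]
        in_com_users = qs.get("option") == "com_users"
        task = qs.get("task")

        if rec["method"] == "POST" and in_com_users and task == "user.register":
            suspicious_ips.add(ip)
            findings.append({"ip": ip, "ts": ts,
                             "rule": "secondary-register", "severity": "high"})
        elif in_com_users and task == "registration.activate":
            if ip in suspicious_ips:
                findings.append({"ip": ip, "ts": ts,
                                 "rule": "activation-after-secondary-register",
                                 "severity": "high"})
            else:
                findings.append({"ip": ip, "ts": ts,
                                 "rule": "activation", "severity": "low"})

        if "/images/" in path and path.lower().endswith(".pht"):
            findings.append({"ip": ip, "ts": ts,
                             "rule": "pht-in-images", "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:<5} {f['ip']:<14} {f['ts']}  {f['rule']}")
```

Correlating activation with a prior `user.register` hit from the same client keeps the low-value `activation` rule from paging anyone on ordinary sign-ups, while still surfacing the sequence the page describes (suspicious registration followed by activation). In production the same two rules would be fed from the reverse proxy or WAF rather than from a string, and the `.pht` rule is cheap enough to run on every request line.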
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-v4hj-3rpq-j2ch (unreviewed, 2022-05-17) · CVE-2016-8869 [CRITICAL] · CWE-20
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
VulnCheck
Joomla! Joomla! Improper Input Validation (2016, CVSS 9.8, CRITICAL)
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
Affected: Joomla! Joomla!
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2016/10/joomla-mass-exploits-privilege-vulnerability.html; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
No detection rules found.
Exploit-DB
Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation (exploitdb, 2016-10-27, CVE-2016-8869)
The listing's handler snippet (as published, out of context):
`SetHandler application/x-httpd-php`
Usage
Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour; -s searches for the given string in the output after running the PHP file (specified in -x). An example is provided which proves remote code execution.
```
$ ./joomraa.py -u hacker -p password -e [email protected] http://localhost:8080/joomla
```
Metasploit
Joomla Account Creation and Privilege Escalation
This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4 through 3.6.3. If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · CVE-2020-28188 [HIGH]
By Lei Xu, Yue Guan and Vaibhav Singhal. Published: April 12, 2021.
Tags: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Fortinet
Joomla – From Nowhere to High Privilege
blogs_fortinet · 2016-10-27 · CVSS 9.8 · CVE-2016-8870 [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
By Tien Phan | October 27, 2016
Joomla, a popular free and open-source content management system, just released version 3.6.4 that fixed two critical vulnerabilities:
[CVE-2016-8870] - Core - Account Creation: attackers can exploit this vulnerability to create any account in a Joomla system regardless of whether its registration has been disabled.
[CVE-2016-8869] - Core - Elevated Privileges: with the vulnerability above, an attacker not only can register an account in a vulnerable system, but also register with the highest privilege – Administrator.
We took a deeper dive to see how these exploits tick and would like to congratulate Davide Tampellini on his first CVE discovery.
CVE-2016-8870 - From no one to havin
Bugzilla
CVE-2015-8869 ocaml: sizes arguments are sign-extended from 32 to 64 bits
bugzilla · 2016-05-02 · CVSS 9.1 · CVE-2015-8869 [CRITICAL]
OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes sizes arguments to an internal memmove call to be sign-extended from 32 to 64 bits before being passed to the memmove function.
This leads arguments between 2GiB and 4GiB to be interpreted as larger than they are (specifically, a bit below 2^64), causing a buffer overflow.
Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than they should be, causing a possible information leak.
References:
http://seclists.org/oss-sec/2016/q2/165
Upstream fix:
https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
Discussion:
Created ocaml tracking bugs for this is
References
- http://www.rapid7.com/db/modules/auxiliary/admin/http/joomla_registration_privesc
- http://www.securityfocus.com/bid/93883
- http://www.securitytracker.com/id/1037108
- https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vulnerability-in-joomla.html
- https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html
- https://github.com/joomla/joomla-cms/commit/bae1d43938c878480cfd73671e4945211538fdcf
- https://medium.com/%40showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2#.rq4qh1v4r
- https://www.exploit-db.com/exploits/40637/