Exploiting Serialized XSS in Joomla! (return of the undead CVE)

While reviewing Joomla! vulnerabilities I felt a glitch in the matrix. Deja vu had set in and I was working on the same XSS vulnerability that I had written a test for months prior. The same attack returned to life to claim more developer time and possibly victim websites.

The two CVEs were CVE-2012-1117 and CVE-2013-3267; they had similar data (or lack thereof) in their vulnerability reports. Both were XSS attacks via "unspecified vectors" in the highlight functionality of Joomla! up to 2.5.1 (and again in 2.5.9). While this is very little data, it was just enough to dig into it and re-create the vulnerability. In this little post I will cover the process of reversing PHP to identify 'unspecified' vulnerabilities and in doing so show you a little about PHP object serialization attacks.

From the data we have about the attack, we know it involves the "highlight" plugin and was first fixed in 2.5.1. So we start by diffing the plugin files between the two versions to see what changed, and find this:

[Image: diff of the highlight plugin between the vulnerable and fixed versions]

We now see some questionable code that pulls the highlight value from the GET request, which it expects to be a base64-encoded string. It base64-decodes that value, passes the result to unserialize(), and assigns it to $terms. The $terms values are then passed directly into JavaScript code at the top of the page, which is where the vulnerability lies.

Before we continue, it may help to explain what unserialize() does. It is the sister function of serialize(), which converts a PHP value into a plain string. That value can be anything (an object, an array, a hash, etc.). unserialize() simply takes a valid serialized string and converts it back into the PHP value it represents. In this case, it converts the serialized string for an array back into a usable PHP array.

Now that we know where the vulnerability exists, exploiting it is as easy as stepping back through the process: we just need to build a malicious serialized string, base64-encode it, and assign it to the highlight key/value pair.
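To make the data flow concrete, here is an added illustration (my own code, not Joomla!'s, and not the script from the original post) of the three pieces involved: how serialize() and base64 produce a highlight value, the unsafe decode-and-echo pattern the diff above revealed, and a hardened alternative that validates the decoded value and encodes it for the JavaScript context with json_encode() instead of stripping tags. For reference, serialize(['hello', 'world']) yields a:2:{i:0;s:5:"hello";i:1;s:5:"world";}. The function names, MAX_TERMS, and the sample inputs are this example's own assumptions.

```php
<?php
// Added example (not Joomla!'s code): the highlight-parameter flow described in
// the post, reconstructed in miniature, next to a hardened replacement.
// Function names, MAX_TERMS and the sample inputs are assumptions of this example.

declare(strict_types=1);

const MAX_TERMS = 10;

// 1. How a highlight value is built legitimately: serialize() turns the PHP
//    array into a string, base64 makes it safe to carry in a URL parameter.
function encode_highlight(array $terms): string
{
    return base64_encode(serialize($terms));
}

// 2. The pattern the diff revealed: decode, unserialize whatever the client
//    sent, and drop the values straight into a <script> block. unserialize()
//    on attacker-controlled input accepts any PHP value (objects included), and
//    the strings inside are never encoded for the JavaScript context.
function render_highlight_unsafe(string $highlight): string
{
    $terms = unserialize(base64_decode($highlight));
    $js = '';
    foreach ($terms as $term) {
        $js .= "'" . $term . "',";
    }
    return "<script>var highlightTerms = [" . $js . "];</script>";
}

// 3. Hardened version:
//    - strict base64 decoding, so junk input is rejected early;
//    - allowed_classes => false (PHP >= 7.0) so no object can be instantiated;
//    - only a small, plain array of short strings is accepted;
//    - the JavaScript literal is produced by json_encode() with the JSON_HEX_*
//      flags, so '<', '>', '&' and quotes come out as \uXXXX escapes and cannot
//      terminate the string or the <script> element.
function render_highlight_safe(string $highlight): string
{
    $decoded = base64_decode($highlight, true);
    if ($decoded === false) {
        return '';
    }
    $terms = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($terms) || count($terms) > MAX_TERMS) {
        return '';
    }
    $clean = [];
    foreach ($terms as $term) {
        if (!is_string($term) || strlen($term) > 100) {
            return '';
        }
        $clean[] = $term;
    }
    $json = json_encode(
        array_values($clean),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>var highlightTerms = " . $json . ";</script>";
}

// Demonstration with constructed input: a benign search for two words, then a
// term carrying harmless markup to show the difference in output encoding.
$param = encode_highlight(['hello', 'world']);
echo base64_decode($param), "\n";
echo render_highlight_unsafe($param), "\n";
echo render_highlight_safe($param), "\n";

$param2 = encode_highlight(['<b>']);
echo render_highlight_unsafe($param2), "\n";
echo render_highlight_safe($param2), "\n";
```

Running this shows the unsafe renderer echoing the markup verbatim inside the script block, while the hardened renderer emits it as \u003Cb\u003E. The design point is that tag stripping is an HTML-context defence applied to a JavaScript-string context; validating the structure of the decoded value and letting json_encode() do context-appropriate encoding removes both the XSS and the object-injection surface that unserialize() on untrusted input exposes.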

The easiest way to do this is to write your own PHP script that handles each step for you, as shown below:

[Image: the PHP script that builds the base64-encoded serialized highlight value]

Sending the new malicious base64 encoded string to the site we're attacking shows that it works!

[Image: screenshot of the target page rendering the injected content]

Here is the applicable HTML source:

[Image: the applicable HTML source]

Joomla! developers fixed this in CVE-2012-1117 by adding a check that sanitized all input passed through highlight, removing anything that looked like an HTML tag.

The same attack no longer works, and now produces this HTML:

[Image: the HTML produced after the CVE-2012-1117 fix]

There was an oversight with this fix though. Since we're already within a
