CVE-2017-14596 - LDAP Injection vulnerability in Joomla Joomla!
CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, joomla, CWE-90, nessus

Summary

In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password.

Vulnerable Configurations

Part: Application
Description: Joomla
Count: 119

Common Attack Pattern Enumeration and Classification (CAPEC)

  • LDAP Injection
    An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.

Nessus

  • NASL family: CGI abuses
    NASL id: JOOMLA_382.NASL
    description: According to its self-reported version number, the Joomla! installation running on the remote web server is 1.5.0 or later but prior to 3.8.2. It is, therefore, affected by an authentication bypass and multiple information disclosure vulnerabilities. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 104478
    published: 2017-11-09
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104478
    title: Joomla! 1.5.0 < 3.8.2 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104478);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2017-14596", "CVE-2017-16633", "CVE-2017-16634");
      script_bugtraq_id(101701, 101702);
    
      script_name(english:"Joomla! 1.5.0 < 3.8.2 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Joomla!.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Joomla!
    installation running on the remote web server is 1.5.0 or later but
    prior to 3.8.2. It is, therefore, affected by an authentication bypass
    and multiple information disclosure vulnerabilities.
    
    Note that Nessus has not attempted to exploit these issues but has
    instead relied only on the application's self-reported version number.");
      # https://developer.joomla.org/security-centre/714-20171101-core-ldap-information-disclosure.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0bfe3781");
      # https://developer.joomla.org/security-centre/713-20171102-core-2-factor-authentication-bypass.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?44542f6b");
      # https://developer.joomla.org/security-centre/715-20171103-core-information-disclosure.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d551f20d");
      # https://www.joomla.org/announcements/release-news/5716-joomla-3-8-2-release.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?80b9ab84");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Joomla! version 3.8.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-16634");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("joomla_detect.nasl");
      script_require_keys("installed_sw/Joomla!", "www/PHP", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("http.inc");
    include("vcf.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    app_info = vcf::get_app_info(app:"Joomla!", port:port, webapp:TRUE);
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      { "min_version" : "1.5.0", "fixed_version" : "3.8.2" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL family: CGI abuses
    NASL id: JOOMLA_380.NASL
    description: According to its self-reported version number, the Joomla! installation running on the remote web server is 1.5.0 or later but prior to 3.8.0. It is, therefore, affected by the following vulnerabilities: - A flaw exists related to SQL query handling that allows disclosure of article introduction text when such articles are in the archived state. Note that only versions 3.7.0 through 3.7.5 are affected by this flaw. (CVE-2017-14595) - An input-validation flaw exists in the LDAP authentication plugin that allows disclosure of usernames and passwords. Note that Joomla! must be configured for LDAP authentication to be affected. (CVE-2017-14596) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103383
    published: 2017-09-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103383
    title: Joomla! 1.5.0 < 3.8.0 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103383);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2017-14595", "CVE-2017-14596");
      script_bugtraq_id(100898, 100900);
    
      script_name(english:"Joomla! 1.5.0 < 3.8.0 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Joomla!.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Joomla!
    installation running on the remote web server is 1.5.0 or later but
    prior to 3.8.0. It is, therefore, affected by the following
    vulnerabilities :
    
      - A flaw exists related to SQL query handling that allows
        disclosure of article introduction text when such articles
        are in the archived state. Note that only versions
        3.7.0 through 3.7.5 are affected by this flaw.
        (CVE-2017-14595)
    
      - An input-validation flaw exists in the LDAP
        authentication plugin that allows disclosure of usernames
        and passwords. Note that Joomla! must be configured for
        LDAP authentication to be affected. (CVE-2017-14596)
    
    Note that Nessus has not attempted to exploit these issues but has
    instead relied only on the application's self-reported version number.");
      # https://developer.joomla.org/security-centre/711-20170902-core-ldap-information-disclosure
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d2d49f37");
      # https://developer.joomla.org/security-centre/710-20170901-core-information-disclosure
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f49184a2");
      # https://www.joomla.org/announcements/release-news/5713-joomla-3-8-0-release.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3c8b295a");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Joomla! version 3.8.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-14596");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("joomla_detect.nasl");
      script_require_keys("installed_sw/Joomla!", "www/PHP", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("http.inc");
    include("vcf.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    app_info = vcf::get_app_info(app:"Joomla!", port:port, webapp:TRUE);
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      { "min_version" : "1.5.0", "max_version" : "3.7.5", "fixed_version" : "3.8.0" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
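
Both plugins above decide purely on the self-reported version, and their constraint sets differ: JOOMLA_382 flags `1.5.0 <= version < 3.8.2`, while JOOMLA_380 flags `1.5.0 <= version <= 3.7.5` with the fix at 3.8.0, and both refuse to judge a version string with fewer than three segments (`sig_segments:3`). The following Python is an added example, not Tenable's NASL or its `vcf` library, that models those two constraint sets and the granularity rule so an inventory of self-reported Joomla! versions can be triaged offline. The function names and the sample versions are this example's own.

```python
"""Added example (not Tenable's NASL/vcf code): models the version
constraints of JOOMLA_380.NASL and JOOMLA_382.NASL and their
three-segment granularity requirement."""
from typing import Dict, Optional, Tuple

# Constraints copied from the two plugin listings on this page.
PLUGIN_CONSTRAINTS: Dict[str, Dict[str, str]] = {
    "JOOMLA_380.NASL": {"min_version": "1.5.0", "max_version": "3.7.5",
                        "fixed_version": "3.8.0"},
    "JOOMLA_382.NASL": {"min_version": "1.5.0", "fixed_version": "3.8.2"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple of ints, so Python's tuple ordering
    compares segment by segment (3.7.5 < 3.8.0 and 3.10.0 > 3.9.0)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def has_granularity(version: str, sig_segments: int = 3) -> bool:
    """Model of vcf::check_granularity(sig_segments:3): a version such as
    '3.7' cannot be placed relative to 3.7.5, so the check declines to judge
    rather than guess."""
    return len(parse_version(version)) >= sig_segments


def is_affected(version: str, constraint: Dict[str, str]) -> Optional[bool]:
    """None when the version is too coarse to judge; otherwise True when
    min_version <= version < fixed_version (and <= max_version if given)."""
    if not has_granularity(version):
        return None
    v = parse_version(version)
    if v < parse_version(constraint["min_version"]):
        return False
    if v >= parse_version(constraint["fixed_version"]):
        return False
    if "max_version" in constraint and v > parse_version(constraint["max_version"]):
        return False
    return True


def evaluate(version: str) -> Dict[str, Optional[bool]]:
    """Verdict of each modelled plugin for one self-reported version."""
    return {name: is_affected(version, c) for name, c in PLUGIN_CONSTRAINTS.items()}


if __name__ == "__main__":
    # Constructed inventory of self-reported versions (sample data).
    for v in ("1.0.15", "3.7", "3.7.5", "3.7.9", "3.8.0", "3.8.2"):
        print(f"{v:8} {evaluate(v)}")
```

The `max_version` in JOOMLA_380 means a hypothetical 3.7.9 would not be flagged by that plugin at all, while JOOMLA_382 still flags it, and JOOMLA_382 also flags 3.8.0 and 3.8.1 because it tracks the later 3.8.2 fixes. When reconciling scanner output against a fleet, check which plugin produced the finding before mapping it to CVE-2017-14596.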
    

Seebug

bulletinFamily: exploit

description:

## Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites' content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

### Requirements - Who is affected

Installations with the following requirements are affected by this vulnerability:

* Joomla! version 1.5 <= 3.7.5 is installed
* Joomla! is configured to use LDAP for authentication

This is not a configuration flaw, and an attacker does not need any privileges to exploit this vulnerability.

### Impact - What can an attacker do

By exploiting a vulnerability in the login page, an unprivileged remote attacker can efficiently extract all authentication credentials of the LDAP server that is used by the Joomla! installation. These include the username and password of the super user, the Joomla! administrator. An attacker can then use the hijacked information to login to the administrator control panel and to take over the Joomla! installation, as well as potentially the web server, by uploading custom Joomla! extensions for remote code execution.

### Vulnerability Analysis - CVE-2017-14596

Our code analysis solution RIPS automatically identified the vulnerability that spans over the following nested code lines. First, in the `LoginController`, the Joomla! application receives the user-supplied credentials from the login form.

`/administrator/components/com_login/controller.php`

```php
class LoginController extends JControllerLegacy
{
    public function login()
    {
        ⋮
        $app = JFactory::getApplication();
        ⋮
        $model = $this->getModel('login');
        $credentials = $model->getState('credentials');
        ⋮
        $app->login($credentials, array('action' => 'core.login.admin'));
    }
}
```

The credentials are passed on to the `login` method which then invokes the `authenticate` method.

`/libraries/cms/application/cms.php`

```php
class JApplicationCms extends JApplicationWeb
{
    public function login($credentials, $options = array())
    {
        ⋮
        $authenticate = JAuthentication::getInstance();
        $authenticate->authenticate($credentials, $options);
    }
}
```

`/libraries/joomla/authentication/authentication.php`

```php
class JAuthentication extends JObject
{
    public function authenticate($credentials, $options = array())
    {
        ⋮
        $plugin->onUserAuthenticate($credentials, $options, $response);
    }
}
```

Based on the plugin that is used for authentication, the `authenticate` method passes the credentials to the `onUserAuthenticate` method. If Joomla! is configured to use LDAP for authentication, the LDAP plugin's method is invoked.

`/plugins/authentication/ldap/ldap.php`

```php
class PlgAuthenticationLdap extends JPlugin
{
    public function onUserAuthenticate($credentials, $options, &$response)
    {
        ⋮
        $userdetails = $ldap->simple_search(
            str_replace(
                '[search]',
                $credentials['username'],
                $this->params->get('search_string')
            )
        );
    }
}
```

In the LDAP plugin, the `username` credential is embedded into the LDAP query specified in the `search_string` option. According to the official [Joomla! documentation](https://docs.joomla.org/LDAP_Authentication), the `search_string` configuration option is "a query string used to search for the user, where [search] is directly replaced by the search text from the login field", for example "uid=[search]".

The LDAP query is then passed to the `simple_search` method of the `LdapClient` which connects to the LDAP server and performs the `ldap_search`.

`/libraries/vendor/joomla/ldap/src/LdapClient.php`

```php
class LdapClient
{
    public function simple_search($search)
    {
        $results = explode(';', $search);

        foreach ($results as $key => $result)
        {
            $results[$key] = '(' . $result . ')';
        }

        return $this->search($results);
    }

    public function search(array $filters, ...)
    {
        foreach ($filters as $search_filter)
        {
            $search_result = @ldap_search($res, $dn, $search_filter, $attr);
            ⋮
        }
    }
}
```

Even if RIPS is unaware of the exact LDAP query that is loaded from an external configuration file, RIPS detects and reports successfully the root cause of this vulnerability: user input is mixed unsanitized with the LDAP query markup that is passed to the sensitive `ldap_search` function. The vulnerability was detected within 7 minutes in half a million lines of Joomla! code. The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post in order to ensure a fix is available. [See RIPS report](https://demo.ripstech.com/projects/joomla_3.7.5)

### Proof Of Concept - Blind LDAP Injection

The lack of input sanitization of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for the login credentials progressively by sending a row of payloads that guess the credentials character by character.

```
XXX;(&(uid=Admin)(userPassword=A*))
XXX;(&(uid=Admin)(userPassword=B*))
XXX;(&(uid=Admin)(userPassword=C*))
...
XXX;(&(uid=Admin)(userPassword=s*))
...
XXX;(&(uid=Admin)(userPassword=se*))
...
XXX;(&(uid=Admin)(userPassword=sec*))
...
XXX;(&(uid=Admin)(userPassword=secretPassword))
```

Each of these payloads yields exactly one out of two possible states, which allows an adversary to abuse the server as an oracle. A filter bypass is necessary for exploitation that is not covered in this blog post. With an optimized version of these payloads, one bit per request can be extracted from the LDAP server, which results in a highly efficient blind LDAP injection attack.

### Time Line

* 2017/07/27 Provided vulnerability details and PoC to vendor
* 2017/07/29 Vendor confirmed the security issue
* 2017/09/19 Vendor released fixed version

### Summary

As one of the most popular open source CMS applications, Joomla! receives many code reviews from the security community. Yet alone one missed security vulnerability in the 500,000 lines of code can lead to a server compromise. With the help of [static code analysis](https://www.ripstech.com/php-security-analysis/#static), RIPS detected a critical LDAP injection vulnerability (CVE-2017-14596) that remained undiscovered for over 8 years. The vulnerability allows an attacker to steal login credentials from Joomla! installations that use LDAP authentication. We would like to thank the Joomla! Security Strike Team for an excellent coordination and remediation of this issue and recommend to update to the latest Joomla! version 3.8 immediately.

#### Video demo address: http://v.youku.com/v_show/id_XMzAzNjQxNjM4MA==.html

id: SSV:96561
last seen: 2017-11-19
modified: 2017-09-21
published: 2017-09-21
reporter: Root
title: Joomla! 3.7.5 LDAP injection vulnerability (CVE-2017-14596)
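
The root cause quoted in the Seebug entry above is the username being substituted into the `search_string` filter with a plain `str_replace`, after which `simple_search` splits the string on `;` and issues every piece as its own filter. The following Python is an added example, not Joomla!, RIPS or Seebug code, that models that quoted construction and shows what RFC 4515 filter-value escaping (the mapping PHP's `ldap_escape()` applies with `LDAP_ESCAPE_FILTER`) does to the page's first payload, alongside a small check a defender can run over login audit logs. The function names, the hardened builder and the sample inputs are this example's own; it does not claim to reproduce the exact fix shipped in Joomla! 3.8.0.

```python
"""Added example (not Joomla!, RIPS or Seebug code): models the LDAP filter
construction quoted from PlgAuthenticationLdap / LdapClient and shows how
RFC 4515 escaping turns injected filter syntax into literal text."""
from typing import List

# RFC 4515 section 3: the characters that MUST be escaped inside a filter
# assertion value. PHP's ldap_escape($v, '', LDAP_ESCAPE_FILTER) applies the
# same mapping.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so the LDAP server reads it as a literal value and
    never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def simple_search_filters(search: str) -> List[str]:
    """Model of LdapClient::simple_search as quoted in the advisory: split on
    ';' and wrap each piece in parentheses; each piece then goes to
    ldap_search as its own filter."""
    return ["(" + part + ")" for part in search.split(";")]


def build_filters_vulnerable(search_string: str, username: str) -> List[str]:
    """Pre-3.8.0 behaviour quoted above: raw str_replace of [search]."""
    return simple_search_filters(search_string.replace("[search]", username))


def build_filter_hardened(search_string: str, username: str) -> str:
    """Hardened variant (this example's own, not the vendor fix): the username
    is escaped before substitution and the result is issued as one filter, so
    neither filter metacharacters nor a ';' in user input can change the
    query's structure."""
    escaped = escape_filter_value(username)
    return "(" + search_string.replace("[search]", escaped) + ")"


def flags_injection(username: str) -> bool:
    """Detection helper for login audit logs: a genuine username carries no
    filter syntax, so any filter metacharacter or the ';' separator that
    simple_search honours is enough to flag the attempt for review."""
    return any(ch in username for ch in "()*\\;\x00")


# Constructed sample inputs: the search_string from the Joomla! docs quoted
# above, a benign login name, and the first payload shown in the advisory.
SEARCH_STRING = "uid=[search]"
BENIGN = "jsmith"
PAYLOAD = "XXX;(&(uid=Admin)(userPassword=A*))"

if __name__ == "__main__":
    print("vulnerable:", build_filters_vulnerable(SEARCH_STRING, PAYLOAD))
    # -> ['(uid=XXX)', '((&(uid=Admin)(userPassword=A*)))']: the second
    #    filter is entirely attacker-controlled; whether it matches is the
    #    one-bit oracle the advisory describes.
    print("hardened:  ", build_filter_hardened(SEARCH_STRING, PAYLOAD))
    # -> '(uid=XXX;\28&\28uid=Admin\29\28userPassword=A\2a\29\29)': a single
    #    filter for a literal (non-existent) uid, so the lookup simply fails.
    for name in (BENIGN, PAYLOAD):
        print(f"{name!r:42} flagged={flags_injection(name)}")
```

Escaping alone is the necessary fix; the single-filter wrapping is what stops the `;` split from producing a second query, and `flags_injection` is only a triage aid, since any legitimate username that trips it is worth a look anyway.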