Understanding Joomla! Component JE Auto Local File Inclusion (LFI) Vulnerability (2010)

What this paper is
This paper details a Local File Inclusion (LFI) vulnerability found in the Joomla! component com_jeauto. The vulnerability, discovered by Sid3^effects, allows an attacker to include and execute arbitrary files on the web server by manipulating a specific parameter in the URL. This can lead to unauthorized access, information disclosure, or even remote code execution.
Simple technical breakdown
The core of the vulnerability lies in how the com_jeauto component handles user input for its view parameter. Instead of sanitizing or validating this input properly, the component directly uses it to construct a file path. By appending a null byte (%00) to a crafted path, an attacker can trick the application into ignoring the intended file extension and instead include a different, potentially malicious, file.
Complete code and payload walkthrough
The provided exploit is a URL. There is no explicit code or payload in the Exploit-DB entry beyond the URL itself. The "code" is the crafted URL that triggers the vulnerability.
Exploit URL:
http://server/jeauto/index.php?option=com_jeauto&view=[LFI]%00
- http://server/jeauto/index.php: This is the base URL to the Joomla! installation and the com_jeauto component.
- option=com_jeauto: This parameter tells Joomla! which component to load.
- view=[LFI]: This is the vulnerable parameter. The [LFI] placeholder represents the attacker-controlled input.
- %00: This is the URL-encoded null byte. In PHP versions before 5.3.4, the filesystem calls behind include() treat a null byte as the end of the path, so when the view parameter is processed the application stops reading the string at that point.
How it works:
The com_jeauto component likely takes the value of the view parameter and uses it to include a PHP file. For example, if the view parameter was category, the component might try to include components/com_jeauto/views/category/view.html.php.
When an attacker crafts the URL as http://server/jeauto/index.php?option=com_jeauto&view=../../../../etc/passwd%00, the view parameter becomes ../../../../etc/passwd%00.
The component, when processing this, might attempt to include a file based on this string. However, due to the null byte, the effective string becomes ../../../../etc/passwd. This bypasses any intended file extension or path that the component might have expected, allowing the attacker to include the /etc/passwd file (or any other readable file on the server).
Mapping:
- http://server/jeauto/index.php?option=com_jeauto&view=[LFI]%00 -> Exploitation URL that leverages the LFI vulnerability.
- [LFI] -> Placeholder for the path traversal and file to be included. This is the attacker-controlled input.
- %00 -> Null byte terminator. This is crucial for bypassing intended file extensions and allowing arbitrary file inclusion.
Shellcode/Payload:
There is no explicit shellcode or payload provided in this paper. The "payload" is the content of the file the attacker chooses to include. For example, if the attacker includes a PHP file containing <?php system($_GET['cmd']); ?>, they could then execute commands via http://server/index.php?option=com_jeauto&view=../../path/to/backdoor.php%00&cmd=ls.
Practical details for offensive operations teams
- Required Access Level: Low (unauthenticated user with access to the public-facing Joomla! site).
- Lab Preconditions:
  - A vulnerable Joomla! installation with the com_jeauto component installed.
  - A web server environment (e.g., Apache, Nginx) running PHP.
  - Knowledge of common file paths on the target system (e.g., /etc/passwd, /var/log/apache2/access.log, configuration files).
  - Ability to upload a malicious PHP file to the server if aiming for remote code execution (RCE).
- Tooling Assumptions:
  - Web browser for manual testing.
  - Burp Suite or OWASP ZAP for intercepting and modifying requests.
  - A dedicated LFI scanner or a custom script for automated discovery.
  - A tool like nmap with relevant NSE scripts for initial reconnaissance.
- Execution Pitfalls:
  - File Permissions: The attacker can only include files that the web server process has read permissions for. Sensitive files might not be readable.
  - Null Byte Filtering: Some web application firewalls (WAFs) or server configurations might filter out null bytes, rendering the %00 bypass ineffective. Alternative bypasses might be needed.
  - PHP Configuration: If disable_functions in php.ini is restrictive, executing commands via included PHP shells might be limited.
  - Path Traversal Depth: The number of ../ needed depends on the depth of the com_jeauto component within the Joomla! installation.
  - Component Version: This vulnerability is specific to a particular version of com_jeauto. Newer versions might have patched it.
- Tradecraft Considerations:
  - Reconnaissance: Use search engine dorks (inurl:com_jeauto) to find potential targets.
  - Enumeration: Identify the Joomla! installation path and the com_jeauto component's location.
  - Payload Staging: For RCE, consider uploading a small, stealthy backdoor first, then using LFI to include it.
  - Log Analysis: If successful, the attacker's presence might be logged in web server access logs.
- Telemetry:
  - Unusual requests to index.php with option=com_jeauto and a view parameter containing path traversal sequences (../).
  - Requests containing %00 or other null byte representations.
  - Requests attempting to include common sensitive files (e.g., passwd, configuration files).
  - If RCE is achieved, subsequent requests might show executed commands or attempts to download further tools.
  - Web server access logs showing the inclusion of unexpected files.
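The indicators in the Telemetry list above, turned into a log check (an added example; it is not part of the Exploit-DB paper, and the log lines are constructed): it parses Apache combined-format lines, peels off repeated percent-encoding so a double-encoded traversal is not missed, and flags com_jeauto view values that carry a null byte, a traversal sequence, or a well-known sensitive filename.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (hosts, times and sizes are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Dec/2010:10:00:01 +0000] "GET /jeauto/index.php?option=com_jeauto&view=category HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Dec/2010:10:00:07 +0000] "GET /jeauto/index.php?option=com_jeauto&view=../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "curl/7.21"
10.0.0.9 - - [19/Dec/2010:10:00:12 +0000] "GET /jeauto/index.php?option=com_jeauto&view=..%252f..%252fconfiguration.php%2500 HTTP/1.1" 200 900 "-" "curl/7.21"
10.0.0.7 - - [19/Dec/2010:10:01:00 +0000] "GET /jeauto/index.php?option=com_content&view=article HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE = ("passwd", "shadow", "configuration.php", "access.log", "error.log", ".htpasswd")  # from the list above


def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %252f is seen as '/'."""
    for _ in range(rounds):
        if "%" not in value:
            break
        value = unquote(value)
    return value


def inspect_request(target):
    """Return the indicator names that fire for one request target (empty list = benign)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("option") != ["com_jeauto"]:  # only the component this page covers
        return []
    findings = []
    for view in params.get("view", []):  # parse_qs already removed one encoding layer
        decoded = fully_decode(view)
        normalized = decoded.replace("\\", "/")
        if "\x00" in normalized:
            findings.append("null_byte")
        if "../" in normalized or normalized.startswith("/"):
            findings.append("path_traversal")
        if any(name in normalized.lower() for name in SENSITIVE):
            findings.append("sensitive_file")
        if decoded != view:  # value was still encoded after the first decode
            findings.append("double_encoding")
    return findings


def scan_log(text):
    """Return (ip, status, findings) for every flagged line in an access log."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        findings = inspect_request(m.group("target")) if m else []
        if findings:
            hits.append((m.group("ip"), m.group("status"), findings))
    return hits
```

A 200 status on a flagged line is worth more attention than a 404, since it suggests the include succeeded rather than failing on a missing file.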
Where this was used and when
- Context: This vulnerability was relevant to websites using the Joomla! CMS with the com_jeauto component installed.
- Approximate Years/Dates: The paper was published in December 2010. This indicates the vulnerability was actively exploitable around that time. It's likely that com_jeauto was a popular component in the years leading up to 2010.
Defensive lessons for modern teams
- Input Validation and Sanitization: Always validate and sanitize user-supplied input, especially when it's used in file paths or database queries. Never trust user input directly.
- Secure Coding Practices: Developers should be trained on secure coding principles, including avoiding direct use of user input in file operations.
- Component Updates: Keep all CMS components, plugins, and themes updated to the latest versions to patch known vulnerabilities.
- Web Application Firewalls (WAFs): Implement and properly configure WAFs to detect and block common attack patterns like LFI and null byte injection.
- Least Privilege: Ensure the web server process runs with the minimum necessary privileges to limit the impact of a successful file inclusion.
- File Inclusion Prevention: Configure web servers to prevent direct execution of files in upload directories or other untrusted locations.
- Regular Audits and Scans: Conduct regular security audits and vulnerability scans of web applications.
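The first two lessons above applied to the view parameter from the "How it works" section (an added example in Python that models the check; it is not Joomla or com_jeauto code, and VIEW_NAME_RE and the directory layout are assumptions): reject a null byte outright, accept only identifier-shaped view names, and confirm the canonical path still sits under the views directory. Null-byte truncation in include() was removed in PHP 5.3.4, so the %00 part of the exploit depends on an older PHP, while the traversal check matters on every version.

```python
import os
import re
import tempfile

# Hypothetical naming policy for view names: a lowercase identifier and nothing else.
VIEW_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def resolve_view_file(views_dir, view):
    """Return the absolute path of <views_dir>/<view>/view.html.php, or None if rejected.

    Three independent checks, in order: an embedded NUL (the %00 trick) is refused
    outright; the name must match the identifier policy, which also excludes '../',
    '/' and file extensions; and the canonical path must still be inside views_dir,
    which catches anything the first two let through (for example a view directory
    that is a symlink pointing elsewhere)."""
    if "\x00" in view:
        return None
    if not VIEW_NAME_RE.fullmatch(view):
        return None
    root = os.path.realpath(views_dir)
    candidate = os.path.realpath(os.path.join(root, view, "view.html.php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a throwaway views tree with one real view and try the inputs from this page."""
    with tempfile.TemporaryDirectory() as tmp:
        views = os.path.join(tmp, "components", "com_jeauto", "views")
        os.makedirs(os.path.join(views, "category"))
        with open(os.path.join(views, "category", "view.html.php"), "w") as f:
            f.write("<?php // constructed stand-in for the real view file\n")
        probes = [
            "category",                    # legitimate view name
            "../../../../etc/passwd\x00",  # the exploit URL's value after URL-decoding
            "category\x00",                # NUL after an otherwise valid name
            "../../../etc/passwd",         # traversal with no null byte (PHP >= 5.3.4 case)
            "nosuchview",                  # well-formed name with no view behind it
        ]
        return {p: resolve_view_file(views, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, accepted in demo().items():
        print(repr(probe), "->", "accepted" if accepted else "rejected")
```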
ASCII visual (if applicable)
This vulnerability is primarily about manipulating a URL to include a file. A simple flow diagram can illustrate this:
+-------------------+     +-------------------+     +---------------------+     +-------------------+
| Attacker's Browser| --> | Web Server (HTTP) | --> | Joomla! Application | --> | Target File on    |
| (Crafted Request) |     | (Request Received)|     | (com_jeauto)        |     | Server (e.g.,     |
+-------------------+     +-------------------+     +----------+----------+     | /etc/passwd)      |
                                                               |                +-------------------+
                                                               | (Vulnerable Parameter)
                                                               v
                                                       +-----------------+
                                                       | File Inclusion  |
                                                       | Logic (No       |
                                                       | Sanitization)   |
                                                       +-----------------+
Explanation:
- The attacker crafts a malicious HTTP request.
- The web server receives the request and passes it to the Joomla! application.
- The com_jeauto component processes the request, specifically the view parameter.
- Due to a lack of sanitization, the component uses the attacker-provided path (e.g., ../../../../etc/passwd%00) directly in its file inclusion logic.
- The null byte (%00) terminates the string, allowing the component to include the attacker's chosen file (e.g., /etc/passwd) instead of a file expected by the component.
- The content of the target file is then returned to the attacker in the HTTP response.
Source references
- Paper Title: Joomla com_jeauto LFI Vulnerability
- Author: Sid3^effects
- Published: 2010-12-19
- Exploit-DB Paper ID: 15779
- Exploit-DB URL: https://www.exploit-db.com/papers/15779
Original Exploit-DB Content (Verbatim)
#Name : Joomla com_jeauto LFI Vulnerability
#Date : Dec,7 2010
#Vendor Url :http://joomlaextensions.co.in/jeauto
#Dork:inurl:com_jeauto
#Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
#Big hugs : Th3 RDX,Hanan_butt,
#special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,SeeMe,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr,tranquiller
#greetz to :!Op3x_ninjato team,www.topsecure.net ,trent Dillman,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description:
User can also see the category at the front page. Category wise items (cars) are displayed in it. Click on the
particular category it will display that category item. If user wants to see that item (car) then click on that
item (car) then it will display the item full description.
User can see the item’s in the Google Map. User can also rate the particular item (car). We have put the Ajax
rating control to rate the item (car). Admin can set the design of category page, item (car) page and item (car)
detail page from the back end. Admin can also create the fields dynamically from the back end.
###############################################################################################################
Exploit:
http://server/jeauto/index.php?option=com_jeauto&view=[LFI]%00
###############################################################################################################
Fix:
N/a
###############################################################################################################
# 0day no more
# Sid3^effects
# 1337day.com