Joomla Remote Code Execution - CVE-2015-8562

kalakai — Wed, 16 Dec 2015 18:21:36 GMT

Hello,

I created a custom vulnerability signature that helps to detect and block the recently discovered Joomla RCE zero day which has since been patched by the vendor. I've opened a case with an engineer and he suggesed some additional protections until an official signature is released. The engineer suggested I post it here so that other people may benefit.

It checks for the following http headers in a GET request:

JDatabaseDriverMysqli

JSimplepieFactory

disconnectHandlers

eval(base64_decode($_POST[111]))

I don't see an option to upload the .xml so here is the full xml code, sorry for the length:

<vulnerability-threat version="6.1.0">
  <entry name="41001">
    <signature>
      <standard>
        <entry name="Suspicious HTTP Header">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <qualifier>
                        <entry name="http-method">
                          <value>GET</value>
                        </entry>
                      </qualifier>
                      <pattern>((JDatabaseDriverMysqli)|(JSimplepieFactory)|(disconnectHandlers))</pattern>
                      <context>http-req-headers</context>
                    </pattern-match>
                  </operator>
                </entry>
                <entry name="Or Condition 2">
                  <operator>
                    <pattern-match>
                      <qualifier>
                        <entry name="http-method">
                          <value>GET</value>
                        </entry>
                      </qualifier>
                      <pattern>eval(base64_decode($_POST[111]))</pattern>
                      <context>http-req-headers</context>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>no</order-free>
          <scope>protocol-data-unit</scope>
          <comment>User agent strings identified in the reference link</comment>
        </entry>
      </standard>
    </signature>
    <default-action>
      <drop-packets/>
    </default-action>
    <cve>
      <member>CVE-2015-8562</member>
    </cve>
    <reference>
      <member>https://wp.me/p3AjUX-u58</member>
    </reference>
    <vendor>
      <member>Joomla</member>
    </vendor>
    <threatname>Joomla CVE-2015-8562</threatname>
    <severity>critical</severity>
    <direction>client2server</direction>
    <comment>Remote Code Execution Vulnerability. This signature is only a band-aid per the link in the reference below.</comment>
    <affected-host>
      <server>yes</server>
    </affected-host>
  </entry>
</vulnerability-threat>

Re: Joomla Remote Code Execution - CVE-2015-8562

kalakai — Wed, 23 Dec 2015 21:14:26 GMT

FYI, content release 547 which was released today (12/23/2015) contains dections for this vulnerability. ID 38640 & 38638.

topic Re: Joomla Remote Code Execution - CVE-2015-8562 in Custom Signatures

Joomla Remote Code Execution - CVE-2015-8562

Re: Joomla Remote Code Execution - CVE-2015-8562