There is a serialized object injection vulnerability in the Akeeba Joomla update component functionality in versions <= 2.5.25, 3.0-3.2.5, and 3.3.0-3.3.4 which can lead to remote code execution (RCE). The vulnerability exists as a result of flawed sanitization of superglobal variables which store request data. The functionality intended to prevent tampering of the setup parameters can be bypassed enabling a modified PHP serialized object to be passed via a user-controlled parameter. The serialized object causes a zip file containing a malicious file to be downloaded by the update script and extracted to the server. This malicious file can then be requested by the attacker resulting in RCE. The vulnerability requires the ‘restoration.php’ file to be present in the ‘com_joomlaupdate’ directory to be successfully exploited.
- An unauthenticated remote user sends a request containing a crafted serialized PHP object via the ‘factory’ parameter and a ‘task’ parameter value of ‘stepRestore’.
- The Joomla instance processes the request using the data contained within the serialized object to download and extract an external archive hosted by the attacker.
- The server responds with a ‘200’ response containing JSON-encoded status data indicating successful status of the update request.
- The unauthenticated remote attacker requests the extracted file.
The attacker must be able to send crafted packets to the victim host.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.