Joomla (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit

Yesterday Joomla published version 3.6.4, an update to patch security issues:

  • High Priority — Core — Account Creation (affecting Joomla! 3.4.4 through 3.6.3)
  • High Priority — Core — Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3)

Because I was curious to see how these vulnerabilities worked, I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file.

Turns out the register method of UsersControllerUser had been removed completely. Interesting. So I installed my own Joomla at version 3.6.3 and noticed that registrations are usually done with the following request:

In Joomla, the option parameter is a reference to the Joomla component in the components directory, and the task parameter is a reference to the controller and method that has to be called. As you can see in the screenshot, a registration is processed by the Registration controller.

It became clear to me that the Registration controller could be bypassed by calling the removed register method of the User controller, so I switched off Allow User Registration and modified the request.

Because the method expects an array named user, I substituted jform with user in the request. Finally I modified the task parameter by changing registration.register into user.register. This is the final request:

When I went back to the Admin console I found a registered user there ☺︎

For Elevated Privileges, the newly created user can be added to a group of choice by including a user[groups][] parameter in the request. The default group ID of the Administrators group is 7.

So by combining these two vulnerabilities it is possible to create an Administrator user without any prior authentication. After that, you can upload a shell as an extension and get code execution on the server 🎉
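For defenders, both request patterns described above can be checked for in captured HTTP requests or WAF logs on sites still running 3.4.4 through 3.6.3. The following is an added example, not part of the original write-up or of Joomla's code; the function names, finding labels and sample requests are constructed. It assumes the parameters may arrive in the query string or the form body, and that a routed URL may select the component without an option parameter.

```python
from urllib.parse import parse_qsl, urlsplit

ADMIN_GROUP_IDS = {"7"}  # default Administrators group ID, as stated in the write-up


def request_params(url, body=""):
    """Merge query-string and form-body parameters into (name, value) pairs."""
    query = urlsplit(url).query
    return (parse_qsl(query, keep_blank_values=True)
            + parse_qsl(body, keep_blank_values=True))


def classify(url, body=""):
    """Return the findings for one request; an empty list means no match."""
    params = request_params(url, body)
    options = {v.strip().lower() for k, v in params if k == "option"}
    tasks = {v.strip().lower() for k, v in params if k == "task"}
    findings = []
    # Assumption: a missing option parameter is treated as a possible match,
    # because the component can also be selected by the routed URL.
    if "user.register" in tasks and (not options or "com_users" in options):
        findings.append("removed-register-task")
        # parse_qsl percent-decodes names, so user%5Bgroups%5D%5B%5D matches.
        groups = [v.strip() for k, v in params if k.startswith("user[groups]")]
        if groups:
            findings.append("group-assignment")
        if ADMIN_GROUP_IDS.intersection(groups):
            findings.append("administrators-group")
    return findings


# Constructed sample requests (url, body); not captured traffic.
SAMPLES = [
    ("/index.php",
     "option=com_users&task=registration.register&jform%5Busername%5D=alice"),
    ("/index.php",
     "option=com_users&task=user.register&user%5Busername%5D=alice"),
    ("/index.php?option=com_users&task=user.register",
     "user%5Bgroups%5D%5B%5D=7"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(classify(url, body) or "ok", url, body)
```

Any hit on a site that has registration disabled, or any group-assignment hit at all, is worth correlating with newly created accounts in the Joomla user table.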

Final notes

  • For the request to work it needs to include a valid cookie and security token. You can grab a token from the login form. The security token can be weird and doesn’t always work. I’m still trying to find out how to reliably grab a working one.
  • The final request is available here: https://gist.github.com/melvinsh/4b28f78ace12ec0c02b183bbadc76da8.