On Tuesday, December 14, Joomla development team had released a new version of security update to patch a critical 0-day remote command execution vulnerability. Hackers have already been trying to attack vulnerable websites.

This 0-day vulnerability is already being exploited by attackers — first attemts was detected on December 12. Log entries of websites that has been compromised contain the following information:

2015 Dec 12 16:49:07 clienyhidden.access.log Src IP: / CAN / Alberta – – [12/Dec/2015:16:49:40 –0500] “GET /contact/ HTTP/1.1″ 403 5322 “http://google.com/” “}__test|O:21:\x22JDatabaseDriverMysqli\x22:3: .. {s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0: .. {}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:.. {s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:..

Joomla session handling code contains a vulnerability that allows to inject a line in serialized session syntax via HTTP User- Agent or X-Forwarded-For headers. Exploit works because of MySQL’s default behavior when it meets an UTF-8 character in the range U+010000 — U+10FFFF. MySQL will just truncate all the data if line with this character is injected. It allows to create a record with custom PHP-objects in a session table without any syntax violation. To deserialize an attacker session Joomla’s class destructors are being called, that leads to arbitrary code execution. You need to use utf8mb4 in MySQL to prevent data truncation.

Joomla 1.5 was released in January 2008. It means that the vulnerability has existed in this and later versions for almost eight years now. Today there are no information about how many websites and web resources have been compromised by this 0-day exploit.

 How to protect yourself from 0-day exploits

0-day vulnerability exploits on Joomla 1.5 – 3.4.5. All users need to update their system — you can do it here.
For those on the 1.5.x and 2.5.x branches, install patches using the link (hotfixes user guide is available here).

As a temporary measure of precaution Sucuri specialists recommend to replace potentially dangerous data in HTTP User-Agent header. Here is an example of Apache web server configuration:

RewriteCond %{HTTP_USER_AGENT} .*\{.* [NC]

RewriteRule .* – [F,L]

This was not the first time when security researchers find vulnerabilities in CMS Joomla. There was a release of a 3.4.5 version in October 2015, where all the significant vulnerabilities that discovered opportunities of SQL injections and others were removed (CVE-2015-7297, CVE-2015-7857, CVE-2015-7858).