Joomla! Remember Me Cookie Encryption Issues

Posted in Joomla!
2011-09-29 04:11:31 +0000 UTC

There is a serious problem with the way Joomla! handles the "remember me" login cookie. It is possible to decrypt the contents of this cookie and alter the serialized data inside, which could possibly lead to exploitation. Versions 1.5 through 1.7.1 are affected.

Sites running unpatched versions of PHP that are vulnerable to the "SplObjectStorage Deserialization Use-After-Free Vulnerability" should be exploitable. Other scenarios may also be exploitable, depending on the installed extensions and the classes available at the time of deserialization.

The prerequisites for testing this issue:

Here's how it works: visit the target site with a user agent of JLOGIN_REMEMBER and log in with a valid account, checking the "remember me" checkbox. Doing so results in 2 cookies - a session cookie and a "remember me" cookie.

If you have done this correctly, the 2nd cookie will have an md5 hash for the name and a JSimpleCrypt encrypted serialized array for the value. With the user agent of JLOGIN_REMEMBER, the cookie name is the decryption key. Using modified code from JSimpleCrypt, you can use this key to decrypt the cookie value, alter the serialized string, re-encrypt it, and change the cookie's value.

Once the "remember me" cookie is changed with the malicious encrypted data, delete the 1st cookie and revisit the target site to have Joomla! parse the "remember me" cookie and unserialize the injected string. On installations that are patched against the above-mentioned SplObjectStorage vulnerability, there still exists at the very least an issue of information disclosure.

When the "remember me" cookie's name is created, it uses an md5sum of the user agent + the site secret (which is why having a user agent of JLOGIN_REMEMBER allows you to decrypt the cookie). By following the login steps above, but instead with a completely blank user agent, your cookie name will give you an md5sum of the site secret by itself. Combining this with utilities such as JtR or Hashcat could allow an attacker to reverse-engineer the site secret.

Additional information can be gained if display_errors is enabled. The "username" value in the cookie is passed raw into mysql_real_escape_string, which will throw an error if given a non-string value. Passing a serialized instance of an undeclared class can result in a __PHP_Incomplete_Class error. The "password" variable is particularly interesting in part because it is converted to a string if the "username" value is valid, thus errors can be thrown if it is handed an object with no __toString method (or abused as part of a POP chain if any interesting classes with usable __toString methods are available via 3rd party extensions).
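The two weaknesses described above (a key derived from the client's user agent with the same hash that names the cookie, and unserialize() on cookie data) are modelled here next to a hardened token. This is an added PHP example, not Joomla!'s code or its patch. The sample secret, all function names, the purpose label, the token layout and the concatenation order inside `legacy_hash` are assumptions.

```php
<?php
// Constructed sample secret; a real site secret is long and random.
const SITE_SECRET = 'constructed-site-secret';

// Simplified model of the scheme described above: one md5 hash over the site
// secret and a label yields both values (concatenation order is assumed).
function legacy_hash(string $label): string { return md5(SITE_SECRET . $label); }
function legacy_cookie_name(): string { return legacy_hash('JLOGIN_REMEMBER'); }
function legacy_key(string $userAgent): string { return legacy_hash($userAgent); }

// Hardened: HMAC-SHA256 over a fixed purpose label. No client input enters
// the derivation, and the MAC key is never sent to the browser.
function derive_key(string $purpose): string {
    return hash_hmac('sha256', $purpose, SITE_SECRET, true);
}

// Token = base64(JSON payload) . "." . base64(MAC over the payload).
function issue_token(int $userId, int $expires): string {
    $body = json_encode(['uid' => $userId, 'exp' => $expires]);
    $tag  = hash_hmac('sha256', $body, derive_key('remember-me-mac'), true);
    return base64_encode($body) . '.' . base64_encode($tag);
}

// Returns the payload array, or null if the token is malformed, forged or
// expired. The MAC is checked first; unserialize() is never called.
function verify_token(string $token, int $now): ?array {
    $parts = explode('.', $token);
    $body  = base64_decode($parts[0], true);
    $tag   = base64_decode($parts[1] ?? '', true);
    if (count($parts) !== 2 || $body === false || $tag === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $body, derive_key('remember-me-mac'), true);
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $data = json_decode($body, true);   // plain arrays and scalars only
    if (!is_array($data) || !isset($data['uid'], $data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return $data;
}

// Legacy model: is the key for this user agent the same as the cookie name?
var_dump(legacy_key('JLOGIN_REMEMBER') === legacy_cookie_name());
// Hardened token: a valid round trip, then a payload altered after issue.
$token = issue_token(42, time() + 3600);
var_dump(verify_token($token, time()));
var_dump(verify_token(base64_encode('{"uid":1,"exp":9999999999}') . strstr($token, '.'), time()));
```

Because the payload is authenticated JSON, a modified cookie is rejected before any parsing, and decoding it cannot instantiate classes or trigger `__toString` the way the unserialized values described above can.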

This issue was patched 17 October 2011.