Evolution 1.1 and Prior Remote Execution

By Jay Stephen Gilmore
November 12, 2016

Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: <=1.1
Vulnerability Type: Remote Code Execution
Report Date: 2016-November-08
Fixed Date: 2016-November-12

Description
The following components distributed with all versions of MODX Evolution (and 0.9.x) contain a vulnerability that allows remote code execution: AjaxSearch, eForm and evoGallery.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.1 (with AjaxSearch, eForm or evoGallery installed) are affected.

Solution
Determine whether the site is compromised. Remove any malicious files or database entries, then upgrade to MODX Evolution 1.2 or above. See the instructions below.

Support
If you do not know how to upgrade your site and complete the steps below to locate and remove malicious files and database entries, there are options: contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional, or get help from the MODX Services team.

One way to determine whether your site has been compromised is a new tool called Evocheck. It can help identify malicious code in files or in the database. We recommend using it or a similar tool if you suspect your site has been compromised. Even after your site is secured again, the tool remains useful for finding any given text or code in your installation.

Please note that no detection script is perfect, and exploits may change over time to evade such detection.

Cleaning and Upgrade Instructions for a Compromised Installation

  1. Log out of the manager.
  2. Download the latest MODX Evolution 1.2 release.
  3. Upload the package to your server via FTP, explicitly overwriting any existing files.
  4. Delete the file cache/siteCache.idx.php manually via FTP (do NOT rely on the "Clear Cache" button inside the manager), because a malicious plugin is likely hidden in the database and will reinfect the site when the cache is rebuilt.
  5. Use Evocheck to check for malicious plugins and files you wish to delete. Inside their source code you will find strange or suspicious code like the samples shown below these instructions.
  6. Note the ID of this plugin, which is probably the last one added, and use phpMyAdmin or https://www.adminer.org/ to delete it manually from the "site_plugins" table.
  7. IMPORTANT: Repeat steps 4 and 5 in case changes happened in the meantime.
  8. IMPORTANT: If the upgrade/security fix does not seem to work, there are additional uploaded files or backdoors left on the server. Evocheck can help, but you still need technical expertise to know what you are doing, i.e. using the right regex terms to find malicious code. It is not a one-click solution!
  9. If your site uses eForm or AjaxSearch, test their functionality, as there are changes to these Extras.

Samples of Malicious Code

    eval(base64_decode("cc6ebdef6a9f8fd3887455e23a2ec....
    eval("base".128/2."_dec"."ode(.....)"

IMPORTANT: Last but not least, monitor your server for at least a week to be sure you have found and removed all backdoors and malicious files.
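The kind of check steps 5 and 6 ask for, written out as an added example in Python. This is not Evocheck and not MODX code; it scans a directory tree for the two patterns quoted above (including the split-string form that hides "base64_decode" from a naive grep) and applies the same detector to rows pulled from the site_plugins table. The column name plugincode and the default modx_ table prefix mentioned in the usage note are assumptions about the Evolution schema; the sample files and rows are constructed for the demo.

```python
"""Scan a MODX Evolution tree and site_plugins rows for the eval()/base64
backdoor patterns described in this advisory (added example, not Evocheck)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# (label, regex). The first two correspond to the two samples quoted above;
# the rest are common variations of the same eval()-a-decoded-payload trick.
SUSPICIOUS_PATTERNS = [
    ("eval(base64_decode(...))",
     re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I)),
    # eval("base".128/2."_dec"."ode(...)"): the function name is assembled
    # from fragments so the literal string base64_decode never appears.
    ("eval of a function name assembled from fragments",
     re.compile(r'eval\s*\(\s*["\']base["\']\s*\.', re.I)),
    ("fragmented '_dec'.'ode' function name",
     re.compile(r'["\']_dec["\']\s*\.\s*["\']ode["\']', re.I)),
    ("decoder wrapped around base64_decode",
     re.compile(r'\b(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode', re.I)),
    ("eval fed directly from a request variable",
     re.compile(r'eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b', re.I)),
]


def find_suspicious(source: str) -> list[tuple[int, str]]:
    """Return (1-based line number, label) for every line that matches."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, label))
                break  # one report per line is enough
    return hits


def scan_tree(root: Path, suffixes=(".php",)) -> dict[str, list[tuple[int, str]]]:
    """Map relative path -> hits for every file under root that matched.
    Bytes are decoded leniently so a binary-laden backdoor cannot abort the scan."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_suspicious(path.read_bytes().decode("utf-8", "replace"))
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results


def scan_plugin_rows(rows: list[dict]) -> list[int]:
    """Given site_plugins rows as dicts with id, name and plugincode (assumed
    column name), return ids whose code matches, highest id first, since the
    advisory notes the injected plugin is usually the most recently added one."""
    flagged = [row["id"] for row in rows if find_suspicious(row["plugincode"])]
    return sorted(flagged, reverse=True)


def demo() -> dict[str, list[tuple[int, str]]]:
    """Build a small constructed site tree (sample data, not a real dump) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "assets" / "snippets").mkdir(parents=True)
        (root / "cache").mkdir()
        # Legitimate base64 use: must not be flagged.
        (root / "assets" / "snippets" / "clean.php").write_text(
            "<?php\n$img = base64_encode(file_get_contents($file));\n")
        # The cache file inlines plugin code, which is why step 4 deletes it.
        (root / "cache" / "siteCache.idx.php").write_text(
            '<?php\neval(base64_decode("ZWNobyAxOw=="));\n')
        # Obfuscated form like the second sample above.
        (root / "assets" / "snippets" / "obf.php").write_text(
            '<?php\neval("base".128/2."_dec"."ode(...)");\n')
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for lineno, label in hits:
            print(f"{rel_path}:{lineno}: {label}")
```

To use it on a real site, point scan_tree at the webroot after the upgrade in step 3, and feed scan_plugin_rows the result of a query such as SELECT id, name, plugincode FROM modx_site_plugins (modx_ being the default table prefix; yours may differ). The ids it returns are the ones to delete in step 6, and the file hits are the candidates for step 8. Like Evocheck, it only finds what its patterns describe, so treat a clean result as a starting point, not a guarantee.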

NOTE
A special thanks to community members pixelchutes, cipa and pbowyer for identifying the vector and yama for the resolution. And of course, everybody else involved in sorting out this compromise.