Nytro Posted July 13, 2012 Report Share Posted July 13, 2012 Magento eCommerce Platform XXE InjectionAuthored by Kestutis Gudinavicius | Site sec-consult.com Magento eCommerce platform uses a vulnerable version of Zend framework which is prone to XML eXternal Entity Injection attacks. The SimpleXMLElement class of Zend framework (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.SEC Consult Vulnerability Lab Security Advisory < 20120712-0 >======================================================================= title: Local file disclosure via XXE injection product: Magento eCommerce Platform Enterprise & Community Edition vulnerable version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.1 Magento eCommerce Platform Community Edition <= v1.7.0.1 fixed version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.2 Magento eCommerce Platform Community Edition <= v1.7.0.2 impact: Critical homepage: http://www.magentocommerce.com/ found: 2012-06-18 by: K. Gudinavicius SEC Consult Vulnerability Lab https://www.sec-consult.com=======================================================================Vendor description:-------------------"Magento eCommerce Platforms provide the scalability, flexibility and featuresfor business growth. Magento provides feature-rich eCommerce platforms thatoffer merchants complete flexibility and control over the presentation,content, and functionality of their online channel."Source: http://www.magentocommerce.com/product/featuresVulnerability overview/description:-----------------------------------Magento eCommerce platform uses a vulnerable version of Zend framework whichis prone to XML eXternal Entity Injection attacks. The SimpleXMLElement classof Zend framework (SimpleXML PHP extension) is used in an insecure way toparse XML data. External entities can be specified by adding a specificDOCTYPE element to XML-RPC requests. By exploiting this vulnerability anapplication may be coerced to open arbitrary files and/or TCP connections.Proof of concept:-----------------Magento uses a vulnerable Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php)to handle XML-RPC requests. Hence it is possible to disclose arbitrary localfiles from the remote system. The following HTTP POST request to thevulnerable XmlRpc server application illustrates the exploitation of thisvulnerability:POST /index.php/api/xmlrpc HTTP/1.1Host: $host<?xml version="1.0"?> <!DOCTYPE foo [ <!ELEMENT methodName ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><methodCall> <methodName>&xxe;</methodName></methodCall>Vulnerable / tested versions:-----------------------------Magento eCommerce Platform Enterprise Edition v1.10.1.1Magento eCommerce Platform Community Edition v1.7.0.0 & v1.7.0.1Earlier versions are probably affected too!Vendor contact timeline:------------------------2012-06-18: Contacting vendor through the contact form on the webpage as no email addresses or security contacts are to be found http://www.magentocommerce.com/company/contact-us2012-06-20: No reply so far, hence trying again by choosing a different contact reason.2012-06-21: Creating a bug tracking entry, asking for security contact http://www.magentocommerce.com/bug-tracking.2012-06-21: Vendor reply: security@magento.com should be used.2012-06-22: Sending advisory draft.2012-06-22: Vendor reply: Testing workaround for customers to disable XMLRPC functionality, patch in progress; vendor will improve website to provide a clearer, more direct method for researchers.2012-06-25: Asking for affected versions and release timeline.2012-06-26: Informing Magento about Zend framework advisory.2012-06-27: Vendor: sending more information to SEC Consult soon.2012-07-04: Asking vendor about status.2012-07-05: Vendor releases new versions and patches.2012-07-12: SEC Consult releases detailed advisory.Solution:---------Magento Community Edition* 1.7.0.0+ - Upgrade to the latest version, currently v1.7.0.2: http://www.magentocommerce.com/download* 1.4.0.0 - 1.4.1.1 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch* 1.4.2.0 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.2.0.patch* 1.5.0.0 - 1.7.0.1 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patchMagento Enterprise Edition* 1.12.0.0+ - Upgrade to the latest version, currently v1.12.0.2: https://www.magentocommerce.com/products/customer/account/index/* 1.8.0.0 – 1.11.X.X - Apply the Zend Security Upgrades patch https://www.magentocommerce.com/products/customer/account/index/Magento Professional Edition* All versions - Apply the Zend Security Upgrades patch https://www.magentocommerce.com/products/customer/account/index/More information can be found at:http://www.magentocommerce.com/blog/comments/update-zend-framework-vulnerability-security-update/Workaround:-----------Detailed steps can be found at:http://www.magentocommerce.com/blog/comments/update-zend-framework-vulnerability-security-update/Advisory URL:-------------https://www.sec-consult.com/en/advisories.html~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Unternehmensberatung GmbHOffice ViennaMooslackengasse 17A-1190 ViennaAustriaTel.: +43 / 1 / 890 30 43 - 0Fax.: +43 / 1 / 890 30 43 - 25Mail: research at sec-consult dot comhttps://www.sec-consult.comEOF K. Gudinavicius, J. Greil / @2012Sursa: Magento eCommerce Platform XXE Injection ? Packet Storm Quote Link to comment Share on other sites More sharing options...
cyadron Posted July 14, 2012 Report Share Posted July 14, 2012 Ati avut ceva noroc ? Nu prea poti sa faci mare lucru, merge sa vezi /etc/passwd dar cam atat... Quote Link to comment Share on other sites More sharing options...
SirGod Posted July 14, 2012 Report Share Posted July 14, 2012 E doar un PoC. Modifica-l si citeste ce fisier vrei si ai permisiuni sa citesti (e.g. config.php). E un Local File Disclosure. Quote Link to comment Share on other sites More sharing options...
cyadron Posted July 14, 2012 Report Share Posted July 14, 2012 Am reusit sa vad /etc/passwd. Dar cam atat. Cred ca nu am permisii sa vad alte fisiere... Quote Link to comment Share on other sites More sharing options...
SirGod Posted July 14, 2012 Report Share Posted July 14, 2012 Ce fisiere ai incercat sa citesti? Poti citi doar ce poate apache/www citi. De obicei toate fisierele din directorul htdocs/www + cateodata si altele (depinde de permisiunile setate de catre sysadmin si din moment ce citesti etc/passwd probabil poti citi si alte fisiere de sistem). Quote Link to comment Share on other sites More sharing options...
cyadron Posted July 18, 2012 Report Share Posted July 18, 2012 Stiu ca asa ar trebui dar totusi imi da eroare daca incerc sa citesc de exemplu index.php. Stiu ca fisierul exista pentru ca pot de exemplu sa citesc din acelasi folder .htaccess. Eroarea care o am este 631 - failed to parse request. Quote Link to comment Share on other sites More sharing options...
cyadron Posted July 18, 2012 Report Share Posted July 18, 2012 ok, am gasit problema. Incercam sa vizualizez fisierul direct si bineinteles ca nu mergea. Am gasit un workaround sa il encodez intai cu base64 si apoi sa il decodez. Quote Link to comment Share on other sites More sharing options...
