forked from google/tsunami-security-scanner-plugins
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'google:master' into torchserve_rce_new
- Loading branch information
Showing
8 changed files
with
996 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
# Magento / Adobe Commerce CosmicSting XXE (CVE-2024-34102) | ||
|
||
## Description | ||
|
||
Adobe Commerce and Magento v2.4.7 and earlier are vulnerable to a critical | ||
unauthenticated XXE (XML External Entity) vulnerability that can lead to | ||
arbitrary code execution on unpatched systems. The vulnerability can be | ||
exploited by sending an unauthenticated HTTP request with a crafted XML file | ||
that references external entities; when the request payload is deserialized, the | ||
attacker can extract sensitive files from the system and gain administrative | ||
access to the software. | ||
|
||
### Impact | ||
|
||
The CosmicSting XXE vulnerability by itself can be exploited to perform | ||
Arbitrary File Reads and Server-Side Request Forgeries (SSRF). Effectively, this | ||
allows attackers to leak sensitive information from files in the target system | ||
or from internal network endpoints. For example, an attacker could leak | ||
Magento's configuration files to gain administrative access to the software, or | ||
leak an SSH key to log onto the system itself. | ||
|
||
### Remote Code Execution | ||
|
||
On unpatched systems, Remote Code Execution can be achieved by combining the | ||
CosmicSting XXE vulnerability with the | ||
[PHP iconv RCE](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1) (aka | ||
CNEXT). A very reliable public exploit for Magento that leverages both | ||
vulnerabilities and achieves RCE was released by @cfreal, the author of the | ||
iconv research, and can be found | ||
[here](https://github.com/ambionics/cnext-exploits/blob/main/cosmicsting-cnext-exploit.py). | ||
|
||
### Detector's implementation | ||
|
||
This detector only exploits the XXE vulnerability to perform a simple Arbitrary | ||
File Read (leaking `/etc/passwd`) and a SSRF (calling back to the Tsunami | ||
Callback Server). It was not possible to implement the full RCE exploit due to | ||
the current limitations of the Callback Server. Specifically, the RCE exploit | ||
requires leaking the process memory map and the system's libc binary, in order | ||
to properly calculate the memory addresses needed for the final exploit step. | ||
Even if the Callback Server allows us to check whether a callback was received, | ||
it doesn't allow us to fetch any extra data attached to the request (such as URL | ||
parameters or the POST body), thus it makes it impossible for us to retrieve the | ||
leaked data needed for the full exploit. | ||
|
||
## Affected Versions | ||
|
||
- 2.4.7 and earlier | ||
- 2.4.6-p5 and earlier | ||
- 2.4.5-p7 and earlier | ||
- 2.4.4-p8 and earlier | ||
- 2.4.3-ext-7 and earlier* | ||
- 2.4.2-ext-7 and earlier* | ||
|
||
*These versions are only applicable to customers participating in the Extended | ||
Support Program | ||
|
||
## References | ||
|
||
- [CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce | ||
and Magento | ||
(CVE-2024-34102)](https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102) | ||
- [NIST: CVE-2024-34102](https://nvd.nist.gov/vuln/detail/CVE-2024-34102) | ||
- [Adobe Security Bulletin APSB24-40](https://helpx.adobe.com/security/products/magento/apsb24-40.html) | ||
- [CosmicSting CNEXT RCE exploit](https://github.com/ambionics/cnext-exploits/blob/main/cosmicsting-cnext-exploit.py) | ||
|
||
## Build jar file for this plugin | ||
|
||
Using `gradlew`: | ||
|
||
```shell | ||
./gradlew jar | ||
``` | ||
|
||
The Tsunami identifiable jar file is located at `build/libs` directory. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
plugins { | ||
id 'java-library' | ||
} | ||
|
||
description = 'Magento / Adobe Commerce CosmicSting XXE (CVE-2024-34102)' | ||
group = 'com.google.tsunami' | ||
version = '0.0.1-SNAPSHOT' | ||
|
||
repositories { | ||
maven { // The google mirror is less flaky than mavenCentral() | ||
url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' | ||
} | ||
mavenCentral() | ||
mavenLocal() | ||
} | ||
|
||
java { | ||
sourceCompatibility = JavaVersion.VERSION_11 | ||
targetCompatibility = JavaVersion.VERSION_11 | ||
|
||
jar.manifest { | ||
attributes('Implementation-Title': name, | ||
'Implementation-Version': version, | ||
'Built-By': System.getProperty('user.name'), | ||
'Built-JDK': System.getProperty('java.version'), | ||
'Source-Compatibility': sourceCompatibility, | ||
'Target-Compatibility': targetCompatibility) | ||
} | ||
|
||
javadoc.options { | ||
encoding = 'UTF-8' | ||
use = true | ||
links 'https://docs.oracle.com/javase/8/docs/api/' | ||
} | ||
|
||
// Log stacktrace to console when test fails. | ||
test { | ||
testLogging { | ||
exceptionFormat = 'full' | ||
showExceptions true | ||
showCauses true | ||
showStackTraces true | ||
} | ||
maxHeapSize = '1500m' | ||
} | ||
} | ||
|
||
ext { | ||
tsunamiVersion = 'latest.release' | ||
junitVersion = '4.13.1' | ||
mockitoVersion = '2.28.2' | ||
truthVersion = '1.0.1' | ||
guiceVersion = '4.2.3' | ||
} | ||
|
||
dependencies { | ||
implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" | ||
implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" | ||
implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" | ||
|
||
testImplementation "junit:junit:${junitVersion}" | ||
testImplementation "org.mockito:mockito-core:${mockitoVersion}" | ||
testImplementation "com.google.inject:guice:${guiceVersion}" | ||
testImplementation "com.google.truth:truth:${truthVersion}" | ||
testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}" | ||
testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" | ||
testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
rootProject.name = 'magento_cosmicsting_xxe_cve-2024-34102' |
36 changes: 36 additions & 0 deletions
36
...xxe/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202434102/Annotations.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
/* | ||
* Copyright 2024 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
package com.google.tsunami.plugins.detectors.cves.cve202434102; | ||
|
||
import static java.lang.annotation.ElementType.FIELD; | ||
import static java.lang.annotation.ElementType.METHOD; | ||
import static java.lang.annotation.ElementType.PARAMETER; | ||
|
||
import java.lang.annotation.Retention; | ||
import java.lang.annotation.RetentionPolicy; | ||
import java.lang.annotation.Target; | ||
import javax.inject.Qualifier; | ||
|
||
/** Annotation for {@link MagentoCosmicStingXxe}. */ | ||
final class Annotations { | ||
@Qualifier | ||
@Retention(RetentionPolicy.RUNTIME) | ||
@Target({PARAMETER, METHOD, FIELD}) | ||
@interface OobSleepDuration {} | ||
|
||
private Annotations() {} | ||
} |
Oops, something went wrong.