Merge pull request #538 from doyensec:magento-cosmicsting-xxe

PiperOrigin-RevId: 702623968 Change-Id: I8ea3597b6608a6e9256797634bf8f72e019eccad
google · Dec 4, 2024 · 1bfe00c · 1bfe00c
2 parents 4d33236 + 18c91af
commit 1bfe00c
Show file tree

Hide file tree

Showing 8 changed files with 996 additions and 0 deletions.
diff --git a/doyensec/detectors/magento_cosmicsting_xxe/README.md b/doyensec/detectors/magento_cosmicsting_xxe/README.md
@@ -0,0 +1,74 @@
+# Magento / Adobe Commerce CosmicSting XXE (CVE-2024-34102)
+
+## Description
+
+Adobe Commerce and Magento v2.4.7 and earlier are vulnerable to a critical
+unauthenticated XXE (XML External Entity) vulnerability that can lead to
+arbitrary code execution on unpatched systems. The vulnerability can be
+exploited by sending an unauthenticated HTTP request with a crafted XML file
+that references external entities; when the request payload is deserialized, the
+attacker can extract sensitive files from the system and gain administrative
+access to the software.
+
+### Impact
+
+The CosmicSting XXE vulnerability by itself can be exploited to perform
+Arbitrary File Reads and Server-Side Request Forgeries (SSRF). Effectively, this
+allows attackers to leak sensitive information from files in the target system
+or from internal network endpoints. For example, an attacker could leak
+Magento's configuration files to gain administrative access to the software, or
+leak an SSH key to log onto the system itself.
+
+### Remote Code Execution
+
+On unpatched systems, Remote Code Execution can be achieved by combining the
+CosmicSting XXE vulnerability with the
+[PHP iconv RCE](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1) (aka
+CNEXT). A very reliable public exploit for Magento that leverages both
+vulnerabilities and achieves RCE was released by @cfreal, the author of the
+iconv research, and can be found
+[here](https://github.com/ambionics/cnext-exploits/blob/main/cosmicsting-cnext-exploit.py).
+
+### Detector's implementation
+
+This detector only exploits the XXE vulnerability to perform a simple Arbitrary
+File Read (leaking `/etc/passwd`) and a SSRF (calling back to the Tsunami
+Callback Server). It was not possible to implement the full RCE exploit due to
+the current limitations of the Callback Server. Specifically, the RCE exploit
+requires leaking the process memory map and the system's libc binary, in order
+to properly calculate the memory addresses needed for the final exploit step.
+Even if the Callback Server allows us to check whether a callback was received,
+it doesn't allow us to fetch any extra data attached to the request (such as URL
+parameters or the POST body), thus it makes it impossible for us to retrieve the
+leaked data needed for the full exploit.
+
+## Affected Versions
+
+-   2.4.7 and earlier
+-   2.4.6-p5 and earlier
+-   2.4.5-p7 and earlier
+-   2.4.4-p8 and earlier
+-   2.4.3-ext-7 and earlier*
+-   2.4.2-ext-7 and earlier*
+
+*These versions are only applicable to customers participating in the Extended
+Support Program
+
+## References
+
+-   [CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce
+    and Magento
+    (CVE-2024-34102)](https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102)
+-   [NIST: CVE-2024-34102](https://nvd.nist.gov/vuln/detail/CVE-2024-34102)
+-   [Adobe Security Bulletin APSB24-40](https://helpx.adobe.com/security/products/magento/apsb24-40.html)
+-   [CosmicSting CNEXT RCE exploit](https://github.com/ambionics/cnext-exploits/blob/main/cosmicsting-cnext-exploit.py)
+
+## Build jar file for this plugin
+
+Using `gradlew`:
+
+```shell
+./gradlew jar
+```
+
+The Tsunami identifiable jar file is located at `build/libs` directory.
diff --git a/doyensec/detectors/magento_cosmicsting_xxe/build.gradle b/doyensec/detectors/magento_cosmicsting_xxe/build.gradle
@@ -0,0 +1,68 @@
+plugins {
+    id 'java-library'
+}
+
+description = 'Magento / Adobe Commerce CosmicSting XXE (CVE-2024-34102)'
+group = 'com.google.tsunami'
+version = '0.0.1-SNAPSHOT'
+
+repositories {
+    maven { // The google mirror is less flaky than mavenCentral()
+        url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+    }
+    mavenCentral()
+    mavenLocal()
+}
+
+java {
+    sourceCompatibility = JavaVersion.VERSION_11
+    targetCompatibility = JavaVersion.VERSION_11
+
+    jar.manifest {
+        attributes('Implementation-Title': name,
+                'Implementation-Version': version,
+                'Built-By': System.getProperty('user.name'),
+                'Built-JDK': System.getProperty('java.version'),
+                'Source-Compatibility': sourceCompatibility,
+                'Target-Compatibility': targetCompatibility)
+    }
+
+    javadoc.options {
+        encoding = 'UTF-8'
+        use = true
+        links 'https://docs.oracle.com/javase/8/docs/api/'
+    }
+
+    // Log stacktrace to console when test fails.
+    test {
+        testLogging {
+            exceptionFormat = 'full'
+            showExceptions true
+            showCauses true
+            showStackTraces true
+        }
+        maxHeapSize = '1500m'
+    }
+}
+
+ext {
+    tsunamiVersion = 'latest.release'
+    junitVersion = '4.13.1'
+    mockitoVersion = '2.28.2'
+    truthVersion = '1.0.1'
+    guiceVersion = '4.2.3'
+}
+
+dependencies {
+    implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+    implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+    implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+
+    testImplementation "junit:junit:${junitVersion}"
+    testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+    testImplementation "com.google.inject:guice:${guiceVersion}"
+    testImplementation "com.google.truth:truth:${truthVersion}"
+    testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}"
+    testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+    testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}
diff --git a/doyensec/detectors/magento_cosmicsting_xxe/settings.gradle b/doyensec/detectors/magento_cosmicsting_xxe/settings.gradle
@@ -0,0 +1 @@
+rootProject.name = 'magento_cosmicsting_xxe_cve-2024-34102'
diff --git a/...xxe/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202434102/Annotations.java b/...xxe/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202434102/Annotations.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.tsunami.plugins.detectors.cves.cve202434102;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Qualifier;
+
+/** Annotation for {@link MagentoCosmicStingXxe}. */
+final class Annotations {
+  @Qualifier
+  @Retention(RetentionPolicy.RUNTIME)
+  @Target({PARAMETER, METHOD, FIELD})
+  @interface OobSleepDuration {}
+
+  private Annotations() {}
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		rootProject.name = 'magento_cosmicsting_xxe_cve-2024-34102'