Salam, Hello, Nekhaw, Selamat Datang, Komastaka, Aregato, Ciao, Merhaba, Swadi Kup, Namaste, Kak Gatokha Bratokha 😀
Wherever you are from, Welcome to this blog post about a Remote Code Execution Vulnerability that affects the most popular shopping application on the internet –> #Magento
The case started when i found below sub-domain for Magento.com website: http://lavender.dev.magento.com/
As you can see it is a development server, after some crawling i found below directory:
http://lavender.dev.magento.com/GitHub/setup/ (
The “GitHub/” directory is the folder where they are installing
Magento, And the “Setup/” is the application installation
directory )
It was the installation folder for Magento application, However, After clicking Next, Next:
Important Note: in the installation process, Magento allows you to name your admin login page as you like, you can name it admin or cpanel or whatever!
Anyway, I reached below URL which is used to configure a database for Magento to use: http://lavender.dev.magento.com/GitHub/setup/#/add-database
So, I submitted any bogus data as a database credentials, and i got below error:
As you can see, the database triggered error because it can’t connect to the bogus IP i provided in the previous step, But wait! also the credentials i provided is reflected inside the page!
So here is the scenario to trigger the RCE:
1- I will provide a bogus ip so the database will through an error, and that error will be reflected in the “Admin” page i created.
2- Because i can rename the admin panel to whatever, so i will rename it to “zigoo.php”, now the error will be inserted into “zigoo.php” page.
3- Since the data i provided in the db username and password inputs are reflected in the “.php” page, i will inject a PHP code inside the username & password fields.
That said, i will add php code “<?phpinfo();?>” in the username & password field, rename the admin panel to be “zigoo.php” and add bogus ip in the “Database Server Host” field as below:
Now let’s try a small test first, i will rename the admin panel to be “zigoo1.php” to see if it works or not:
Works fine as expected, now i will inject the php codes inside the other inputs as below:
And Pingo! RCE triggered and the php code “<?phpinfo();?>” worked like a charm!
To fix this vulnerability in your website, just make sure that the installation files/drectory are DELETED or at least renamed.
Vulnerability Timeline:
This vulnerability has been reported to Magento team on: 09/Nov/2014
That time, Paypal and Magento were still the same BBP, However, I got the first response from Magento on: 11/11/2014
Emails going back and forth until i received an Email from the team on: Jul 2, 2015 at 9:52 AM (after 9 months) that the bug is not yet fixed as Highlighted below:
After that time, i sent an Email in the same month and another and so on, i didn’t receive any response for over 3 months:
Untill i fedup with this! so i decided to search for Magento security Employees on linkedIn to message them about the issue!!!!!
However, I found someone from Magento team, after i explained the issue to him, he escelated the issue, and finally on 24/10/2015 i got a response that they will handle this issue and the rest of bounty will be sent next week.
Finally i received the payment on October 27, 2015 10:27:54 PM (After around 1 Year of the report)
I Emailed the team back to know why this issue took 1 year to be fixed?!
Their response were:
1- The issue were fixed on 30 June 2015 (arround 8 months)
2- The reason of no responses and delay in sending the bounty is:
As a conclusion for this long blog post:
1- This bug has been fixed now, but if you are using older version of Magento, don’t forget to remove the installation files/directory.
2- Emergency leaves happens to all of us all the time, but someone should be following up/Delegated on the P1(Priority one) reports!!!
3- The reward for this vulnerability were the “Second Tier” Application RCE reward.
4- Thanks “Mark Brinton” for your prompt help to escelate this issue 🙂
[…] If you are interested about the vulnerability timeline give a look to the post published by Ebrahim Hegazy. […]
Very good job, I really liked it 😉
Incredible, keep going brother.
But renaming the installation directory is not enough to gain security, as any attacker can get the new name of the installation directory using any kind of crawlers.
yours
TSAR