Magento fixed security flaws that allow complete site takeover

Pierluigi Paganini July 04, 2019

Magento addressed flaws that could be exploited by unauthenticated attackers to hijack administrative sessions and completely take over online stores.

Magento addressed security vulnerabilities that could be chained by an unauthenticated attacker to hijack administrative sessions and completely take over online stores.

The attacker would first exploit a Stored Cross-Site Scripting (XSS) vulnerability to inject a JavaScript payload into the administrator backend of a Magento store. In this way, the attacker can hijack the session of a logged-in user and then exploit an authenticated Remote Code Execution (RCE) flaw to completely take over the online store.

“When an employee of the store logs into the admin dashboard, the injected JavaScript payload runs and hijacks the administrative session of the employee.” reads the analysis published by security firm RIPS Technologies. “An authenticated Remote Code Execution vulnerability is then exploited, which results in a full takeover of the store by the attacker. The attacker could then cause financial harm to the company running the store. For example, the attacker could redirect all payments to his bank account or steal credit card information.”

The flaws could be exploited if the store uses the built-in, core Authorize.Net payment module, a Visa solution that allows the store to process credit card payments. Experts pointed out that this module is widely used in many online stores running on top of Magento.

Experts rated the exploit chain as high severity because it is easily exploitable and does not require specific user interaction.

The unauthenticated Stored XSS resides in the cancellation note of a new product order; experts explained that it is possible to bypass the escapeHtmlWithLinks() sanitization method implemented by the platform.

The XSS occurs when the sanitized links are reinserted via vsprintf(): an additional double quote is injected into the <i> tag, allowing for an attribute injection.

“As can be seen in the above table, the tag is replaced with a %1s and the user input string is then sanitized. As %1s is not a dangerous value, it passes the sanitization step. When escapeHtmlWithLinks() then reinserts the sanitized link with vsprintf(), an additional double quote is injected into the tag, which allows for an attribute injection.” continues the post.

“This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse.”

The researcher discovered that this specific method is used to sanitize order cancellation notes, which means that an attacker could exploit the issue to inject arbitrary JavaScript. The injected code is then triggered when an employee reviews the cancelled order.
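The root of the bug described above is that user-controlled text was passed back through vsprintf() after escaping, so a value that looked harmless to the sanitizer (%1s) still ended up placing an unescaped quote inside a tag. The following PHP function is an added example of the hardened pattern, written for this article and not taken from Magento: anchors are extracted, their href and text are escaped with ENT_QUOTES, the remainder of the note is escaped as plain text, and the links are put back by exact marker replacement so that no user text is ever interpreted as a format string. The function name renderNoteWithLinks() and the http(s)-only scheme allowlist are assumptions for the example; it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's code): render an order note that may contain a
// small allowlist of <a href="...">text</a> links without letting any
// user-controlled quote or placeholder reach the markup unescaped.
function renderNoteWithLinks(string $note): string
{
    $links = [];
    // Random nonce so user text cannot forge a marker; markers contain no HTML-special characters.
    $nonce = bin2hex(random_bytes(8));

    // Step 1: pull out well-formed anchors. The href class excludes quotes and angle brackets,
    // so an anchor carrying extra attributes simply fails to match and is escaped as text below.
    $withMarkers = preg_replace_callback(
        '~<a\s+href="([^"<>]*)"\s*>(.*?)</a>~is',
        function (array $m) use (&$links, $nonce): string {
            $href = $m[1];
            // Only plain http(s) URLs may become links (assumed allowlist); anything else is text.
            if (preg_match('~^https?://~i', $href) !== 1) {
                return htmlspecialchars($m[0], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            }
            $links[] = '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
                . htmlspecialchars(strip_tags($m[2]), ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
            return '[[LINK' . $nonce . ':' . (count($links) - 1) . ']]';
        },
        $note
    );

    // Step 2: escape everything that is not a marker, including literal '%', '<i>' or quotes.
    $escaped = htmlspecialchars($withMarkers, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 3: reinsert the already-escaped links by marker lookup, never via vsprintf().
    return preg_replace_callback(
        '/\[\[LINK' . $nonce . ':(\d+)\]\]/',
        fn(array $m): string => $links[(int) $m[1]],
        $escaped
    );
}

// Constructed sample inputs for a quick self-check (run with: php this_file.php).
$clean = renderNoteWithLinks('Order cancelled, see <a href="https://example.com/policy">policy</a>.');
if ($clean !== 'Order cancelled, see <a href="https://example.com/policy">policy</a>.') {
    throw new RuntimeException('well-formed link was not preserved');
}
$hostile = renderNoteWithLinks('See <a href="https://example.com/" onmouseover="x">here</a> and <i>%1s</i>');
if (strpos($hostile, '<a ') !== false) {
    throw new RuntimeException('anchor with extra attributes must be rendered as text, not markup');
}
if (strpos($hostile, '&lt;i&gt;%1s&lt;/i&gt;') === false) {
    throw new RuntimeException('placeholder-looking text must stay inert');
}
echo "all checks passed\n";
```

The design choice worth copying is the third step: the escaped links are substituted by looking up an opaque marker, so there is no format string at all and a stray "%1s" in the note is just text. Keeping the href character class strict means a malformed anchor is escaped wholesale rather than partially trusted.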

The malicious JavaScript could be used by an attacker to hijack the employee’s authenticated session. With that session, the attacker could exploit a Phar deserialization vulnerability within the controller responsible for rendering images within the WYSIWYG editor.

“By injecting a phar:// stream wrapper into an image file handler, an attacker can trigger a PHP object injection. He can then chain POP gadgets from the Magento core that in the end lead to Remote Code Execution,” RIPS Technologies continues.
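The defensive lesson from the second bug is about ordering: a phar:// path must be rejected before it reaches any filesystem function, because on PHP versions before 8.0 calls such as file_exists(), is_file() and getimagesize() on a phar:// path deserialize the archive's metadata as a side effect. The PHP function below is an added example of such a check for an image handler; it is not Magento's code or its fix, and safeImagePath(), $mediaRoot and the image-extension list are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's code): validate a user-supplied image name before any
// filesystem call sees it. Stream wrappers and traversal are rejected first; only then
// is the path resolved and confined to the media root.
function safeImagePath(string $userPath, string $mediaRoot): ?string
{
    // Any "scheme:" prefix (phar:, php:, data:, file:, ...) is a stream wrapper, not a file name.
    if (preg_match('~^[a-z][a-z0-9+.\-]*:~i', $userPath) === 1) {
        return null;
    }
    // NUL bytes and parent-directory segments are rejected before touching the disk.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    foreach (explode('/', str_replace('\\', '/', $userPath)) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    // Only expected image extensions are served (assumed list).
    if (preg_match('/\.(png|jpe?g|gif|webp)$/i', $userPath) !== 1) {
        return null;
    }
    // Resolve both sides and confine the result to the media root.
    $root = realpath($mediaRoot);
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($userPath, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed self-check against a throwaway media directory (run with: php this_file.php).
$media = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_example_' . getmypid();
mkdir($media . '/catalog', 0700, true);
touch($media . '/catalog/logo.png');

$cases = [
    'catalog/logo.png'              => true,   // ordinary image inside the root
    'phar://catalog/logo.png'       => false,  // stream wrapper
    'PHAR://catalog/logo.png/x.png' => false,  // case variants are wrappers too
    '../catalog/logo.png'           => false,  // traversal out of the root
    'catalog/logo.png.phar'         => false,  // not an image extension
    "catalog/logo.png\0.jpg"        => false,  // NUL byte
];
foreach ($cases as $input => $expectedOk) {
    $ok = safeImagePath($input, $media) !== null;
    if ($ok !== $expectedOk) {
        throw new RuntimeException('unexpected result for ' . addcslashes($input, "\0"));
    }
}
unlink($media . '/catalog/logo.png');
rmdir($media . '/catalog');
rmdir($media);
echo "all checks passed\n";
```

Two things are deliberate: the wrapper check is a regex on the raw string rather than a blacklist of "phar://", so php://, data: and future wrappers are caught as well, and realpath() is called only after the cheap string checks have passed, so a rejected input never touches the filesystem at all.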

The Stored XSS vulnerability was found in Magento 2.2.6 and reported in September. Magento released a patch in November that addressed the issue in 2.2.7 and 2.1.16. In December, experts found that the bypass also affected Magento 2.3.0. The Phar deserialization vulnerability was reported in January and addressed in March in Magento 2.3.1, 2.2.8 and 2.1.17. In June, the Stored XSS was patched again in Magento 2.3.2, 2.2.9 and 2.1.18.


Pierluigi Paganini

(SecurityAffairs – Magento, hacking)
