CVE-2017-9841 detector script by Massimiliano Brasile
WHAT HAPPENED
January 6th, 2020 I was advised of a security issue apparently affecting most versions of PrestaShop (the warning was shared by PS team only internally on 3rd January 2020). After some digging, I have discovered the problem is related to a testing framework library called PHPUnit [1] that is accidentally included in some production modules used in Prestashop 1.7 (distributed either through Prestashop API or with PrestaShop installations). The issue for PHPUnit was labelled CVE-2017-9841 [2] [3], but the warning for Prestashop is active at the moment cause there is at least one bot ( XsamXadoo ) scanning PS websites exactly for this issue [4].
HOW IT WORKS
Technically CVE-2017-9841 refers to the possibility to execute remote code on every application using a bugged version of phpunit/phpunit and January 8th, 2020 an other issue was discovered ( before 4.8.28 and 5.x before 5.6.3 related to versions before 7.5.19 for 7.x and 8.5.1 for 8.x [5] ). Since phpunit is a famous framework it looks the issue has impact on main php CMSs (Prestashop, Wordpress, Drupal, ..) and their plugins, but only in case they use it. To help to find these backdoors it is mandatory to check for any inclusion of this testing framework in every subfolder of your web root. So, to speed up the whole thing I have written this little quick&dirty script that helps me to control all the instances of Prestashop or Wordpress I am in charge of.
WHERE TO CHECK
According PS forum [4], these modules need to be checked:
- autoupgrade (versions 4)
- module pscartabandonmentpro ; versions v2.0.1 and 2.0.2
- module ps_checkout ; versions v1.0.8 & v1.0.9
- module ps_facetedsearch ; version v3.0.0 and v2.2.1
- module gamification
But in my tests I have found it also in ps_facetedsearch v3.2.1 module. It was not presented in autoupgrade v4.9+.
HOW TO USE THE SCRIPT
- copy the bash script in your web root folder (e.g. /var/www/html)
- execute as root (e.g. sudo ./cve_phpunit.sh) or at least with the right privileges to read all folders and files
- wait for the recursively scan end and in case of occurrences, it will show for any phpunit/phpunit folder found if it looks a safe or bugged version
HOW TO FIX
In case of bugged version occurence of phpunit instances, update if possible his parent module or remove (delete folder) them if they lack support from their developer; according PS forum, you should completely remove all vendor folders inside these modules, but it needs to be checked!
REFERENCES
[2] https://nvd.nist.gov/vuln/detail/CVE-2017-9841
[3] https://www.cvedetails.com/cve/CVE-2017-9841
[4] https://www.prestashop.com/forums/topic/1012095-hack-prestashop-avec-xsamxadoo-bot
[5] NOT official yet!! see PrestaShop/PrestaShop#17059 (comment)