Sep 25 2022

Critical Magento Vulnerability Lets Unauthenticated Attackers Execute Code

Category: Security vulnerabilities | DISC @ 2:00 pm

The Sansec Threat Research Team has noticed a surge in Magento 2 template attacks. Exploitation of this critical template vulnerability in Magento 2, tracked as CVE-2022-24086, is increasing among cybercriminals targeting e-commerce sites. The vulnerability allows unauthenticated attackers to execute code on unpatched sites.

Magento is a popular, Adobe-owned open-source e-commerce platform that powers many online shops. More than 150,000 online stores have been built on the platform. As of April 2021, Magento held a 2.32% share of the global e-commerce platform market.

Critical Magento Vulnerability

Adobe patched this Magento 2 vulnerability (CVE-2022-24086) in February 2022; security researchers later created exploit code for it, which opened the way to mass exploitation.

Sansec researchers shared findings on three template hacks. The report says the observed attacks have been interactive, since the Magento checkout flow is very hard to automate. Each attack starts with the creation of a new customer account and the placement of an order, which may result in a failed payment.

[Image: Part of the injected template code, https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/part-of-inj-code.png]

According to the experts, this template code downloads a Linux executable called 223sam(.)jpg and launches it as a background process.

“It is actually a Remote Access Trojan (RAT). While it remains in memory, it creates a state file and polls a remote server hosted in Bulgaria for commands”, Sansec reported.

Researchers pointed out that the RAT has full access to the database and to the running PHP processes. The RAT can also be injected on any of the nodes in a multi-server cluster environment.

Another variation of this attack is the attempted injection of a health_check.php backdoor. It creates a new file that accepts commands via a POST parameter:

[Image: Malicious PHP file]

A third attack variation uses template code that replaces generated/code/Magento/Framework/App/FrontController/Interceptor.php. The resulting malware is then executed on every Magento page request.

[Image: PHP eval backdoor created]
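The two file-level artifacts described above (an unexpected health_check.php in the web root, and a generated Interceptor.php rewritten into an eval backdoor fed from request input) are easy to check for on a host. The following is an added example, not Sansec's or Magento's code: it inspects a Magento document root for those two indicators. The file paths come from the report; the regexes, the `find_indicators` and `build_sample_tree` helpers, and the sample trees they build are assumptions constructed for this demo.

```python
"""Check a Magento document root for the CVE-2022-24086 post-exploitation artifacts.

Added example, not Sansec's or Magento's code. Paths are from the report;
the detection regexes and the constructed sample trees are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Legitimate generated interceptor that the third attack variant replaces (from the report).
INTERCEPTOR = Path("generated/code/Magento/Framework/App/FrontController/Interceptor.php")
# File names the report associates with the second attack variant.
UNEXPECTED_FILES = ("health_check.php",)
# An eval() call together with a request superglobal is the shape of a web
# shell that takes commands through a POST parameter (assumed heuristic).
EVAL_CALL = re.compile(r"\beval\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")


def looks_like_eval_backdoor(source):
    """True if the PHP source both calls eval() and reads request input."""
    return bool(EVAL_CALL.search(source) and REQUEST_INPUT.search(source))


def find_indicators(docroot):
    """Return (indicator, relative path) tuples for the artifacts found under docroot."""
    docroot = Path(docroot)
    findings = []
    for name in UNEXPECTED_FILES:
        if (docroot / name).is_file():
            findings.append(("unexpected-file", name))
    target = docroot / INTERCEPTOR
    # The generated interceptor legitimately exists; only its content is suspicious.
    if target.is_file() and looks_like_eval_backdoor(target.read_text(errors="replace")):
        findings.append(("eval-backdoor", INTERCEPTOR.as_posix()))
    return findings


def build_sample_tree(compromised):
    """Constructed sample: a minimal Magento-like tree, clean or with the two artifacts."""
    root = Path(tempfile.mkdtemp(prefix="magento-"))
    target = root / INTERCEPTOR
    target.parent.mkdir(parents=True)
    # Stand-in for the generated interceptor; real ones are plain PHP classes.
    target.write_text(
        "<?php\nnamespace Magento\\Framework\\App\\FrontController;\n"
        "class Interceptor extends \\Magento\\Framework\\App\\FrontController {}\n"
    )
    if compromised:
        # Constructed stand-ins for the backdoors described in the report.
        (root / "health_check.php").write_text("<?php eval($_POST['cmd']);\n")
        target.write_text("<?php $c = $_POST['x']; eval($c);\n" + target.read_text())
    return root


if __name__ == "__main__":
    for label, tree in (("clean", build_sample_tree(False)),
                        ("compromised", build_sample_tree(True))):
        print(label, find_indicators(tree))
```

Run it against a real store root with `find_indicators("/var/www/magento")`; a clean install returns an empty list. The content check matters because generated/code/.../Interceptor.php is a normal file in a healthy Magento install, so its mere presence is not an indicator.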

Therefore, experts recommend that Magento 2 site administrators upgrade their software to the latest version.


Tags: critical vulnerability


Aug 18 2022

PoC exploit code for critical Realtek RCE flaw released online

Category: Security vulnerabilities | DISC @ 8:14 am

Exploit code for a critical vulnerability affecting networking devices that use the Realtek RTL819x system on a chip has been released online.

PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices that use Realtek's RTL819x system on a chip has been released online. The issue resides in Realtek's SDK for the open-source eCos operating system and was discovered by researchers from the cybersecurity firm Faraday Security.

“On Realtek eCos SDK-based routers, the ‘SIP ALG’ module is vulnerable to buffer overflow. The root cause of the vulnerability is insufficient validation on the received buffer, and unsafe calls to strcpy. The ‘SIP ALG’ module calls strcpy to copy some contents of SIP packets to a predefined fixed buffer and does not check the length of the copied contents.” reads the advisory published by Realtek in March 2022. “A remote attacker can exploit the vulnerability through a WAN interface by crafting arguments in SDP data or the SIP header to make a specific SIP packet, and the successful exploitation would cause a crash or achieve the remote code execution.”

Millions of devices, including routers and access points, are exposed to hacking.

The experts (Octavio Gianatiempo, Octavio Galland, Emilio Couto, Javier Aguinaga) disclosed technical details of the flaw at the DEFCON hacker conference last week.

A remote attacker can exploit the flaw to execute arbitrary code without authentication by sending specially crafted SIP packets containing malicious SDP data to vulnerable devices.

The issue is particularly dangerous because exploitation doesn't require user interaction.

The PoC code developed by the experts works against Nexxt Nebula 300 Plus routers.

“This repository contains the materials for the talk “Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek’s SDK for eCos OS.”, which was presented at DEFCON30.” reads the description provided with the exploit code on GitHub.

The repo includes:

  • analysis: Automated firmware analysis to detect the presence of CVE-2022-27255 (run analyse_firmware.py).
  • exploits_nexxt: PoC and exploit code. The PoC should work on every affected router; however, the exploit code is specific to the Nexxt Nebula 300 Plus router.
  • ghidra_scripts: A script that searches for vulnerable function calls and a CVE-2022-27255 detection script.
  • DEFCON: Slide deck and PoC video.

Johannes Ullrich, Dean of Research at SANS, shared a Snort rule that can be used to detect PoC exploit attempts.

“The rule looks for “INVITE” messages that contain the string “m=audio “. It triggers if there are more than 128 bytes following the string (128 bytes is the size of the buffer allocated by the Realtek SDK) and if none of those bytes is a carriage return. The rule may even work sufficiently well without the last content match. Let me know if you see any errors or improvements.” wrote the expert.
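The detection logic described above is simple enough to reproduce outside Snort, which is useful for checking pcap extracts or testing a sensor. The following is an added example, not the SANS rule itself and not Faraday Security's code: it re-implements the stated conditions in Python (an INVITE containing "m=audio " followed by more than 128 bytes with no carriage return among them). The 128-byte buffer size is the figure quoted in the post; the `is_suspicious_invite` and `scan` helpers and the sample packets are constructed for this demo, and the overlong sample uses filler bytes only.

```python
"""Flag SIP INVITEs whose SDP m=audio line overruns the Realtek SDK buffer.

Added example, not the SANS Snort rule or Faraday's code. Re-implements the
described detection conditions; the sample packets are constructed.
"""

MARKER = b"m=audio "
BUFFER_SIZE = 128  # size of the fixed buffer allocated by the Realtek SDK (per the post)


def is_suspicious_invite(payload, buffer_size=BUFFER_SIZE):
    """True when the payload meets the rule's conditions."""
    # The rule only looks at INVITE requests, which carry the SDP offer.
    if not payload.startswith(b"INVITE "):
        return False
    idx = payload.find(MARKER)
    if idx == -1:
        return False
    after = payload[idx + len(MARKER):]
    # A well-formed m= line ends with CRLF long before 128 bytes; an overflow
    # attempt needs a long run with no line terminator in the buffer window.
    return len(after) > buffer_size and b"\r" not in after[:buffer_size]


def scan(payloads):
    """Return the indices of payloads that trigger the rule."""
    return [i for i, p in enumerate(payloads) if is_suspicious_invite(p)]


def _sip_invite(sdp_body):
    """Constructed INVITE with a minimal header set and the given SDP body."""
    return (
        b"INVITE sip:bob@example.com SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        b"From: <sip:alice@example.com>;tag=1928301774\r\n"
        b"To: <sip:bob@example.com>\r\n"
        b"Content-Type: application/sdp\r\n"
        b"Content-Length: " + str(len(sdp_body)).encode() + b"\r\n\r\n" + sdp_body
    )


# Constructed benign offer: the SDP continues well past 128 bytes after
# "m=audio ", but the line is CRLF-terminated, so the rule must not fire.
BENIGN_INVITE = _sip_invite(
    b"v=0\r\n"
    b"o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    b"s=-\r\n"
    b"c=IN IP4 192.0.2.10\r\n"
    b"t=0 0\r\n"
    b"m=audio 49170 RTP/AVP 0 8 18 101\r\n"
    b"a=rtpmap:0 PCMU/8000\r\n"
    b"a=rtpmap:8 PCMA/8000\r\n"
    b"a=rtpmap:18 G729/8000\r\n"
    b"a=rtpmap:101 telephone-event/8000\r\n"
    b"a=fmtp:101 0-16\r\n"
    b"a=ptime:20\r\n"
    b"a=sendrecv\r\n"
)
# Constructed overlong m=audio line with no terminator in the first 128 bytes:
# the shape the rule is meant to catch (filler bytes only).
OVERLONG_INVITE = _sip_invite(b"v=0\r\nm=audio " + b"A" * 200 + b"\r\n")

if __name__ == "__main__":
    print("benign  :", is_suspicious_invite(BENIGN_INVITE))
    print("overlong:", is_suspicious_invite(OVERLONG_INVITE))
    print("flagged :", scan([BENIGN_INVITE, OVERLONG_INVITE]))
```

Feed `scan()` the UDP payloads extracted from a capture of port 5060 traffic to get the indices of packets that would trigger the rule. As Ullrich notes, the carriage-return check is what keeps long but well-formed SDP bodies from firing it.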

Slides for the DEFCON presentation, along with exploits and a detection script for CVE-2022-27255, are available in this GitHub repository.

Tags: critical vulnerability, exploit code