Magento Patches Flaws Leading to Site Takeover

Magento recently addressed vulnerabilities that could be exploited by unauthenticated attackers to hijack administrative sessions and then completely take over vulnerable web stores.

For a successful attack, a threat actor would first have to exploit a Stored Cross-Site Scripting (XSS) flaw to inject a JavaScript payload into the administrator backend of a Magento store. After hijacking an employee's authenticated session, the attacker would then exploit an authenticated Remote Code Execution (RCE) bug to completely compromise the store.

“The attacker could then cause financial harm to the company running the store. For example, the attacker could redirect all payments to his bank account or steal credit card information,” Germany-based security firm RIPS Technologies reveals.

The vulnerabilities can be exploited if the store uses the built-in, core Authorize.Net payment module, as the issue resides in Magento’s implementation of this credit card payment processing solution. The module is used in many Magento stores, and an automated attack could lead to mass exploitation, the security firm says.

“We rate the severity of the exploit chain as high, as an attacker can exploit it without any prior knowledge or access to a Magento store and no social engineering is required,” RIPS Technologies notes.

The first issue is an unauthenticated Stored XSS in the cancellation note of a new product order, resulting from a bypass of the escapeHtmlWithLinks() sanitization method.

Because the already-sanitized links are injected back into the string via vsprintf() at one point in the sanitization process, an additional double quote ends up inside the <i> tag, which allows an attribute injection.

“This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse,” the security firm says.

Because the method is used to sanitize order cancellation notes, an attacker could exploit the vulnerability to inject arbitrary JavaScript that is triggered when an employee reviews the cancelled order.

The payload could be used to hijack the employee’s authenticated session, allowing the attacker to then exploit a Phar deserialization vulnerability within the controller responsible for rendering images within the WYSIWYG editor.

“By injecting a phar:// stream wrapper into an image file handler, an attacker can trigger a PHP object injection. He can then chain POP gadgets from the Magento core that in the end lead to Remote Code Execution,” RIPS Technologies explains.
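A defensive check for the kind of image-path handling described above, written as an added example rather than Magento's own code. The function name isSafeImagePath, the media-root layout and the allowed extensions are assumptions; the point is that a scheme prefix such as phar:// is rejected before any filesystem function can touch the path.

```php
<?php
// Added example (not Magento code): validate a user-supplied image path before
// it reaches functions such as file_exists() or getimagesize(). On older PHP
// versions, filesystem calls on a phar:// path unserialize the archive's
// metadata, so the scheme check must come first, not after a file check.

function isSafeImagePath(string $mediaRoot, string $requested): bool
{
    // 1. Reject any URL-style scheme (phar://, php://, data://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return false;
    }
    // 2. Reject NUL bytes, which can truncate paths in C-level functions.
    if (strpos($requested, "\0") !== false) {
        return false;
    }
    // 3. Only permit image extensions on the raw input, before resolution.
    if (!preg_match('/\.(png|jpe?g|gif)$/i', $requested)) {
        return false;
    }
    // 4. Resolve both paths and require the target to sit inside the media root
    //    (blocks ../ traversal and symlinks pointing outside).
    $base = realpath($mediaRoot);
    $full = realpath($mediaRoot . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return false;
    }
    return strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Belt and braces: if the application never needs phar:// at runtime,
// removing the wrapper eliminates this deserialization trigger entirely.
function disablePharWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Constructed usage: $mediaRoot is assumed to be the store's media directory.
// isSafeImagePath('/var/www/pub/media', 'wysiwyg/logo.png')        -> true (if it exists)
// isSafeImagePath('/var/www/pub/media', 'phar://evil.jpg/x.png')   -> false
// isSafeImagePath('/var/www/pub/media', '../../etc/passwd')        -> false
```

Note that step 1 also rejects plain Windows drive letters such as C:\, which is acceptable for a path that is always relative to the media root.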

The Stored XSS vulnerability was found in Magento 2.2.6 and reported in August 2018. A patch was released in November, but a bypass was found to impact Magento 2.3.0. The Phar deserialization vulnerability was reported in January and addressed in March in Magento 2.3.1, 2.2.8 and 2.1.17. The Stored XSS was patched again in Magento 2.3.2, 2.2.9 and 2.1.18.

Related: Magento Patches Critical Vulnerabilities

Related: Hacked Magento Sites Steal Card Data, Spread Malware


Original author: Ionut Arghire