POC for CVE-2024-34102. A pre-authentication XML entity injection issue in Magento / Adobe Commerce.
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

Magento is one of the most popular e-commerce solutions in use on the internet. It’s estimated that there are over 140,000 instances of Magento running as of late 2023. Adobe’s most recent advisory for Adobe Commerce / Magento, published on June 11th, 2024 highlighted a critical, pre-authentication XML entity injection issue (CVE-2024-34102) which Adobe rated as CVSS 9.8.

It was quite surprising to us that no public proof-of-concept existed at the time of us reading the advisory. Given the criticality of this issue and in order to provide customers of our Attack Surface Management Platform certainty around the exploitability of this issue, our security research team developed a proof-of-concept, well before our customers could be exploited by malicious actors.

We believe that the vulnerability is severe is due to the following reasons:

– It is possible to exfiltrate the app/etc/env.php file from Magento, which contains a cryptographic key used to sign JWTs used for authentication. An attacker can craft an administrator JWT and abuse Magento’s APIs as an admin user on affected installations.

– The vulnerability can be chained with recent research in PHP filter chains leading to RCE through the CVE-2024-2961 exploit, credit to Charles Fol.

– The broader impacts of XXE (any local file or remote URL’s contents can be exfiltrated).

We want to acknowledge the original author for his excellent work on discovering this vulnerability, Sergey Temnikov. Shortly after this vulnerability was dubbed “CosmicString” by SanSec, he released a limited write-up of the issue, which discusses his methodology in discovering this issue but does not reveal the proof of concept. We highly recommend reading this write-up as he explains Magento’s internal deserialization process and its inherent dangers.

As we tracked the public knowledge of this vulnerability, we found that SanSec’s original emergency mitigation could be bypassed, and Sergey’s first iteration of the “fixed” mitigation could also be bypassed. This led to both SanSec and Sergey updating their emergency hotfix mitigations over time.

This was interesting to observe as it highlighted the importance and effectiveness of peer review when it comes to emergency hot fixes and an argument for why disclosing the technical details of a vulnerability is important for the broader security industry.