module
CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)
| Disclosed | Created |
|---|---|
| 2024-07-26 | 2024-10-18 |
Disclosed
2024-07-26
Created
2024-10-18
Description
This combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961)
allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and
earlier if the PHP and glibc versions are also vulnerable:
- 2.4.7 and earlier
- 2.4.6-p5 and earlier
- 2.4.5-p7 and earlier
- 2.4.4-p8 and earlier
Vulnerable PHP versions:
- From PHP 7.0.0 (2015) to 8.3.7 (2024)
Vulnerable iconv() function in the GNU C Library:
- 2.39 and earlier
The exploit chain is quite interesting and for more detailed information check out the references. The tl;dr being:
CVE-2024-34102 is an XML External Entity vulnerability leveraging PHP filters to read arbitrary files from the target
system. The exploit chain uses this to read /proc/self/maps, providing the address of PHP's heap and the libc's filename.
The libc is then downloaded, and the offsets of libc_malloc, libc_system and libc_realloc are extracted, and made use
of later in the chain.
With this information and expert knowledge of PHP's heap (chunks, free lists, buckets, bucket brigades), CVE-2024-2961
can be exploited. A long chain of PHP filters is constructed and sent in the same way the XXE is exploited, building a
payload in memory and using the buffer overflow to execute it, resulting in an unauthenticated RCE.
allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and
earlier if the PHP and glibc versions are also vulnerable:
- 2.4.7 and earlier
- 2.4.6-p5 and earlier
- 2.4.5-p7 and earlier
- 2.4.4-p8 and earlier
Vulnerable PHP versions:
- From PHP 7.0.0 (2015) to 8.3.7 (2024)
Vulnerable iconv() function in the GNU C Library:
- 2.39 and earlier
The exploit chain is quite interesting and for more detailed information check out the references. The tl;dr being:
CVE-2024-34102 is an XML External Entity vulnerability leveraging PHP filters to read arbitrary files from the target
system. The exploit chain uses this to read /proc/self/maps, providing the address of PHP's heap and the libc's filename.
The libc is then downloaded, and the offsets of libc_malloc, libc_system and libc_realloc are extracted, and made use
of later in the chain.
With this information and expert knowledge of PHP's heap (chunks, free lists, buckets, bucket brigades), CVE-2024-2961
can be exploited. A long chain of PHP filters is constructed and sent in the same way the XXE is exploited, building a
payload in memory and using the buffer overflow to execute it, resulting in an unauthenticated RCE.
Authors
Sergey Temnikov
Charles Fol
Heyder
jheysel-r7
Charles Fol
Heyder
jheysel-r7
Platform
Linux,Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.