In the Community Edition and Enterprise Edition of Magento prior to version 2.0.6, an arbitrary PHP object unserialize vulnerability, reachable by both unauthenticated and authenticated users, exists in the checkout REST API functionality. It is due to improper input validation when processing API messages, and it allows an attacker to craft a request that executes arbitrary code or writes arbitrary files.
- Attacker requests a valid cart ID.
- Server supplies cart ID.
- Attacker sends a crafted serialized PHP object using REST API.
- Server deserializes PHP object.
- Server executes PHP and responds to attacker.
A remote code execution vulnerability exists in the Magento WebAPI. It is caused by unserialization of user-controlled data when an API call sets the payment method of a valid shopping cart. When the vulnerable function stores the payment method in the database, it unserializes the string taken from the attacker-controlled "additional_information" field for REST requests and from the <additionalData> tag for SOAP requests.

PHP provides the serialize() and unserialize() functions so that an application can store a PHP object outside the interpreter as a byte-stream representation of that object and rebuild it later. When an object is unserialized, PHP calls its magic method __wakeup() if the class defines one; other magic methods such as __destruct() and __toString() run automatically later in the object's life cycle. If those methods call other functions, or call a method on one of the object's properties, an attacker can reuse code already present in the PHP application to achieve various goals by choosing the class and the property values in the serialized string.
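The mechanism described above, as an added example that is not Magento's code: a hypothetical gadget class whose __destruct() trusts its own properties, a function that unserializes the "additional_information" string the way the vulnerable handler does, and a hardened variant that refuses objects. The class name, both function names and the temp-file target are assumptions made for the demonstration; the hardening shown (allowed_classes, PHP 7.0 and later) is one alternative, not a description of Magento's own fix.

```php
<?php
// Added example (not Magento code) showing the mechanism described above.
// LogWriter is a hypothetical gadget class: it stands in for any class in the
// application whose magic method (__wakeup, __destruct, __toString) acts on
// its own properties, which after unserialize() are attacker-chosen.
class LogWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        // Trusts its own state, which is fine for objects the app created itself.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: attacker-controlled text goes straight to unserialize(),
// so the attacker picks the class and every property value.
function storePaymentInfoVulnerable(string $additionalInformation): void
{
    $info = unserialize($additionalInformation);
    // ... persist $info. When it goes out of scope here, __destruct() runs.
}

// Hardened variant (an alternative chosen for this example, not Magento's fix):
// allowed_classes => false (PHP >= 7.0) turns any object into
// __PHP_Incomplete_Class, so no magic method of an application class can run,
// and anything that is not the expected array is rejected.
function storePaymentInfoHardened(string $additionalInformation): array
{
    $info = unserialize($additionalInformation, ['allowed_classes' => false]);
    if (!is_array($info)) {
        throw new InvalidArgumentException('additional_information must be a serialized array');
    }
    return $info;
}

// Constructed payload, written the way an attacker writes it: by hand in
// serialize() notation (O:<len>:"<class>":<count>:{<props>}), never by
// instantiating LogWriter. Lengths are byte counts, hence strlen().
$target  = sys_get_temp_dir() . '/unserialize-demo.txt';
$data    = "written by __destruct()\n";
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($data), $data
);
echo $payload, "\n";

@unlink($target);
storePaymentInfoVulnerable($payload);
echo file_exists($target) ? "vulnerable: file written\n" : "vulnerable: no file\n";

@unlink($target);
try {
    storePaymentInfoHardened($payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ")\n";
}
echo file_exists($target) ? "hardened: file written\n" : "hardened: no file\n";
```

Run with `php demo.php`: the vulnerable call writes the file without any method of LogWriter being called by name, because __destruct() fires when the unserialized object is discarded. Note that allowed_classes only blocks class instantiation; where the stored value is plain data, replacing serialize()/unserialize() with json_encode()/json_decode() removes the object path entirely.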
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit. If Alert Logic Threat Manager™ detects a match, an incident is generated in the Alert Logic console.
Detection of this threat is provided via Alert Logic ActiveWatch™ for Web Security Manager service. Depending on your deployment of Web Security Manager, you will receive an incident (for out-of-band deployment) or the threat will be actively blocked and rejected (for the inline Web Security Manager Premier deployment) if an exploit attempt is observed.
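What a content signature for this exploit has to look for, as an added example (not Alert Logic's signature): the two fields named above, "additional_information" in a REST (JSON) body and <additionalData> in a SOAP (XML) body, never legitimately carry PHP's object notation, so that notation is the signature. The surrounding request structure in the sample bodies is constructed and assumed, as are the function names.

```php
<?php
// Added example, not an Alert Logic signature. Inspects a checkout API request
// body for PHP object notation in the fields the advisory names. The request
// shape in the samples below is constructed for the example.

// O:<len>:"<class>":<n>:{  (object) or  C:<len>:"<class>":<n>:{  (custom serialize)
const PHP_OBJECT_NOTATION = '/\b[OC]:\d+:"[^"]+":\d+:\{/';

function containsPhpObject(string $value): bool
{
    return preg_match(PHP_OBJECT_NOTATION, $value) === 1;
}

// Walk the decoded JSON and report every string value that carries object
// notation, keyed by its path, so a hit inside a nested array or in a renamed
// field is not missed.
function collectHits($node, string $path, array &$hits): void
{
    if (is_array($node)) {
        foreach ($node as $key => $child) {
            collectHits($child, $path . '.' . $key, $hits);
        }
    } elseif (is_string($node) && containsPhpObject($node)) {
        $hits[$path] = $node;
    }
}

function inspectRestBody(string $json): array
{
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return [];
    }
    $hits = [];
    collectHits($decoded, '$', $hits);
    return $hits;
}

function inspectSoapBody(string $xml): array
{
    $hits = [];
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return $hits;
    }
    // local-name() so the rule holds whatever namespace prefix the client uses.
    foreach ($doc->xpath('//*[local-name()="additionalData"]') as $node) {
        $text = (string) $node;
        if (containsPhpObject($text)) {
            $hits[] = $text;
        }
    }
    return $hits;
}

// Constructed samples: a benign request, and one carrying a serialized object
// nested inside a serialized array, as a real payload often is.
$benign    = '{"method":{"method":"checkmo","additional_information":"a:1:{s:4:\"note\";s:3:\"abc\";}"}}';
$malicious = '{"method":{"method":"checkmo","additional_information":"a:1:{i:0;O:9:\"LogWriter\":2:{s:4:\"path\";s:10:\"/tmp/x.php\";s:4:\"data\";s:5:\"<?php\";}}"}}';
$soap      = '<?xml version="1.0"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
           . '<soapenv:Body><additionalData>O:9:"LogWriter":2:{s:4:"path";s:10:"/tmp/x.php";s:4:"data";s:5:"&lt;?php";}</additionalData></soapenv:Body>'
           . '</soapenv:Envelope>';

foreach (['benign' => $benign, 'malicious' => $malicious] as $label => $body) {
    $hits = inspectRestBody($body);
    echo $label, ': ', $hits ? 'ALERT at ' . implode(', ', array_keys($hits)) : 'clean', "\n";
}
echo 'soap: ', inspectSoapBody($soap) ? 'ALERT' : 'clean', "\n";
```

The benign body is reported clean, the malicious one is flagged at `$.method.additional_information`, and the SOAP body is flagged. Two caveats for anyone turning this into a rule: it is a string signature, so the inspecting device must see the decoded, decrypted request body (after TLS termination and any URL-, form- or base64-encoding the transport adds), and an inline deployment should reject the request rather than only log it, since the server-side unserialize() happens before any later validation.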
Recommendations for Mitigation
If you are running Magento CE or EE earlier than 2.0.6 and a valid exploit attempt has been observed, assume that the exploit was successful.
Upon discovery of an exploit attempt, customers are advised to perform the following actions:
- Check for any evidence of recently created files in writable directories, owned by the user the Magento application runs as.
- Check firewall logs for any unauthorized inbound connections to the server or outbound connections from it.
- Check internal traffic for any evidence of pivoting from the web server to another system.
- Apply the vendor patch (Magento 2.0.6 and above) to eliminate the vulnerability, or upgrade to the newest version.
- If patching or upgrading is not possible, turn off the WebAPI feature if it is not required.
- Filter known malicious traffic using a web application firewall.
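A triage helper for the first check in the list above, as an added example that is not Alert Logic or Magento tooling: it lists files created or changed in the last N hours under the directories the web server can write to, keeping only files owned by the user the application runs as. The directory list, the user name and the script name are assumptions supplied on the command line; PHP 7 is assumed.

```php
<?php
// Added example, not Alert Logic or Magento tooling. Lists recently created or
// changed files under writable directories, owned by the Magento app user.
// Directories and user name are assumptions passed on the command line, e.g.:
//
//   php recent-writes.php www-data 48 /var/www/magento/var /var/www/magento/pub/media
//
// A .php file under a media or cache directory is the classic artifact of a
// successful file write. Run as root so unreadable subdirectories do not abort.

function ownerName(int $uid): string
{
    if (function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid($uid);
        if ($pw !== false) {
            return $pw['name'];
        }
    }
    return (string) $uid; // posix extension missing: pass the numeric uid instead
}

function recentWrites(array $roots, string $user, int $hours): array
{
    $cutoff = time() - $hours * 3600;
    $hits   = [];
    foreach ($roots as $root) {
        if (!is_dir($root)) {
            fwrite(STDERR, "skipping $root: not a directory\n");
            continue;
        }
        $iter = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($iter as $file) {
            if (!$file->isFile()) {
                continue;
            }
            // ctime (inode change) survives an attacker resetting mtime with touch.
            $changed = max($file->getMTime(), $file->getCTime());
            if ($changed < $cutoff || ownerName($file->getOwner()) !== $user) {
                continue;
            }
            $hits[] = [
                'path'    => $file->getPathname(),
                'changed' => $changed,
                'php'     => strtolower($file->getExtension()) === 'php',
            ];
        }
    }
    // Newest first, so the files written during the incident window lead the list.
    usort($hits, function ($a, $b) {
        return $b['changed'] <=> $a['changed'];
    });
    return $hits;
}

if (PHP_SAPI === 'cli' && $argc >= 4) {
    $user  = $argv[1];
    $hours = (int) $argv[2];
    foreach (recentWrites(array_slice($argv, 3), $user, $hours) as $hit) {
        printf("%s  %s%s\n", date('Y-m-d H:i:s', $hit['changed']), $hit['path'], $hit['php'] ? '  <-- PHP' : '');
    }
}
```

Treat a hit as a lead, not proof: legitimate cache and session writes by the same user will appear too, so compare the listed files against what the application is expected to write there, and preserve a copy of anything unexplained before cleaning up.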