
CVE-2022-24086 PoC — Adobe Commerce checkout improper input validation leads to remote code execution

Associated Vulnerability
Title: Adobe Commerce checkout improper input validation leads to remote code execution (CVE-2022-24086)
Description: Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
Description
Verified Proof of Concept on CVE-2022-24086
Readme
# CVE-2022-24086 RCE POC

## About
CVE-2022-24086, which Adobe saw being “exploited in the wild in very limited attacks”, received a severity score of 9.8 out of 10; adversaries exploiting it can achieve remote code execution on affected systems without needing to authenticate. A second issue, now tracked as CVE-2022-24087, has the same severity score and can lead to the same result when leveraged in attacks. Both are improper input validation vulnerabilities, and Adobe released patches for Adobe Commerce and Magento Open Source to address the two security issues.

We will focus only on CVE-2022-24086: if the CMS is patched, it usually already carries both patches, so there is no point in digging into CVE-2022-24087 separately.

## Affected versions
Magento Open Source / Adobe Commerce - 2.3.3-p1 - 2.3.7-p2

Magento Open Source / Adobe Commerce - 2.4.0 - 2.4.3-p1

This PoC was checked on versions 2.3.4, 2.4.0, 2.4.2-p2, 2.4.3 and 2.4.3-p1 with the default email templates module and the default sample data.

## Technical analysis

Let's dig into the official patches, MDVA-43443 and MDVA-43395. The composer patches for all versions share common parts; the most important ones are:
```php
+    private function sanitizeValue($value)
+    {
+        return is_bool($value) ? $value : str_replace(['{', '}'], '', (string) $value);
+    }
```
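Review bot: sanitizeValue() casts every non-bool value with (string), so an array or object reaching it yields "Array" (with a warning) or a __toString() result rather than a sanitized structure; if non-scalar values can reach this method, recurse over them (e.g. with array_map), and a docblock stating why { and } are stripped (they delimit template directives) would help future maintainers.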
```php
+        $pattern = '/{{.*?}}/';
+        do {
+            $result = preg_replace($pattern, '', (string)$result);
+        } while (preg_match($pattern, $result));
```
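Review bot: preg_replace() returns null on a PCRE error (for example when the backtracking limit is hit), and preg_match() on that null then returns 0 and ends the loop, leaving $result === null with no indication that stripping failed; check preg_last_error() (or test the return value against null) after the call and fail closed rather than silently passing on an empty result.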
As we can see, the patches strip `{{` and `}}`. Double curly brackets are the directive syntax used by the built-in email templates.

Now it is time to dig into email templates!

The official manual on email templates was edited on 15 March; what changed, and why? web.archive.org shows the old version of that page, and comparing the two reveals that the mentions of system variables were removed. Information about the getTemplateFilter and addAfterFilterCallback methods was erased from the manual.

```php
    public function getTemplateFilter()
    {
        if (empty($this->templateFilter)) {
            $this->templateFilter = $this->getFilterFactory()->create();
            $this->templateFilter->setUseAbsoluteLinks($this->getUseAbsoluteLinks())
                ->setStoreId($this->getDesignConfig()->getStore())
                ->setUrlModel($this->urlModel);
        }
        return $this->templateFilter;
    }
```
```php
    public function addAfterFilterCallback(callable $afterFilterCallback)
    {
        // Only add callback if it doesn't already exist
        if (in_array($afterFilterCallback, $this->afterFilterCallbacks)) {
            return $this;
        }

        $this->afterFilterCallbacks[] = $afterFilterCallback;
        return $this;
    }
```
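Added here as a defender's aid (not part of this README or of Magento's own code): a Python check that scans an order export for the `{{...}}` directive syntax in customer-supplied checkout fields, so orders placed before the patch was applied can be reviewed. The export format (newline-delimited JSON with `billing_address`/`shipping_address` objects), the field names and the sample records are assumptions.

```python
import json
import re

# Magento's template filter expands directives written as {{name ...}} inside
# email templates; the quoted patches strip such braces from checkout input.
DIRECTIVE_RE = re.compile(r"\{\{\s*([A-Za-z]{1,10})\b.*?\}\}", re.S)

# Customer-supplied checkout fields that are rendered into order e-mails (assumed names).
CHECKOUT_FIELDS = ("firstname", "lastname", "company", "street", "city", "telephone")


def find_directives(order: dict) -> list[tuple[str, str, str]]:
    """Return (increment_id, field, directive) for each address field holding {{...}}."""
    hits = []
    for address_key in ("billing_address", "shipping_address"):
        address = order.get(address_key) or {}
        for field in CHECKOUT_FIELDS:
            value = address.get(field)
            if isinstance(value, list):  # Magento stores street as a list of lines
                value = "\n".join(str(line) for line in value)
            if not isinstance(value, str):
                continue
            for match in DIRECTIVE_RE.finditer(value):
                hits.append((str(order.get("increment_id")),
                             f"{address_key}.{field}", match.group(1).lower()))
    return hits


def scan_orders(ndjson: str) -> list[tuple[str, str, str]]:
    """Scan a newline-delimited JSON export of orders, one order object per line."""
    hits = []
    for line in ndjson.splitlines():
        if line.strip():
            hits.extend(find_directives(json.loads(line)))
    return hits


# Constructed sample export (hypothetical data, not from any real shop).
SAMPLE_ORDERS = "\n".join(json.dumps(o) for o in [
    {"increment_id": "000000101",
     "billing_address": {"firstname": "Alice", "lastname": "Smith", "street": ["1 Main St"]}},
    {"increment_id": "000000102",
     "billing_address": {"firstname": "Bob", "lastname": "Jones {{var customer.name}}"}},
    {"increment_id": "000000103",
     "billing_address": {"firstname": "Curly {{ brace", "lastname": "Lee"},
     "shipping_address": {"street": ["5 Oak Ave", "Unit {{trans \"hello\"}}"]}},
])

if __name__ == "__main__":
    for order_id, field, directive in scan_orders(SAMPLE_ORDERS):
        print(f"order {order_id}: {{{{{directive}}}}} directive in {field}")
```

An unterminated `{{` (order 103's first name) is not reported, which keeps ordinary punctuation out of the results.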

## Injecting demo payload

![video](https://user-images.githubusercontent.com/104176829/169413602-10360bb8-549a-4e2f-b60e-0b024ea3fc32.gif)

## CVE-2022-24086 RCE download

Most of the major Magento users have already patched, and this tool is no longer as dangerous as it was a couple of months ago. But due to the potential damage that this tool can inflict, this PoC should not be in limited access.

Current price - **0.5 BTC**. It includes full instruction on penetration, sample payloads and support.

Our XMPP contact for consultation and ordering is **ok0mo@jabber.cz**.

## Disclaimer
This PoC is explicitly not in a state to cause any damage. It is a solid starting point for building something bigger.

The authors of this project are not responsible for any possible harm caused by the materials.

## License
CC0
File Snapshot

[4.0K] /data/pocs/38f4fb7a40e63af1af717d6053d0d9b10627511a
└── [3.5K] README.md
0 directories, 1 file