CVE-2016-4010
Published 2017-01-23
Priority: P1 (82) · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Public exploit: yes (Exploit-DB and Metasploit, see below)
EPSS: 92.87% (99.8th percentile)
Magento CE and EE before 2.0.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magento | magento | <= 2.0.5 | 2.0.6 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /rest/default/V1/guest-carts/*/shipping-information for serialized PHP object payloads in the `additional_information` field of the JSON body, particularly ones containing class names such as Magento\Framework\DB\Transaction, Magento\Sales\Model\Order\Payment\Transaction, or Magento\Framework\Simplexml\Config\Cache\File.
- Detect PHP object injection via crafted serialized shopping cart data submitted to the Magento REST API endpoint for guest cart shipping information.
- Alert on the presence of Magento PHP object injection gadget chain class names (e.g., Magento\Framework\DB\Transaction, Credis_Client, Magento\Framework\Simplexml\Config\Cache\File) within HTTP request bodies sent to Magento REST endpoints.
- This vulnerability is exploitable via the Metasploit module exploits/multi/http/magento_unserialize; detect exploitation attempts matching this module's traffic patterns against Magento versions before 2.0.6.
- The public exploit uses the payment method 'checkmo' as the delivery vehicle; flag POST requests to shipping-information endpoints where paymentMethod.method is 'checkmo' and additional_information contains serialized PHP data.
- Caveat: the payment method used to deliver the payload ('checkmo') may vary per Magento installation; defenders should not rely solely on this value for detection.
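As an added worked example (not code from this page, from the public exploit, or from Magento), the Python below applies the indicators above to request records: it walks every string in the JSON body looking for PHP serialized-object headers (`O:<len>:"<class>":`), matches the listed gadget class names, treats any serialized object on the guest-cart shipping-information endpoint as object injection regardless of payment method (the 'checkmo' caveat), and downgrades objects seen on other REST paths to "suspicious". The request records, cart ids, and bodies are constructed for the example, and the path pattern assumes the `/rest/<store>/V1/guest-carts/<id>/shipping-information` shape from the first indicator.

```python
"""Classify Magento REST requests for PHP object injection indicators (added example)."""
import json
import re
from typing import Any, Iterator

# Gadget-chain class names listed in the detection indicators above.
GADGET_CLASSES = {
    "Magento\\Framework\\DB\\Transaction",
    "Magento\\Sales\\Model\\Order\\Payment\\Transaction",
    "Magento\\Framework\\Simplexml\\Config\\Cache\\File",
    "Credis_Client",
}

# Assumed endpoint shape; the store code segment ("default") is optional.
SHIPPING_INFO_PATH = re.compile(
    r"^/rest/(?:[\w-]+/)?V1/guest-carts/[^/]+/shipping-information/?$"
)

# Header of a PHP serialized object: O:<len>:"<class>":<nprops>:{ (class captured).
PHP_OBJECT = re.compile(r'O:\d+:"([\w\\]+)":\d+:\{')


def iter_strings(node: Any) -> Iterator[str]:
    """Yield every string value in a decoded JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def serialized_classes(body: Any) -> list[str]:
    """Return the class names of all PHP serialized objects embedded in the body."""
    return [m.group(1) for s in iter_strings(body) for m in PHP_OBJECT.finditer(s)]


def classify_request(method: str, path: str, raw_body: str) -> dict:
    """Verdict for one request: gadget-chain, object-injection, suspicious or clean."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        body = raw_body  # not JSON: scan the raw text as a single string
    classes = serialized_classes(body)
    known = sorted(set(classes) & GADGET_CLASSES)
    payment = body.get("paymentMethod") if isinstance(body, dict) else None
    on_shipping_info = method.upper() == "POST" and bool(SHIPPING_INFO_PATH.match(path))

    if known:
        verdict = "gadget-chain"          # a listed gadget class, anywhere
    elif classes and on_shipping_info:
        verdict = "object-injection"      # any PHP object where none belongs
    elif classes and path.startswith("/rest/"):
        verdict = "suspicious"            # serialized object on some other REST path
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "classes": classes,
        "known_gadgets": known,
        "payment_method": payment.get("method") if isinstance(payment, dict) else None,
    }


# Constructed sample traffic (not real captures): method, path, JSON body.
SAMPLE_REQUESTS = [
    ("POST", "/rest/default/V1/guest-carts/abc123/shipping-information",
     json.dumps({"addressInformation": {"shipping_address": {"countryId": "US"}},
                 "paymentMethod": {"method": "checkmo"}})),
    ("POST", "/rest/default/V1/guest-carts/abc123/shipping-information",
     json.dumps({"addressInformation": {"shipping_address": {"countryId": "US"}},
                 "paymentMethod": {"method": "checkmo", "additional_information": [
                     'O:32:"Magento\\Framework\\DB\\Transaction":1:{s:8:"_objects";a:0:{}}']}})),
    # Same gadget delivered through a different payment method: must still fire.
    ("POST", "/rest/V1/guest-carts/def456/shipping-information",
     json.dumps({"paymentMethod": {"method": "free", "additional_information": [
         'O:13:"Credis_Client":1:{s:5:"redis";N;}']}})),
    # Serialized object of an unlisted class on another REST endpoint.
    ("POST", "/rest/V1/customers",
     json.dumps({"customer": {"firstname": 'O:8:"stdClass":0:{}'}})),
]


def scan(requests=SAMPLE_REQUESTS) -> list[str]:
    """Verdicts for a batch of (method, path, body) records, in order."""
    return [classify_request(m, p, b)["verdict"] for m, p, b in requests]


if __name__ == "__main__":
    for (method, path, _), verdict in zip(SAMPLE_REQUESTS, scan()):
        print(f"{verdict:17} {method} {path}")
```

The string walk matters because the payload sits inside a nested list under `paymentMethod`; a flat top-level field check would miss it, and the JSON encoding of the backslashes in the class names is undone by `json.loads` before the regex runs.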
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File
exploitdb · 2016-05-18 · CVSS 9.8
```php
// Magento arbitrary write file
// Date: 18/05/2016
// Exploit Author: agix (discovered by NETANEL RUBIN)
// Vendor Homepage: https://magento.com
// Version: /shipping-information
// (* in the response check the payment method it may vary from checkmo)
//
// If you didn't provide whereToWrite, it will execute phpinfo to leak path.

// Local stand-in for the Magento cache-file gadget class; its base class
// DataObject is not part of the excerpt reproduced on this page.
class Magento_Framework_Simplexml_Config_Cache_File extends DataObject
{
    function __construct($data){
        $this->_data = $data;
    }
}

// Local stand-in for the Credis_Client gadget (the Redis client bundled with Magento).
class Credis_Client{
    const TYPE_STRING = 'string';
    const TYPE_LIST = 'list';
    const TYPE_SET = 'set';
    const TYPE_ZSET = 'zset';
    const TYPE_HASH = 'hash';
    const TYPE_NONE = 'none';
    const FREAD_BLOCK_SIZE = 8192;
    /**
     * Socket connection to the Redis server or Redis library instance
     * @var resource|Redis
     */
    protected $redis;
    protected $redi
    // ... excerpt truncated on this page; the full exploit is at the Exploit-DB link below
```
Metasploit
Magento 2.0.6 Unserialize Remote Code Execution (exploits/multi/http/magento_unserialize)
Module description: "This module exploits a PHP object injection vulnerability in Magento 2.0.6 or prior."
No writeups or analysis indexed.
References
- http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/
- https://magento.com/security/patches/magento-206-security-update
- https://packetstormsecurity.com/files/137121/Magento-Unauthenticated-Arbitrary-File-Write.html
- https://packetstormsecurity.com/files/137312/Magento-2.0.6-Unserialize-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/39838/