Add Magento CosmicSting XXE (CVE-2024-34102) Detector #538

Open · wants to merge 12 commits into master
Conversation

@lokiuox (Collaborator) commented Sep 16, 2024

Hello,

Here's the detector implementation for the Adobe Commerce/Magento CosmicSting XXE (CVE-2024-34102). Testbed PR here: google/security-testbeds#89

A few notes:

  • The DTD_FILE_URL here will need to be updated before merging the PR so that it references the right repo/branch
  • The detector falls back to response matching if the callback server is not available
  • When the Callback Server is available, the exploit is made in such a way that the contents of /etc/passwd are sent as a base64-encoded URL parameter when performing the callback request. However, with the current TCS implementation there is no way to retrieve the request's body, it's only possible to know whether a callback was received or not, so Tsunami can't actually read the exfiltrated data. Still, a safe instance would not send a request at all, therefore this is still a good indicator of a vulnerable instance.

References:

@lokiuox (Collaborator, Author) commented Nov 16, 2024

@maoning done. Just a reminder that DTD_FILE_URL needs to be updated to point to Google's repo. Would you like me to do that just before merging, so that it's correct once merged?

@maoning (Collaborator) commented Nov 26, 2024

> @maoning done. Just a reminder that DTD_FILE_URL needs to be updated to point to Google's repo. Would you like me to do that just before merging, so that it's correct once merged?

Could you create a separate PR to commit this file to https://github.com/google/tsunami-security-scanner-plugins/tree/master/payloads?

@lokiuox (Collaborator, Author) commented Nov 26, 2024

Here it is: #553

I proceeded to change the path in the detector already to what will be the new URL, so it can be tested as soon as the payload PR is merged.
