[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Magento 1.9.x Multiple Man-In The Middle
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Magento 1.9.x Multiple Man-In The Middle
- From: cxsecurity@xxxxxxxxxxxxxx
- Date: Mon, 25 Jan 2016 20:08:50 GMT
Magento 1.9.x Multiple Man-In The Middle
https://cxsecurity.com/issue/WLB-2016010129
--- Description ---
The man-in-the middle attack intercepts a communication between two systems.
For example, in an http transaction the target is the TCP connection between
client and server. Using different techniques, the attacker splits the original
TCP connection into 2 new connections, one between the client and the attacker
and the other between the attacker and the server, as shown in figure 1. Once
the TCP connection is intercepted, the attacker acts as a proxy, being able to
read, insert and modify the data in the intercepted communication.
https://www.owasp.org/index.php/Man-in-the-middle_attack
--- Result of static code analysis ---
Let's follow the curl's settings for CURLOPT_SSL_VERIFYPEER and
CURLOPT_SSL_VERIFYHOST in Magento 1.9.
CURLOPT_SSL_VERIFYPEER option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
WARNING: disabling verification of the certificate allows bad guys to
man-in-the-middle the communication without you knowing it. Disabling
verification makes the communication insecure. Just having encryption on a
transfer is not enough as you cannot be sure that you are communicating with
the correct end-point.
CURLOPT_SSL_VERIFYHOST option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
When the verify value is 0, the connection succeeds regardless of the names in
the certificate. Use that ability with caution!
DHL App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
---------------------------------
In this file, we can see
----
protected function _doRequest()
{
$r = $this->_rawRequest;
$xml = new SimpleXMLElement('<?xml version = "1.0" encoding =
"UTF-8"?><eCommerce/>');
$xml->addAttribute('action', 'Request');
$xml->addAttribute('version', '1.1');
$requestor = $xml->addChild('Requestor');
$requestor->addChild('ID', $r->getId());
$requestor->addChild('Password', $r->getPassword());
----
where ID and Password are sending in insecure connection. Next.
Fedex App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Fedex.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Fedex.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
---------------------------------
The same problem. Vulnerable.
UPS App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,
(boolean)$this->getConfigFlag('mode_xml'));
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,
(boolean)$this->getConfigFlag('mode_xml'));
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,
(boolean)$this->getConfigFlag('mode_xml'));
---------------------------------
Missing CURLOPT_SSL_VERIFYHOST. Vulnerable.
Mobile Controller
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/XmlConnect/controllers/Adminhtml/MobileController.php:
curl_setopt($curlHandler, CURLOPT_SSL_VERIFYHOST, 2);
./magento-mirror-1.9.1.1/app/code/core/Mage/XmlConnect/controllers/Adminhtml/MobileController.php:
curl_setopt($curlHandler, CURLOPT_SSL_VERIFYPEER, 0);
---------------------------------
CURLOPT_SSL_VERIFYPEER == 0. Vulnerable
Mobile Controller
---------------------------------
./magento-mirror-1.9.1.1/downloader/lib/Mage/HTTP/Client/Curl.php:
$this->curlOption(CURLOPT_SSL_VERIFYPEER, false);
./magento-mirror-1.9.1.1/downloader/lib/Mage/HTTP/Client/Curl.php:
$this->curlOption(CURLOPT_SSL_VERIFYHOST, 2);
---------------------------------
CURLOPT_SSL_VERIFYPEER == false. Vulnerable
3D Secure CentinelClient
---------------------------------
./magento-mirror-1.9.1.1/lib/3Dsecure/CentinelClient.php: curl_setopt($ch,
CURLOPT_SSL_VERIFYHOST, 2);
./magento-mirror-1.9.1.1/lib/3Dsecure/CentinelClient.php: curl_setopt($ch,
CURLOPT_SSL_VERIFYPEER, FALSE);
---------------------------------
CURLOPT_SSL_VERIFYPEER == false. Vulnerable
PEAR SOAP
--------------------------------
./magento-mirror-1.9.1.1/lib/PEAR/SOAP/Transport/HTTP.php: curl_setopt($ch,
CURLOPT_SSL_VERIFYPEER, 0);
---------------------------------
Vulnerable
Errors caught by cifrex.org. Sorry for the late publication but Magento
Security Team did not responded to my emails :(
In ChangeLog for version 2.0.0.0-dev60:
* Fixed a security issue when CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST
where used with improper values sometimes
and for 2.0.0.0-dev35
* Fixed security issue - set `CURLOPT_SSL_VERIFYPEER` to `true` by default in
cUrl calls
but no detailed information available
--- Credit ---
Maksymilian Arciemowicz from CXSECURITY
https://cxsecurity.com
http://cifrex.org