[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201601252008.u0PK8o8M004598@sf01web1.securityfocus.com>
Date: Mon, 25 Jan 2016 20:08:50 GMT
From: cxsecurity@...tonmail.com
To: bugtraq@...urityfocus.com
Subject: Magento 1.9.x Multiple Man-In The Middle
Magento 1.9.x Multiple Man-In The Middle
https://cxsecurity.com/issue/WLB-2016010129
--- Description ---
The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.
https://www.owasp.org/index.php/Man-in-the-middle_attack
--- Result of static code analysis ---
Let's follow the curl's settings for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST in Magento 1.9.
CURLOPT_SSL_VERIFYPEER option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
WARNING: disabling verification of the certificate allows bad guys to man-in-the-middle the communication without you knowing it. Disabling verification makes the communication insecure. Just having encryption on a transfer is not enough as you cannot be sure that you are communicating with the correct end-point.
CURLOPT_SSL_VERIFYHOST option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
When the verify value is 0, the connection succeeds regardless of the names in the certificate. Use that ability with caution!
DHL App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Dhl.php: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
---------------------------------
In this file, we can see
----
protected function _doRequest()
{
$r = $this->_rawRequest;
$xml = new SimpleXMLElement('<?xml version = "1.0" encoding = "UTF-8"?><eCommerce/>');
$xml->addAttribute('action', 'Request');
$xml->addAttribute('version', '1.1');
$requestor = $xml->addChild('Requestor');
$requestor->addChild('ID', $r->getId());
$requestor->addChild('Password', $r->getPassword());
----
where ID and Password are sending in insecure connection. Next.
Fedex App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Fedex.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Fedex.php: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
---------------------------------
The same problem. Vulnerable.
UPS App
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (boolean)$this->getConfigFlag('mode_xml'));
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (boolean)$this->getConfigFlag('mode_xml'));
./magento-mirror-1.9.1.1/app/code/core/Mage/Usa/Model/Shipping/Carrier/Ups.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (boolean)$this->getConfigFlag('mode_xml'));
---------------------------------
Missing CURLOPT_SSL_VERIFYHOST. Vulnerable.
Mobile Controller
---------------------------------
./magento-mirror-1.9.1.1/app/code/core/Mage/XmlConnect/controllers/Adminhtml/MobileController.php: curl_setopt($curlHandler, CURLOPT_SSL_VERIFYHOST, 2);
./magento-mirror-1.9.1.1/app/code/core/Mage/XmlConnect/controllers/Adminhtml/MobileController.php: curl_setopt($curlHandler, CURLOPT_SSL_VERIFYPEER, 0);
---------------------------------
CURLOPT_SSL_VERIFYPEER == 0. Vulnerable
Mobile Controller
---------------------------------
./magento-mirror-1.9.1.1/downloader/lib/Mage/HTTP/Client/Curl.php: $this->curlOption(CURLOPT_SSL_VERIFYPEER, false);
./magento-mirror-1.9.1.1/downloader/lib/Mage/HTTP/Client/Curl.php: $this->curlOption(CURLOPT_SSL_VERIFYHOST, 2);
---------------------------------
CURLOPT_SSL_VERIFYPEER == false. Vulnerable
3D Secure CentinelClient
---------------------------------
./magento-mirror-1.9.1.1/lib/3Dsecure/CentinelClient.php: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
./magento-mirror-1.9.1.1/lib/3Dsecure/CentinelClient.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
---------------------------------
CURLOPT_SSL_VERIFYPEER == false. Vulnerable
PEAR SOAP
--------------------------------
./magento-mirror-1.9.1.1/lib/PEAR/SOAP/Transport/HTTP.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
---------------------------------
Vulnerable
Errors caught by cifrex.org. Sorry for the late publication but Magento Security Team did not responded to my emails :(
In ChangeLog for version 2.0.0.0-dev60:
* Fixed a security issue when CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST where used with improper values sometimes
and for 2.0.0.0-dev35
* Fixed security issue - set `CURLOPT_SSL_VERIFYPEER` to `true` by default in cUrl calls
but no detailed information available
--- Credit ---
Maksymilian Arciemowicz from CXSECURITY
https://cxsecurity.com
http://cifrex.org
Powered by blists - more mailing lists