Security Risk: High
DREAD Score: 7/10
Vulnerability: Object Injection / Remote Code Execution
Patched Version: 2.3.2
In a routine audit of our Website Firewall we discovered a serious vulnerability within the Hikashop ecommerce product for Joomla! allowing remote code execution on the vulnerable website[s].
What Is At Risk?
This vulnerability affects Joomla! websites running Hikashop (< 2.3.2). It requires open account registration with email activation, which is the default configuration. In this particular case, a malicious user can remotely execute commands on the site (RCE), allowing them to do things like read any configuration file, modify files, and / or insert malware.
Because of the severity, you need to update your Hikashop installations as soon as possible. The Hikashop team released an update and provided more details on the issue here: Security Issue for HikaShop 2.3.2 and below and for HikaMarket 1.4.2 and 1.4.3
Technical Details
The extension was using some code within the user activation part of the software that relied on the PHP’s unserialize() function to confirm user-provided information. The keyword to remember here is user-provided.
As a rule of thumb, it is wise to never send raw, user-provided data, to sensitive functions, especially to unserialize(). In this case, it lead to an Object Injection vulnerability.
An attacker could use this behavior to spawn any classes available in the application’s context, modifying any internal variable it might have in an attempt to modify the class destructor’s execution flow.
These type of attacks are highly dependent on the available classes to the attacker when unserialize() parses its payload. We naturally thought it might be a good idea to verify whether or not something bad could be done using Joomla! 3.* classes, and it turns out there is. Using this, we were able to turn the Object Injection issue into a Remote Code Execution vulnerability, allowing us to run commands on the remote site.
Because of the severity, we will not release any POC (proof of concept code) or provide more details until user have had more time to update. After 30 days, we will disclose all information.
Update Hikashop as Soon as Possible!
Please update Hikashop immediately! The developers did their part and released an update within hours of our disclosure. Now, it is time for you to do your part and update your sites.
Note that site running behind our Website Firewall were remotely patched using our Zero Day Immediate Response feature.
Rianna MacLeod
Ben Martin
Allison Bondi
Juliana Lewis
Art Martori
Luke Leal
Marc-Alexandre Montpas
Northon Torga