Description

A system command injection vulnerability has been introduced in the Atos-Magento module version 3.0.0. This module manages the remote ATOS payment solution for Magento 1.x (1.7+) e-commerce websites.

Threat

Attackers could execute unauthorized system commands on the vulnerable application.

Vulnerability records

CVE ID: CVE-2020-13404

Access Vector: remote

Security Risk: critical

Vulnerability: CWE-78

CVSS Base Score: 9.9

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

In the module code, the Quadra_Atos_Model_Api_Response:doResponse($data, $parameters) function calls the PHP shell_exec($command) function:

//app/code/community/Quadra/Atos/Model/Api/Response.php
class Quadra_Atos_Model_Api_Response
{

    public function doResponse($data, $parameters)
    {
        $message = "message=$data";

        $pathfile = "pathfile=" . $parameters['pathfile'];

        $binPath = $parameters['bin_response'];

        $command = "$binPath $pathfile $message";
        $result = shell_exec($command);
        [...]
    }
    [...]
}

Quadra_Atos_Model_Api_Response:doResponse($data, $parameters) is called by Quadra_Atos_PaymentController:_getAtosResponse($data), which is itself called by Quadra_Atos_PaymentController:cancelAction().

The function Quadra_Atos_PaymentController:cancelAction() submits unsanitized user input ($_REQUEST['DATA']) as a parameter to Quadra_Atos_Model_Api_Response:doResponse($data, $parameters):

//app/code/community/Quadra/Atos/controllers/PaymentController.php
class Quadra_Atos_PaymentController extends Mage_Core_Controller_Front_Action
{
    [...]

    public function cancelAction()
    {

        [...]
        $response = $this->_getAtosResponse($_REQUEST['DATA']);
        [...]
    }

    [...]

    protected function _getAtosResponse($data)
    {
        $response = $this->getApiResponse()->doResponse($data, array(
            'bin_response' => $this->getConfig()->getBinResponse(),
            'pathfile' => $this->getMethodInstance()->getConfig()->getPathfile()
        ));

        [...]
    }
}

Consequently, Quadra_Atos_PaymentController:_getAtosResponse($data) forwards this unsanitized user input as the $data parameter of Quadra_Atos_Model_Api_Response:doResponse($data, $parameters), and shell_exec($command) is then called with a command string built from the unsanitized user input.

A fork of the module repository is available here.

Proof of Concept

When a user cancels the payment process from the ATOS website, a POST request is made to the Magento application and the encrypted data is carried in the DATA POST parameter:

[Figure: Cancel payment request]

This DATA parameter is vulnerable to system command injection.

Replacing the DATA value with any system command causes it to be executed by the server:

[Figure: Exploit]

The following figure shows that the server correctly executed the wget system command:

[Figure: Proof]

Affected versions

Versions 3.0.0 to 3.0.5 (last release).

The vendor indicated that it will not issue any patch against the Atos-Magento module, as it has dropped support for this software.

Solution

We suggest the following patch to app/code/community/Quadra/Atos/Model/Api/Response.php in order to sanitize the $data variable:

From: Raphaël DULONG <Raphaë[email protected]>
Date: Mon, 18 May 2020 15:12:17 +0200
Subject: [PATCH] Remote command injection security patch.
---
 .../community/Quadra/Atos/Model/Api/Response.php  | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/app/code/community/Quadra/Atos/Model/Api/Response.php b/app/code/community/Quadra/Atos/Model/Api/Response.php
index fc1764a..80e6b4c 100644
--- a/app/code/community/Quadra/Atos/Model/Api/Response.php
+++ b/app/code/community/Quadra/Atos/Model/Api/Response.php
@@ -19,16 +19,11 @@ class Quadra_Atos_Model_Api_Response

     public function doResponse($data, $parameters)
     {
-        // Récupération de la variable cryptée DATA
-        $message = "message=$data";
-
-        // Initialisation du chemin du fichier pathfile
-        $pathfile = "pathfile=" . $parameters['pathfile'];
-
-        // Initialisation du chemin de l'executable response
-        $binPath = $parameters['bin_response'];
-
-        // Appel du binaire response
+        
+        $message = escapeshellarg("message=$data");
+        $pathfile = escapeshellarg("pathfile=" . $parameters['pathfile']);
+        $binPath = escapeshellarg($parameters['bin_response']);
+        
         $command = "$binPath $pathfile $message";
         $result = shell_exec($command);

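Review bot: the escapeshellarg() wrapping on the three tokens (`+        $message = escapeshellarg("message=$data");` and the two lines below it) is the right fix for this injection, but the hunk also deletes the four explanatory comments instead of keeping them, and the two added lines `+        ` carry trailing whitespace; keep the comments and drop the trailing spaces. Since escapeshellarg() only quotes and is locale-dependent (bytes that cannot be represented in the current locale may be silently dropped), consider adding a positive check that $data has the shape the response binary expects before building the command, and note that the result of shell_exec($command) on the following context line is still not checked for failure.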
-- 
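As an added illustration of the command construction described in the Details section and of the escapeshellarg() fix proposed in the patch above (example code written for this advisory, not code from the Atos-Magento module), the script below rebuilds the command string the way doResponse() does, first the vulnerable way and then the patched way, without ever calling shell_exec(), so the effect of the quoting can be inspected safely. The binary path, pathfile path and DATA values are constructed placeholders, and the character set accepted by isPlausibleAtosData() is an assumption, not the documented format of the ATOS DATA blob.

```php
<?php
// Added example, not code from the Atos-Magento module.
// Rebuilds the shell command exactly as doResponse() does, once without
// quoting (3.0.0 behaviour) and once with escapeshellarg() (patched
// behaviour). Nothing is executed: both builders only return the string.

// Constructed sample configuration, mirroring the two $parameters keys.
$parameters = array(
    'bin_response' => '/var/www/magento/app/code/community/Quadra/Atos/bin/response',
    'pathfile'     => '/var/www/magento/app/code/community/Quadra/Atos/param/pathfile',
);

// Constructed DATA values: a placeholder for a legitimate blob, and one
// carrying a shell metacharacter so the two builders can be compared.
$benignData  = 'A0B1C2D3E4F5A6B7C8D9';
$hostileData = 'A0B1; echo injected';

// Vulnerable construction: $data is interpolated unquoted, so the shell
// parses any metacharacter it contains as part of the command line.
function buildCommandUnsafe($data, array $parameters)
{
    $message  = "message=$data";
    $pathfile = "pathfile=" . $parameters['pathfile'];
    $binPath  = $parameters['bin_response'];
    return "$binPath $pathfile $message";
}

// Patched construction: each token is passed through escapeshellarg(),
// so the shell receives exactly three single-quoted arguments.
function buildCommandSafe($data, array $parameters)
{
    $message  = escapeshellarg("message=$data");
    $pathfile = escapeshellarg("pathfile=" . $parameters['pathfile']);
    $binPath  = escapeshellarg($parameters['bin_response']);
    return "$binPath $pathfile $message";
}

// Defence in depth: reject DATA values that do not look like the blob the
// response binary expects, before any command is built. The alphanumeric
// pattern is an assumption for this example; check a few legitimate DATA
// values from a real payment flow and adjust it to what ATOS actually sends.
function isPlausibleAtosData($data)
{
    return is_string($data) && preg_match('/^[0-9A-Za-z]{16,}$/', $data) === 1;
}

foreach (array('benign' => $benignData, 'hostile' => $hostileData) as $label => $data) {
    echo "== $label DATA ==\n";
    echo "unsafe : " . buildCommandUnsafe($data, $parameters) . "\n";
    echo "safe   : " . buildCommandSafe($data, $parameters) . "\n";
    echo "allowed: " . (isPlausibleAtosData($data) ? 'yes' : 'no') . "\n\n";
}
```

Run it with `php example.php`. For the hostile value the unsafe line ends in an unquoted `message=A0B1; echo injected`, which a shell would split into two commands, while the safe line ends in `'message=A0B1; echo injected'`, a single argument handed to the response binary. The whitelist check is worth keeping alongside escapeshellarg() because quoting alone never validates the value, and escapeshellarg() behaves according to the current locale, so an explicit format check also protects legitimate data from being silently altered.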

Timeline

  • 2020-01-22: Initial discovery;
  • 2020-01-23: First e-mail contact;
  • 2020-02-04: No news, so we opened an issue on the Atos-Magento repository;
  • 2020-02-06: Quadra-informatique updated the Readme.MD of the Atos-Magento repository with the following sentence: "There could be some security issues if you download this";
  • 2020-04-17: Quadra-informatique informed us that they will not patch the Atos-Magento module;
  • 2020-05-29: We directly alerted the organizations that we could publicly identify as using the vulnerable module (via Google dork);
  • 2020-06-09: Public disclosure.

Credits

  • Raphaël DULONG, @RaphaelDLNG, Sysdream (r.dulong -at- sysdream -dot- com)