Shopware is a popular e-commerce software. We discovered two vulnerabilities in the code that bases on Symfony, Doctrine and the Zend Framework. In this blog post we investigate the exploitation of a rare PHP object instantiation vulnerability (CVE-2017-18357).
Installations with following requirements are affected by this vulnerabilities:
- Shopware version <= 5.3.3 and >= 5.1
In order to exploit the found vulnerabilities an attacker needs to be able to use the backend functionality of Shopware, specifically, the configuration of product streams. However, it is sufficient if the attacker can control the session of an account with limited permissions.
Successfully exploiting the object instantiation vulnerability grants an attacker the ability to instantiate an object in the PHP application of an arbitrary class. By using a blind XXE attack described in this blog post, this can lead to the disclosure of any file on the server (as long as the user associated with the PHP process has the required permissions). This can for example, be any confidential file of the shopware installation like
config.php which contains the database credentials.
In this section we will technically analyse the object instantiation vulnerability by examining the flow of data from the input to the dangerous sink. Furthermore, we will present a way of how such a vulnerability can be exploited by escalating it into a blind XXE attack. This sort of vulnerability is not very often to find, and thus an interesting candidate for our inspection.
RIPS automatically identified the object instantiation vulnerability that spans over multiple files and classes. The point of injection resides in the feature to preview product streams in the shopware backend. Here, the user parameter
sort is received in the
loadPreviewAction() method of the
The input is then forwarded to the
unserialize() method of
Shopware\Components\ProductStream\Repository. Note that this is not a PHP Object Injection vulnerability and a custom
unserialize() method. This method calls another
unserialize() method of
The user input is passed along in the first parameter. Here, it ends up in a foreach loop.
Each array key of the user input is then passed to a
createInstanceFromNamedArguments() method as
Finally, the keypoint is the instantiation of an object with
ReflectionClass of the type specified in
$className. The invokation of the
newInstanceArgs() method with user controlled input in
$arguments allows to specify the arguments of the constructor
ReflectionClass is part of the reflection API introduced with PHP 5. It allows retrieving information (available methods, their awaited parameters, etc.) about all classes accessible at a given point during execution. As the name implies,
newInstanceArgs() creates an instance of a class with given parameters. So basically at this point, we can instantiate arbitrary objects.
Let's take a look at how such a vulnerability can be exploited. An attacker that can control the input sent to the
loadPreviewAction() method for product streams can provoke the instantiation of an arbitrary object with chosen parameters. Exploiting an object instantiation vulnerability with chosen parameters presents nearly the same challenges to an attacker as exploiting an object injection vulnerability. The difference is that instead of the magic method
__wakeup() that gets called when an object is unserialized,
__construct() gets called. Inspecting the lifecycle of an injected dummy object revealed that the following methods of its methods get called:
So what is left to do is to find a class available at runtime in which one of the above methods is implemented in an advantageous manner. Unfortunately we could not find any such class in the Shopware code base.
However, at runtime also the PHP built-in classes are available! An interesting class of which one could instantiate an object in such a situation is
SimpleXMLElement. This class is part of the PHP SimpleXML extension which is available on most PHP installations. When instantiating an object of
SimpleXMLElement, the data passed to its constructor is parsed as XML. This can be exploited to launch an XML External Entity (XXE) attack. The signature of the constructor of SimpleXMLElement looks like the following:
As the third parameter
$data_is_url might imply, it's even possible to pass an URL to an external XML file which should be parsed. The following XML and DTD example shows how this can be abused to read any file on the targeted system that the web server's privileges allow access to.
First, the object instantiation vulnerability is used to instantiate a
SimpleXMLElement object with the appropriate parameters. The parameter
$options must be set to
LIBXML_NOENT in order to activate entity substitution which is required for the XXE to work. The parameter
$data_is_url is set to true and the
$data points to the attackers
xxe.xml file. When the XML file is parsed by the injected
SimpleXMLElement object, it reads the
/etc/passwd file from the file system and sends its content base64 encoded back to the attackers web server.
Finally, the attacker can read the content of the desired file by reviewing his web server's log file and base64 decoding the received log entry.
|2017/09/13||Reported vulnerabilities in Shopware ticket system|
|2017/09/14||Coordinated disclosure timeline with vendor|
|2017/10/02||Vendor fixed issues in code base|
|2017/10/24||Vendor released fixed version 5.3.4|
We analyzed the community edition of the popular e-commerce software Shopware as part of our PHP vulnerability research that contributes to open source security. We identified two security issues in the code base. In this post we analyzed a unique and cool object instantiation vulnerability and presented a way of how such a vulnerability can be escalated into a blind XXE attack leading to arbitrary file disclosure.
We would like to thank the team behind Shopware for their professional collaboration and for quickly resolving the issues with the release of version 5.3.4. If you are still using an older version, we encourage to update.