Last Sunday Adobe issued an extremely highly rated CVE under CVE-2022-24086 with a rating of 9.8\/10 for their “Adobe Commerce” platform. The vulnerability allows anyone to execute arbitrary code execution, without any prior credentials or admin powers! The weakness found was based off input validation which is a relatively common weakness. If you’ve ever heard of SQL injection attacks, both attacks use the same general method to get code somewhere it shouldn’t be.<\/p>\n\n\n\n
For quick reference, Adobe Commerce is a web platform for selling products & working through the back-end logistics. For example, an online store could use it to host their website while keeping their Amazon page up-to-date, as well as handle shipping providers. This makes it customer-facing, causing a vulnerability like this one to be even worse, since you can’t just wall it off as some internal-only application.<\/p>\n\n\n\n
Thankfully, by looking into the source code of the vulnerability patch, we can get a glimmer of how this specific attack works:<\/p>\n\n\n\n
$pattern = '\/{{.*?}}\/';\n do {\n $result = preg_replace($pattern, '', (string)$result);\n } while (preg_match($pattern, $result));<\/code><\/pre>\n\n\n\n
This newly added snippet of code uses regular expressions (Regex) to look for a particular pattern in an incoming string, and remove all occurrences. The pattern is two set of curly braces, one within another, with any amount of characters (including none) between them. This specific formatting is used in YAML to embed code.<\/p>\n\n\n\n
This is entirely speculation, but my guess at the mechanics behind this attack would be sending YAML queries to the Adobe Commerce backend with a carefully crafted bit of code within a set of {{}} that the backend accidentally then executed to do some further unknown function.<\/p>\n\n\n\n
Unfortunately the specific attack details are still scarce due to Adobe waiting for their customers to patch before releasing how the vulnerability is acted upon. The vulnerability effects all versions up to two minor versions ago (current: 2.4.5, < 2.4.4 effected). Adobe also stated they’ve gotten reports of this vulnerability being exploited “in the wild” and have stated that there are “very limited attacks” on customers using Adobe Commerce, but gave no hard numbers.<\/p>\n\n\n\n
Input Validation & RCE<\/h2>\n\n\n\n
How do you tell a computer what is code, and what is data? If we were trying to encode the string “print(“Hello, World!”)”, how does Python know whether or not to execute the print() function within the string? If you call print() on that string, then what happens?<\/p>\n\n\n\n
A very important part of writing programs is input validation. Things as simple as checking whether a string can get parsed into a number, to complex error & RCE checking. There are other forms of input validation (such as checking for concurrent sessions for the same user) to be aware of as well. For string-based input validation, it is recommended to look for specific code-related characters & remove them from the input to ensure the string won’t get mis-read as code:<\/p>\n\n\n\n
Comment tags such as \/\/ or \/* *\/<\/li>
Semicolons ;<\/li>
String delimiters such as ‘ or “<\/li>
Newline and null characters: \\n and \\0<\/li>
Braces and Bracket pairs such as <>, {} and []<\/li><\/ul>\n\n\n\n
When an input is mis-read as code, it allows attackers to run effectively anything they want in the worst case as shown in this CVE. It can also result in crashing or causing incorrect behaviour in a system, which I’ve seen firsthand at an internship last summer.<\/p>\n\n\n\n
Examples of Similar Exploits<\/h2>\n\n\n\n
The classic example of improper input validation comes from XKCD:<\/p>\n\n\n\n<\/figure>\n\n\n\n
Another recent example has been the RCE exploit in Dark Souls 3, where the game’s multiplayer has been temporarily disabled to fix the problem. Another blog post has already covered this, here:<\/p>\n\n\n\n
![\"https:\/\/imgs.xkcd.com\/comics\/exploits_of_a_mom.png\"](\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" "\\"Her")
<\/figure>\n\n\n\n![\"https:\/\/imgs.xkcd.com\/comics\/exploits_of_a_mom.png\"](\"https:\/\/imgs.xkcd.com\/comics\/exploits_of_a_mom.png\" "\\"Her")
<\/figure>\n\n\n\n