Researchers at website security company Sucuri have discovered five backdoor methods to access Adobe’s Magento e-commerce platform, potentially enabling capture of credit card details or administrator login credentials.
The backdoors, which the researchers say evade common detection techniques and provide attackers remote code execution privileges, were found during an investigation of a compromised Magento environment.
“The techniques used by the attackers in these backdoors illustrate the ever-changing landscape of website security and highlight some of the tactics used to avoid traditional backdoor detection,” says Liam Smith, security analyst at Sucuri.
The five distinct backdoor methods discovered during the investigation are:
- Reflection function – This backdoor is added directly to Magento’s core file /errors/503.php. This malicious code takes user input from the “ID” URL parameter and builds a reflection function, which acts as a disguise and gives the attacker an opportunity to pass malicious input. Below is an example of a payload that can be abused:hxxps://example[.]com/errors/503.php?id=system&processor=array(‘cat app/etc/local.xml’)“If, during the attack, command execution functions such as system or shell_exec are enabled, the attacker would have unhindered access to your site files, including configuration files,” Smith notes. “This would further lead to lateral movement into the website’s database and allow further injections aimed at capturing credit card details or administrator login credentials.”
- forward_static_call() – This is nearly identical to the “reflection function” backdoor, but is added in Magento’s processor.php file. “This sample builds a class ‘A’, with a constructor that calls whichever function is named from input ‘X’, and passes input ‘_’ as an argument,” Smith says.
- register_tick_function() – This backdoor is added in Magento’s close.php file. Like the previous two methods, this one provides attackers with remote code execution. “By keeping no one backdoor the same, the attackers can thwart attempts to search for other infections based on any previously discovered samples,” Smith notes.
- session_set_save_handler() – In this method, the attacker abuses regular and unsuspicious functions to achieve remote code execution privileges. This function allows developers to specify how a user’s session is to be stored, and attackers abuse it by a backdoor hidden in a file named 1.php. The save handler function is forced to accept the untrusted input from the attacker due to this abuse and instantly executes the malicious payload.
- ZipArchive() – This is one of the most unusual methods for backdoor abuse in Magento, because it interacts with the cookies using a POST request. Generally, if access logging is enabled on a web server or a firewall, the GET request initiated by the attackers can be detected.
(Except for the headline, this story has not been edited by The Technology Express staff and is published from a syndicated feed)
About Author
