Researchers Identify Backdoor Methods to Access MagentoSucuri Offers Advice on Risk Mitigation
Researchers at website security company Sucuri have discovered five backdoor methods to access Adobe's Magento e-commerce platform, potentially enabling capture of credit card details or administrator login credentials.
The backdoors, which the researchers say evade common detection techniques and provide attackers remote code execution privileges, were found during an investigation of a compromised Magento environment.
“The techniques used by the attackers in these backdoors illustrate the ever-changing landscape of website security and highlight some of the tactics used to avoid traditional backdoor detection,” says Liam Smith, security analyst at Sucuri.
The five distinct backdoor methods discovered during the investigation are:
Reflection function - This backdoor is added directly to Magento’s core file /errors/503.php. This malicious code takes user input from the “ID” URL parameter and builds a reflection function, which acts as a disguise and gives the attacker an opportunity to pass malicious input. Below is an example of a payload that can be abused:
“If, during the attack, command execution functions such as system or shell_exec are enabled, the attacker would have unhindered access to your site files, including configuration files,” Smith notes. “This would further lead to lateral movement into the website’s database and allow further injections aimed at capturing credit card details or administrator login credentials."
forward_static_call() - This is nearly identical to the “reflection function” backdoor, but is added in Magento’s processor.php file. “This sample builds a class ‘A’, with a constructor that calls whichever function is named from input 'X', and passes input '_' as an argument,” Smith says.
register_tick_function() - This backdoor is added in Magento’s close.php file. Like the previous two methods, this one provides attackers with remote code execution. “By keeping no one backdoor the same, the attackers can thwart attempts to search for other infections based on any previously discovered samples,” Smith notes.
session_set_save_handler() - In this method, the attacker abuses regular and unsuspicious functions to achieve remote code execution privileges. This function allows developers to specify how a user’s session is to be stored, and attackers abuse it by a backdoor hidden in a file named 1.php. The save handler function is forced to accept the untrusted input from the attacker due to this abuse and instantly executes the malicious payload.
ZipArchive() - This is one of the most unusual methods for backdoor abuse in Magento, because it interacts with the cookies using a POST request. Generally, if access logging is enabled on a web server or a firewall, the GET request initiated by the attackers can be detected.
The attackers ensure that only payloads they send are executed through their backdoor. The first step is to check the value of the “mailto_” cookie. In Magento, the “mailto_” cookie is usually not configured. The value inside the cookie is then named and saved as a zip archive in the /tmp temporary folder. Because it uses the regular function, it avoids detection and deletes itself from the temporary folder immediately post execution, leaving no trails of the backdoor established, according to Sucuri.
“In the same spirit of remaining discrete, the attacker wrapped the entire backdoor in a try/catch statement to ensure that any errors that might generate through the execution of the code are silently discarded and not logged to a central file,” Smith says.
Sucuri advises e-commerce sites that use Magento to perform integrity checks on their websites to detect these infections. Systems performing integrity checks will track any modifications to site files and can help find malware that would have otherwise gone undetected, Sucuri says.
Monitoring access logs can also help detect malicious activities and backdoors, the security firm notes.