On May 27th our research labs discovered a vulnerability (CVE-2014-3868) in an e-commerce shopping cart application known as "ZeusCart". The same day, we reported this vulnerability to mitre.org and the CVE was assigned. We were able to get in touch with the vendor with a confirmed response relatively quickly (May 29). We attempted to contact them again on June 4 and June 17. They have not since responded. Since then there have been multiple pushes and merges to the project's master branch on github; the security issue still has not been addressed despite the fix being a single, simple line of code. This copy-paste fix could have been implemented extremely quickly and easily and the vendor has pushed many updates since their notification. When initially disclosing this, we gave them a time period of 14 days before we would publish it. Because they responded to us positively, we gave them extra time to fix it. At this point, seeing that they continue to update the software past the 14 day window without implementing a ten second fix leaves us little alternative to our present course of action. As per our Actionable Intelligence Must Beget Overzealous Timing (AIMBOT) policy, this report is being released in the hopes that vendor negligence and potential incompetence may be appropriately addressed. Responsible disclosure includes the responsibility to be transparent with consumers and the responsibility to consumers to prevent them from being harmed. Before we get into any specific vulnerability, we would like to compliment this vendor on their UI development. The responsive HTML5 layout is certainly an excellent piece of code. While the vendor has amazing interface developers, their database architects are as poor at databasing as their UI developers are good at interfacing. Our initial analysis of the software in question, including CVE-2014-3868 and several other vulnerabilities follows below. Weaponized exploit samples for this software will NOT be made available by ourselves, as weaponizing exploits affecting this type of application is contrary to the spirit of consumer protection. We will attempt to provide diffs for each thing we were able to easily patch at the end of this document; however this is not a guarantee of the future safety of this third-party-patched product. --- CVE-2014-3868 --- Assigned: 27 May 2014 (Submitted to Vendor May 29) Status: Vendor Ignored, see suggested fix below. Classification: Blind SQL Injection Exploit Complexity: Low Severity: High Description: Blind SQL injection vector exists in the current addtocart functionality for the latest version of ZeusCart. Required information for attack to be successful: * valid product id * valid session ID PoC: * Requires a valid sessionid and numeric product id. * The following bash commands causes the target page to sleep for 13 seconds, while the expected inputs have a near-instant response time: # export SESSID="YOURSESSIONID, CHANGE THIS"; # export PROD_ID="Numeric Product ID"; # time curl -d "addtocart=${PROD_ID}" -b "PHPSESSID=${SESSID}" \ "http://zeuscart_install/index.php?do=addtocart&prodid=${PROD_ID} and sleep(1)" Suggested Action: At the top of CAddCart.php, line 32 (just after the comments and before the definition of the class), add the following line of code: $_GET['prodid'] = abs((int)$_GET['prodid']); --- Initial Analysis --- The first thing we noticed was that Zeuscart uses Bin/Core/Assembler.php to automatically iterate over each user input and use "mysql_real_escape_string" on everything. While the comments call this "power security", it is not. Inputs that are not wrapped in quotes are not in any way protected. Two better ways to implement "power security" include using PDO with paramaterized statements or an ORM that sanitizes inputs according to datatypes in the information_schema database. We were able to identify a number of sql injection vulnerabilities which involved integer handling bugs. The following functions are vulnerable to the following parameters: classes/Core/CUserNewsLetter.php: * addNewsLetter() : $_POST['subId'] (line 72) classes/Core/CAddCart.php: * addCartFromProductDetail() : $_GET['prodid'] (lines 238, 379) * addCartFromProductDetail() : $_POST['variations'] (line 273) Eventually we stopped actually looking CAddCart.php and just ran a fancy grep to see queries that had string concatenated inputs that weren't wrapped in quotes. The results were kind of scary, so, for CAddCart.php we simply made a list of vulnerable integer inputs with some magical bash: * $_GET['prodid'] * $_POST['variations'] * $_POST['prodid'][$i] * $_POST['qty'][$i] * $_POST['qty'] Our greps also returned a fairly large amount of other vulnerabilities. The following filenames and line numbers showed as vulnerable for one reason or another, we are limiting the information here due to the severity of the bugs. ./classes/Core/CAddCart.php:91 ./classes/Core/CAddCart.php:115 ./classes/Core/CAddCart.php:138 ./classes/Core/CAddCart.php:238 ./classes/Core/CAddCart.php:273 ./classes/Core/CAddCart.php:734 ./classes/Core/CAddCart.php:742 ./classes/Core/CAddCart.php:749 ./classes/Core/CAddCart.php:756 ./classes/Core/CAddCart.php:757 ./classes/Core/CAddCart.php:762 ./classes/Core/CAddCart.php:783 ./classes/Core/CAddCart.php:789 ./classes/Core/CAddCart.php:905 ./classes/Core/CUserNewsLetter.php:72 ./classes/Display/DAddCart.php:277 ./classes/Display/DAddCart.php:1146 ./classes/Display/DAddCart.php:1161 ./classes/Display/DAddCart.php:1326 ./classes/Display/DAddCart.php:1341 ./classes/Display/DUserAccount.php:1216 Most major and obvious SQL injection bugs are fixed with our patch to the Assembler.php file; however we are not willing to vouch that there are no SQL injection vulnerabilities in our patched version. This is only our initial analysis and as such it is not complete. This is simply what we were able to find and fix on our "first pass". --- Our Patchset --- While we have applied some best-effort hotfixes here, it is highly recommended to move to a software platform who's vendor takes security more seriously until the vendor officially patches these bugs amongst others. Serious code review and standard enforcement is both lacking and needed by this vendor. The diff is provided as follows: [root@temp Core]# diff Assembler.php Assembler_New.php 47c47,73 < --- > > if (isset($_POST['prodid'])) { > if (is_array($_POST['prodid'])) { > foreach ($_POST['prodid'] as $key => $value) { > $_POST['prodid'][$key] = abs((int)$value); > } > } else { > $_POST['prodid'] = abs((int)$_GET['prodid']); > } > } > > > if (isset($_POST['qty'])) { > if (is_array($_POST['qty'])) { > foreach ($_POST['qty'] as $key => $value) { > $_POST['qty'][$key] = abs((int)$value); > } > } else { > $_POST['qty'] = abs((int)$_GET['prodid']); > } > } > > if (isset($_POST['variations'])) $_POST['variations'] = abs((int)$_POST['variations']); > if (isset($_GET['prodid'])) $_GET['prodid'] = abs((int)$_GET['prodid']); > if (isset($_POST['subId'])) $_POST['subId'] = abs((int)$_POST['subId']); > > 240c266 < ?> \ No newline at end of file --- > ?> Again, we would like to stress that this is NOT a guarantee of the security of this product. This simply fixes the SQL injection vulnerabilities we were able to discover on our first glance. If we were able to discover these at-a-glance then imagine what could potentially be in the wild. Github pull request:https://github.com/ZeusCart/zeuscart/pull/23 Full Advisory:http://breaking.te-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512chnology/advisories/CVE-2014-3868.txt - Breaking Technology Staff