ZeusCart 4.x Remote SQL Injection


On May 27th our research labs discovered a vulnerability (CVE-2014-3868)
in an e-commerce shopping cart application known as "ZeusCart". The same
day, we reported this vulnerability to mitre.org and the CVE was assigned.
We were able to get in touch with the vendor with a confirmed response
relatively quickly (May 29).

We attempted to contact them again on June 4 and June 17. They have not
since responded.

Since then there have been multiple pushes and merges to the project's
master branch on GitHub; the security issue still has not been addressed
despite the fix being a single, simple line of code. This copy-paste fix
could have been implemented extremely quickly and easily and the vendor
has pushed many updates since their notification. When initially
disclosing this, we gave them a time period of 14 days before we would
publish it. Because they responded to us positively, we gave them extra
time to fix it. At this point, seeing that they continue to update the
software past the 14-day window without implementing a ten-second fix
leaves us little alternative to our present course of action.

As per our Actionable Intelligence Must Beget Overzealous Timing (AIMBOT)
policy, this report is being released in the hopes that vendor negligence
and potential incompetence may be appropriately addressed. Responsible
disclosure includes the responsibility to be transparent with consumers
and the responsibility to consumers to prevent them from being harmed.

Before we get into any specific vulnerability, we would like to compliment
this vendor on their UI development. The responsive HTML5 layout is
certainly an excellent piece of code.

While the vendor has amazing interface developers, their database
architects are as poor at databasing as their UI developers are good at
interfacing.

Our initial analysis of the software in question, including CVE-2014-3868
and several other vulnerabilities follows below. Weaponized exploit
samples for this software will NOT be made available by ourselves, as
weaponizing exploits affecting this type of application is contrary to the
spirit of consumer protection. We will attempt to provide diffs for each
thing we were able to easily patch at the end of this document; however
this is not a guarantee of the future safety of this third-party-patched
product.


--- CVE-2014-3868 ---
Assigned:
27 May 2014 (Submitted to Vendor May 29)

Status:
Vendor Ignored, see suggested fix below.

Classification:
Blind SQL Injection

Exploit Complexity:
Low

Severity:
High

Description:
A blind SQL injection vector exists in the current addtocart functionality
for the latest version of ZeusCart.

Required information for attack to be successful:
* valid product id
* valid session ID

PoC:
* Requires a valid sessionid and numeric product id.
* The following bash commands cause the target page to sleep for 13
  seconds, while the expected inputs have a near-instant response time:

# export SESSID="YOURSESSIONID, CHANGE THIS";
# export PROD_ID="Numeric Product ID";
# time curl -d "addtocart=${PROD_ID}" -b "PHPSESSID=${SESSID}" \
  "http://zeuscart_install/index.php?do=addtocart&prodid=${PROD_ID} and sleep(1)"

Suggested Action:
At the top of CAddCart.php, line 32 (just after the comments and before
the definition of the class), add the following line of code:

$_GET['prodid'] = abs((int)$_GET['prodid']);


--- Initial Analysis ---
The first thing we noticed was that ZeusCart uses Bin/Core/Assembler.php
to automatically iterate over each user input and use
"mysql_real_escape_string" on everything. While the comments call this
"power security", it is not. Inputs that are not wrapped in quotes are not
in any way protected. Two better ways to implement "power security"
include using PDO with parameterized statements or an ORM that sanitizes
inputs according to datatypes in the information_schema database.
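
Why escaping alone does not protect an unquoted integer parameter, shown
as an added example (not code from ZeusCart or from this advisory). It
runs one constructed input through escaped concatenation, the integer cast
suggested above, and a PDO parameterized statement. In-memory SQLite
stands in for MySQL, and escape_only(), titles() and the products table
are hypothetical names.

```php
<?php
// Added illustration, not ZeusCart code. Table, column and function names are
// hypothetical; in-memory SQLite stands in for MySQL so the script runs offline.

// Stand-in for mysql_real_escape_string(): backslash-escapes NUL, \n, \r, \,
// ', " and Ctrl-Z. Like the real function, it never adds surrounding quotes.
function escape_only(string $value): string
{
    return addcslashes($value, "\0\n\r\\'\"\x1a");
}

// Run a query (optionally with bound parameters) and return the title column.
function titles(PDO $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (product_id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget')");

// Constructed input shaped like the PoC parameter: a valid id, then extra SQL.
$input = '2 and 1=0';

// Escaping has nothing to act on: no quote, backslash or control character.
$escaped = escape_only($input);
printf("escaped == raw input: %s\n", var_export($escaped === $input, true));

// 1) Escaped but unquoted concatenation: the trailing text is parsed as SQL.
$weakSql = 'SELECT title FROM products WHERE product_id = ' . $escaped;
printf("weak  : %s\n        rows=%s\n", $weakSql, json_encode(titles($db, $weakSql)));

// 2) The advisory's cast: only the leading integer survives.
$castSql = 'SELECT title FROM products WHERE product_id = ' . abs((int)$input);
printf("cast  : %s\n        rows=%s\n", $castSql, json_encode(titles($db, $castSql)));

// 3) Parameterized statement: the SQL text is fixed and the whole input is
//    compared as one value, so none of it is ever parsed as SQL.
$boundSql = 'SELECT title FROM products WHERE product_id = ?';
printf("bound : %s\n        rows=%s\n", $boundSql, json_encode(titles($db, $boundSql, [$input])));
```

Cases 1 and 3 can return the same rows for this input; the difference is
that case 1 let the database execute the appended condition, while case 3
only compared the input as a value.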

We were able to identify a number of SQL injection vulnerabilities which
involved integer handling bugs. The following functions are vulnerable to
the following parameters:

classes/Core/CUserNewsLetter.php:
* addNewsLetter() : $_POST['subId'] (line 72)


classes/Core/CAddCart.php:
* addCartFromProductDetail() : $_GET['prodid'] (lines 238, 379)
* addCartFromProductDetail() : $_POST['variations'] (line 273)


Eventually we stopped actually looking at CAddCart.php and just ran a
fancy grep to see queries that had string concatenated inputs that weren't
wrapped in quotes. The results were kind of scary, so, for CAddCart.php we
simply made a list of vulnerable integer inputs with some magical bash:
* $_GET['prodid']
* $_POST['variations']
* $_POST['prodid'][$i]
* $_POST['qty'][$i]
* $_POST['qty']
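
A source audit in the spirit of the grep described above, as an added
example (not the authors' command and not ZeusCart code): it flags
query-building lines where $_GET, $_POST or $_REQUEST is concatenated into
the SQL text outside of quotes. The function name and the sample lines are
constructed; a hit is a lead for manual review, and request data copied
into a local variable first is not tracked.

```php
<?php
// Added audit sketch, not the grep used in the advisory. It flags lines where a
// request superglobal is concatenated into an SQL string without a preceding
// single quote. The function name and the sample lines are hypothetical.

function find_unquoted_inputs(string $source): array
{
    // A double-quoted literal whose last non-space character is not "'",
    // followed by ". $_GET[...]", ". $_POST[...]" or ". $_REQUEST[...]".
    $concat = '/[^\'\s]\s*"\s*\.\s*(\$_(?:GET|POST|REQUEST)(?:\[[^\]]+\])+)/';
    $hits = [];
    foreach (explode("\n", $source) as $index => $line) {
        // Only look at lines that appear to build a query.
        if (!preg_match('/\b(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\b/i', $line)) {
            continue;
        }
        if (preg_match_all($concat, $line, $matches)) {
            foreach ($matches[1] as $input) {
                $hits[] = ['line' => $index + 1, 'input' => $input];
            }
        }
    }
    return $hits;
}

// Constructed sample source: two unquoted integer inputs, one quoted string
// input, and one non-SQL line that must be ignored.
$sample = <<<'SRC'
$sql = "SELECT * FROM products_table WHERE product_id=" . $_GET['prodid'];
$sql = "SELECT * FROM users_table WHERE user_email='" . $_POST['email'] . "'";
$sql = "UPDATE cart_table SET qty=" . $_POST['qty'][$i] . " WHERE cart_id=" . $cartId;
$msg = "Hello " . $_GET['name'];
SRC;

foreach (find_unquoted_inputs($sample) as $hit) {
    printf("line %d: %s reaches SQL outside quotes\n", $hit['line'], $hit['input']);
}
```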

Our greps also returned a fairly large amount of other vulnerabilities.
The following filenames and line numbers showed as vulnerable for one
reason or another; we are limiting the information here due to the
severity of the bugs.
./classes/Core/CAddCart.php:91
./classes/Core/CAddCart.php:115
./classes/Core/CAddCart.php:138
./classes/Core/CAddCart.php:238
./classes/Core/CAddCart.php:273
./classes/Core/CAddCart.php:734
./classes/Core/CAddCart.php:742
./classes/Core/CAddCart.php:749
./classes/Core/CAddCart.php:756
./classes/Core/CAddCart.php:757
./classes/Core/CAddCart.php:762
./classes/Core/CAddCart.php:783
./classes/Core/CAddCart.php:789
./classes/Core/CAddCart.php:905
./classes/Core/CUserNewsLetter.php:72
./classes/Display/DAddCart.php:277
./classes/Display/DAddCart.php:1146
./classes/Display/DAddCart.php:1161
./classes/Display/DAddCart.php:1326
./classes/Display/DAddCart.php:1341
./classes/Display/DUserAccount.php:1216

Most major and obvious SQL injection bugs are fixed with our patch to the
Assembler.php file; however we are not willing to vouch that there are no
SQL injection vulnerabilities in our patched version. This is only our
initial analysis and as such it is not complete. This is simply what we
were able to find and fix on our "first pass".


--- Our Patchset ---
While we have applied some best-effort hotfixes here, it is highly
recommended to move to a software platform whose vendor takes security
more seriously until the vendor officially patches these bugs amongst
others. Serious code review and standard enforcement are both lacking and
needed by this vendor.

The diff is provided as follows:

[root@temp Core]# diff Assembler.php Assembler_New.php
47c47,73
<
---
>
> if (isset($_POST['prodid'])) {
> if (is_array($_POST['prodid'])) {
> foreach ($_POST['prodid'] as $key => $value) {
> $_POST['prodid'][$key] = abs((int)$value);
> }
> } else {
> $_POST['prodid'] = abs((int)$_GET['prodid']);
> }
> }
>
>
> if (isset($_POST['qty'])) {
> if (is_array($_POST['qty'])) {
> foreach ($_POST['qty'] as $key => $value) {
> $_POST['qty'][$key] = abs((int)$value);
> }
> } else {
> $_POST['qty'] = abs((int)$_GET['prodid']);
> }
> }
>
> if (isset($_POST['variations']))
$_POST['variations'] = abs((int)$_POST['variations']);
> if (isset($_GET['prodid'])) $_GET['prodid']
= abs((int)$_GET['prodid']);
> if (isset($_POST['subId'])) $_POST['subId']
= abs((int)$_POST['subId']);
>
>
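
Review bot: The scalar else branches for prodid and qty read the wrong
source: "$_POST['prodid'] = abs((int)$_GET['prodid']);" and
"$_POST['qty'] = abs((int)$_GET['prodid']);" overwrite the posted value
with the GET product id instead of sanitizing what was posted, so a
non-array POST quantity becomes whatever prodid is in the query string (or
0 when it is absent). These should cast $_POST['prodid'] and $_POST['qty']
respectively. Separately, the three one-line casts for variations, prodid
and subId have no is_array() check, and in PHP a non-empty array cast to
int yields 1 rather than being rejected; rejecting non-scalar input there
would be stricter.
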
240c266
< ?>
\ No newline at end of file
---
> ?>

Again, we would like to stress that this is NOT a guarantee of the
security of this product. This simply fixes the SQL injection
vulnerabilities we were able to discover on our first glance. If we were
able to discover these at-a-glance then imagine what could potentially be
in the wild.

GitHub pull request: https://github.com/ZeusCart/zeuscart/pull/23
Full Advisory: http://breaking.technology/advisories/CVE-2014-3868.txt

- Breaking Technology Staff

