ZeusCart 4.x Remote SQL Injection

Packet Storm ID: PACKETSTORM:127196
Author: Kenny Mathis
Published: Jun 25, 2014
Source: packetstormsecurity.com

EPSS: 0.003 (percentile 71.3%)

`On May 27th our research labs discovered a vulnerability (CVE-2014-3868) in an e-commerce shopping cart application known as "ZeusCart". The same day, we reported this vulnerability to mitre.org and the CVE was assigned. We were able to get in touch with the vendor with a confirmed response relatively quickly (May 29).

We attempted to contact them again on June 4 and June 17. They have not since responded.

Since then there have been multiple pushes and merges to the project's master branch on github; the security issue still has not been addressed despite the fix being a single, simple line of code. This copy-paste fix could have been implemented extremely quickly and easily, and the vendor has pushed many updates since their notification. When initially disclosing this, we gave them a time period of 14 days before we would publish it. Because they responded to us positively, we gave them extra time to fix it. At this point, seeing that they continue to update the software past the 14 day window without implementing a ten second fix leaves us little alternative to our present course of action.

As per our Actionable Intelligence Must Beget Overzealous Timing (AIMBOT) policy, this report is being released in the hopes that vendor negligence and potential incompetence may be appropriately addressed. Responsible disclosure includes the responsibility to be transparent with consumers and the responsibility to consumers to prevent them from being harmed.

Before we get into any specific vulnerability, we would like to compliment this vendor on their UI development. The responsive HTML5 layout is certainly an excellent piece of code.

While the vendor has amazing interface developers, their database architects are as poor at databasing as their UI developers are good at interfacing.

Our initial analysis of the software in question, including CVE-2014-3868 and several other vulnerabilities, follows below. Weaponized exploit samples for this software will NOT be made available by ourselves, as weaponizing exploits affecting this type of application is contrary to the spirit of consumer protection. We will attempt to provide diffs for each thing we were able to easily patch at the end of this document; however this is not a guarantee of the future safety of this third-party-patched product.
  
  
--- CVE-2014-3868 ---  
Assigned:  
27 May 2014 (Submitted to Vendor May 29)  
  
Status:  
Vendor Ignored, see suggested fix below.  
  
Classification:  
Blind SQL Injection  
  
Exploit Complexity:  
Low  
  
Severity:  
High  
  
Description:
A blind SQL injection vector exists in the current addtocart functionality of the latest version of ZeusCart.
  
Required information for attack to be successful:  
* valid product id  
* valid session ID  
  
PoC:
* Requires a valid session id and a numeric product id.
* The following bash commands cause the target page to sleep for 13 seconds, while the expected inputs have a near-instant response time. The injected spaces have to reach the server percent-encoded (%20); write them that way in the URL if your curl does not encode them for you, since a raw space in the request line is rejected by the web server.

# export SESSID="YOURSESSIONID, CHANGE THIS";
# export PROD_ID="Numeric Product ID";
# time curl -d "addtocart=${PROD_ID}" -b "PHPSESSID=${SESSID}" \
"http://zeuscart_install/index.php?do=addtocart&prodid=${PROD_ID} and sleep(1)"
  
Suggested Action:
At the top of CAddCart.php, line 32 (just after the comments and before the definition of the class), add the following line of code:
  
$_GET['prodid'] = abs((int)$_GET['prodid']);  
  
  
--- Initial Analysis ---  
The first thing we noticed was that Zeuscart uses Bin/Core/Assembler.php to automatically iterate over each user input and run "mysql_real_escape_string" on everything. While the comments call this "power security", it is not. Escaping only rewrites quote, backslash and a few control characters, so inputs that are not wrapped in quotes (integer ids, quantities and the like) are not in any way protected: a value such as "1 and sleep(1)" passes through the escaper unchanged and is concatenated straight into the query. The mysql_* extension this relies on has also been deprecated since PHP 5.5. Two better ways to implement "power security" include using PDO with parameterized statements, or an ORM that sanitizes inputs according to the datatypes recorded in the information_schema database.
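The escaping-versus-typing point above, together with the advisory's suggested one-line fix, as an added example that is not ZeusCart code or the advisory's patch: a stand-in for the Assembler.php escaper is applied to a product-id payload and concatenated into an unquoted WHERE clause, beside the `abs((int) ...)` normalisation and a PDO prepared statement with a typed bound parameter. It runs offline against an in-memory SQLite database through PDO (assumed available via the pdo_sqlite extension); because SQLite has no sleep(), a boolean payload stands in for the time-based one in the PoC, and the table, its rows and all function names are constructed for the example.

```php
<?php
// Added example, not ZeusCart code: why escaping every input does not
// protect an unquoted integer, and what does. Runs offline against an
// in-memory SQLite database through PDO (assumes the pdo_sqlite extension).
// SQLite has no sleep(), so a boolean payload stands in for the PoC's.

// Stand-in for the Assembler.php pre-filter. mysql_real_escape_string()
// only rewrites quotes, backslashes and a few control bytes; it is
// emulated here because the mysql_* extension no longer exists in PHP 7+.
function legacy_escape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Constructed sample table standing in for the shop's product catalogue.
function build_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO products (id, name) VALUES (1, 'mug'), (2, 'shirt'), (3, 'hat')");
    return $pdo;
}

// Vulnerable pattern: the escaped value is concatenated into an unquoted
// slot, the same shape as the CAddCart.php queries listed above.
function lookup_vulnerable(PDO $pdo, string $prodid): array
{
    $sql = 'SELECT id, name FROM products WHERE id = ' . legacy_escape($prodid);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 1: the advisory's one-liner. The cast keeps only the leading
// integer of the input ("1 OR 1=1" becomes 1, "abc" becomes 0), so
// nothing but digits can reach the query text.
function lookup_cast(PDO $pdo, string $prodid): array
{
    $id  = abs((int) $prodid);
    $sql = 'SELECT id, name FROM products WHERE id = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2: a prepared statement with a typed bound parameter. The driver,
// not string concatenation, places the value, so it cannot alter the
// query's structure; the cast just makes non-numeric junk fail closed.
function lookup_prepared(PDO $pdo, string $prodid): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', (int) $prodid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo     = build_db();
$payload = '1 OR 1=1';   // no quotes or backslashes, so the escaper leaves it intact

printf("escaped payload : %s\n", legacy_escape($payload));
printf("vulnerable      : %d row(s)\n", count(lookup_vulnerable($pdo, $payload)));
printf("int cast        : %d row(s)\n", count(lookup_cast($pdo, $payload)));
printf("prepared        : %d row(s)\n", count(lookup_prepared($pdo, $payload)));
```

Run it with `php` from the command line: the escaped payload comes back identical to what went in, the vulnerable lookup returns every product row instead of one, and the two fixed lookups return only product 1. When porting the prepared-statement form to PDO_MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the server, rather than client-side interpolation, does the binding.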
  
We were able to identify a number of SQL injection vulnerabilities which involved integer handling bugs. The following functions are vulnerable through the following parameters:

classes/Core/CUserNewsLetter.php:
* addNewsLetter() : $_POST['subId'] (line 72)


classes/Core/CAddCart.php:
* addCartFromProductDetail() : $_GET['prodid'] (lines 238, 379)
* addCartFromProductDetail() : $_POST['variations'] (line 273)


Eventually we stopped actually looking through CAddCart.php and just ran a fancy grep to find queries that had string-concatenated inputs that weren't wrapped in quotes. The results were kind of scary, so for CAddCart.php we simply made a list of vulnerable integer inputs with some magical bash:
* $_GET['prodid']
* $_POST['variations']
* $_POST['prodid'][$i]
* $_POST['qty'][$i]
* $_POST['qty']
  
Our greps also returned a fairly large number of other vulnerabilities. The following filenames and line numbers showed as vulnerable for one reason or another; we are limiting the information here due to the severity of the bugs.
./classes/Core/CAddCart.php:91  
./classes/Core/CAddCart.php:115  
./classes/Core/CAddCart.php:138  
./classes/Core/CAddCart.php:238  
./classes/Core/CAddCart.php:273  
./classes/Core/CAddCart.php:734  
./classes/Core/CAddCart.php:742  
./classes/Core/CAddCart.php:749  
./classes/Core/CAddCart.php:756  
./classes/Core/CAddCart.php:757  
./classes/Core/CAddCart.php:762  
./classes/Core/CAddCart.php:783  
./classes/Core/CAddCart.php:789  
./classes/Core/CAddCart.php:905  
./classes/Core/CUserNewsLetter.php:72  
./classes/Display/DAddCart.php:277  
./classes/Display/DAddCart.php:1146  
./classes/Display/DAddCart.php:1161  
./classes/Display/DAddCart.php:1326  
./classes/Display/DAddCart.php:1341  
./classes/Display/DUserAccount.php:1216  
  
Most major and obvious SQL injection bugs are fixed with our patch to the Assembler.php file; however, we are not willing to vouch that there are no SQL injection vulnerabilities in our patched version. This is only our initial analysis and as such it is not complete. This is simply what we were able to find and fix on our "first pass".
  
  
--- Our Patchset ---  
While we have applied some best-effort hotfixes here, it is highly recommended to move to a software platform whose vendor takes security more seriously until the vendor officially patches these bugs amongst others. Serious code review and standards enforcement are both lacking and needed at this vendor.

The diff is provided as follows:
  
[root@temp Core]# diff Assembler.php Assembler_New.php  
47c47,73  
<  
---  
>  
> if (isset($_POST['prodid'])) {  
> if (is_array($_POST['prodid'])) {  
> foreach ($_POST['prodid'] as $key => $value) {  
> $_POST['prodid'][$key] = abs((int)$value);  
> }  
> } else {  
> $_POST['prodid'] = abs((int)$_GET['prodid']);  
> }  
> }  
>  
>  
> if (isset($_POST['qty'])) {  
> if (is_array($_POST['qty'])) {  
> foreach ($_POST['qty'] as $key => $value) {  
> $_POST['qty'][$key] = abs((int)$value);  
> }  
> } else {  
> $_POST['qty'] = abs((int)$_GET['prodid']);  
> }  
> }  
>  
> if (isset($_POST['variations']))  
$_POST['variations'] = abs((int)$_POST['variations']);  
> if (isset($_GET['prodid'])) $_GET['prodid']  
= abs((int)$_GET['prodid']);  
> if (isset($_POST['subId'])) $_POST['subId']  
= abs((int)$_POST['subId']);  
>  
>  
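Review bot: the two scalar else branches in this hunk read the wrong superglobal. `$_POST['prodid'] = abs((int)$_GET['prodid']);` and `$_POST['qty'] = abs((int)$_GET['prodid']);` overwrite a scalar POST prodid or qty with the GET prodid, so a request that only posts them has both forced to 0 (with an undefined-index notice, a warning on PHP 8, when no GET prodid is present), and a posted qty is replaced by the product id even when a GET prodid does exist. They should read `$_POST['prodid'] = abs((int)$_POST['prodid']);` and `$_POST['qty'] = abs((int)$_POST['qty']);`, matching the array branches directly above them. Separately, this is an allowlist of five parameter names applied in a global pre-filter, so any integer parameter not named here keeps the old unquoted-concatenation behaviour (the DAddCart.php and DUserAccount.php grep hits listed earlier are not obviously covered); that limitation deserves a comment in the patched file, not only in the advisory text.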
240c266  
< ?>  
\ No newline at end of file  
---  
> ?>  
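Review bot: the only change in this hunk is a newline after the closing `?>`. That is harmless, since PHP discards a single newline immediately following `?>`, but anything beyond that (a blank line or stray space) is sent to the client as output and breaks later header() calls; for a file that contains only PHP the safer habit is to drop the closing `?>` altogether.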
  
Again, we would like to stress that this is NOT a guarantee of the security of this product. This simply fixes the SQL injection vulnerabilities we were able to discover on our first glance. If we were able to discover these at a glance, then imagine what could potentially be in the wild.
  
Github pull request: https://github.com/ZeusCart/zeuscart/pull/23
Full Advisory: http://breaking.technology/advisories/CVE-2014-3868.txt
  
- Breaking Technology Staff  
  
  
  
  
`
