Vulners
Lucene search
Epicor Retail Store Help System 3.2.03.01.008 Code Execution
🗓️ 03 May 2015 00:00:00Reported by Joseph Zeng XianboType 
packetstorm🔗 packetstormsecurity.com👁 58 Views
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Epicor CRS Retail Source File Manipulation Local Command Execution Vulnerability | 7 May 201500:00 | – | cnvd |
 | CVE-2015-2210 | 6 Sep 201721:00 | – | cve |
 | CVE-2015-2210 | 6 Sep 201721:00 | – | cvelist |
 | EUVD-2015-2317 | 7 Oct 202500:30 | – | euvd |
 | CVE-2015-2210 | 6 Sep 201721:29 | – | nvd |
 | Command injection | 6 Sep 201721:29 | – | prion |
 | Code Injection in Epicor Retail Store 3.2.03.01.008 | 11 May 201500:00 | – | securityvulns |
| Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 11 May 201500:00 | – | securityvulns |
`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Title: Code Injection in Epicor Retail Store Help System
CVE: CVE-2015-2210
Vendor: Epicor
Product: CRS Retail Store v3.2.03.01.008
Affected version: 3.2.03.01.008
Reported by: Zeng Xianbo Joseph ([email protected])
Issue identified by: Zeng Xianbo Joseph and Alshi Shantanu
OVERVIEW
By design, the POS software requires a higher privileged user (e.g. remote supervisor) to authorize running system commands on the operating system. These include shutting down the system, launching task manager or running arbitrary system commands. An authorized user must successfully provide the correct response code to a challenge code presented by the CRS RetailStore software. This can be bypassed by exploiting the vulnerability identified below.
_______________________________________________________________________
STEPS TO IDENTIFY VULNERABILITY
- From the POS main screen,
1. Click F1 Help button
2. Click F5 Void Last Item
3. Right click on Help window
4. Click View Source
5. Insert some JavaScript into the HTML file which creates a button to spawn a command shell
6. Save file
7. Right click on Help window
8. Click Refresh
9. Click the newly created button that will spawn a shell
10. If a prompt appears asking for permissions to run ActiveX, click Yes
During the test, the system was observed to run the Windows command prompt on Windows XP Embedded. This was performed using an ActiveX JavaScript payload.
_______________________________________________________________________
RECOMMENDED ACTIONS
For systems which are using the affected software, the following actions are advised:
* Upgrade affected systems to the latest stable version of CRS Retail Store
* Consider upgrading Windows operating systems to later stable versions such as Windows Embedded 8.1 Industry
* Ensure proper network segmentation and firewalls are configured and placed correctly for networks containing such systems
_______________________________________________________________________
TIMELINE
All times provided in GMT +8
2014 July: Security issue found on CRS Retail Store software. Issue reported to vendor for fix through Epicor client. April 2015 given as date for completion of patch deployment.
2015 Feb 17: Email sent to [email protected] to confirm that the vulnerability had been fixed. There was no reply.
2015 Feb 28: Email sent to [email protected] for update on earlier email. There was no reply.
2015 Mar 4: Request sent to CVE assignment team, MITRE CVE Numbering Authority for CVE identifier
2015 Mar 5: CVE-2015-2210 is assigned by CVE assignment team, MITRE CVE Numbering Authority
2015 Mar 18: Call made to Epicor Corporate HQ (+15123282300) at 10:01:39 PM. Recipient of call did not seem to understand about security issue.
2015 Mar 21: Issue reported to CERT(R) Coordination Center. Issue tagged as VU#255588.
CERT Vulnerability Analysis Team declines to publish issue due to local exploitation and advises that
"if the vendor is unresponsive, publishing via SecurityFocus or another mailing list after some time (we recommend allowing 45 days for a vendor response) is an option."
2015 May 2: Security advisory released for the purpose of preventing such attacks by notifying public of need to mitigate vulnerability.
_______________________________________________________________________
SEVERITY RATING
CVSS v2 Score: 5.3 (AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
CVSS v3 Preview 2 Score: 6.7 (CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Official patch assumed for this calculation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVRG4rAAoJEC7dR+igIW6k/HYH/R7QJKw5ycI8dHeWco3I6Bew
ZN+cyv/a2sLNAgGCAJHkCsDd5moK6t7ZJMbGlKLp06B/95Ya4bkctZESzRUo2qwk
NRiwy8SjypIvR/S5cqfHNN4SVKGYac+3T7vcSrgBT6HQ5fqJihEGwe6sfJJyTlON
ksfwjX8/xt0823wP8+3nhcNyScYtmkKMNzmy9uwZzSUPgKNDoGgMQtAmyCMSKcj6
JwWytUylfebHozisG+X4hWGqGf7zGQVw4pCwD2o3Bo4db5MHhmYqL8guSYPjRF6a
As8nu4gW88w5YGBvdLzgkFLsMUQ3FUhTQqD5zC7Hx0aLuPjys2lFzXVhD7Jdi28=
=dHZo
-----END PGP SIGNATURE-----
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 May 2015 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.00632