Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ishopcart-cgi-bof.c.txt

🗓️ 03 Jun 2006 00:00:00Reported by awarenetwork.orgType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

Buffer overflows and directory traversal found in ishopcart CGI written in C. Exploit code for connect back shell available, posing remote code execution threat

Code
`Vendor: ishopcart inc  
Vendor Site: ishopcart.com  
Vendor Status: notified via telephone  
  
While spending a night auditing I have found 2 buffer overflows and 1  
directory traversal in the ishopcart cgi, which is written in C.   
  
The directory traversal is caused by how the cgi chooses to show pages.  
If, for example, the CGI is tould to show an order form, the order  
form's name is taken as argv[1] and opens this file and prints it, ie:  
  
/cgi-bin/easy-scart.cgi?../../../../../../../etc/passwd  
  
The first buffer overflow is in main()'s szTmp[100] variable. argv[1] is  
placed in this variable through a sprintf, although no check is made on  
the size of argv[1] before putting it in szTmp:  
  
sprintf(szTmp,"%s",argv[1]);  
  
The other buffer overflow (of which I have succesfuly exploited) lies in  
main() also, but is overflowed in vGetPost(). char szBuf[4000]; is  
passed to vGetPost() under the circumstance that argv[1] contains  
specific criteria. vGetPost() reads POST data until the word "Submit" is  
encountered, doing absolutely no bounds checking on the ammount of data  
supplied.  
  
When notified via telephone, the author claimed to be in the process of  
fixing these errors, and at the same time took ishopcart.com offline.  
Provided is the exploit code that spawns a connect back shell. It has been tested both localy and remotely  
and has proved to work 100%  
  
The real issue lies in the fact that this is a shopping cart system.  
Also, since this is a cgi script, apache forks before executing it and  
hence does not die on unsuccessful attempts, meaning that combined with  
a massive 4000 NOP buffer, brute forcing of the offset is possible  
leading to a theoretical 100% probability of remote code execution.  
  
The good news is that this program doesn't seem to be common. If you you  
would like to view the site and the code, search 'ishopcart' on google  
and click it's cached link, then hit the source code link and you'll see  
easy-scart.c through easy-scart6.c (all, of which, are vulnerable)  
  
--K-sPecial  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Jun 2006 00:00Current
7.4High risk
Vulners AI Score7.4
vendor notificationbuffer overflowdirectory traversalvulnerable cgiconnect back shellremote code executionexploit codeishopcart cgisecurity threatsource code.
22