exploit the possibilities

Epicor Retail Store Help System Code Execution

Epicor Retail Store Help System Code Execution
Posted May 3, 2015
Authored by Joseph Zeng Xianbo

Epicor Retail Store Help System version suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2015-2210
MD5 | db4608045a3dd89f4f183d43377ead0c

Epicor Retail Store Help System Code Execution

Change Mirror Download
Hash: SHA256

Title: Code Injection in Epicor Retail Store Help System
CVE: CVE-2015-2210
Vendor: Epicor
Product: CRS Retail Store v3.
Affected version:
Reported by: Zeng Xianbo Joseph (webmaster@josephzeng.com)
Issue identified by: Zeng Xianbo Joseph and Alshi Shantanu

By design, the POS software requires a higher privileged user (e.g. remote supervisor) to authorize running system commands on the operating system. These include shutting down the system, launching task manager or running arbitrary system commands. An authorized user must successfully provide the correct response code to a challenge code presented by the CRS RetailStore software. This can be bypassed by exploiting the vulnerability identified below.


- From the POS main screen,
1. Click F1 Help button
2. Click F5 Void Last Item
3. Right click on Help window
4. Click View Source
5. Insert some JavaScript into the HTML file which creates a button to spawn a command shell
6. Save file
7. Right click on Help window
8. Click Refresh
9. Click the newly created button that will spawn a shell
10. If a prompt appears asking for permissions to run ActiveX, click “Yes”

During the test, the system was observed to run the Windows command prompt on Windows XP Embedded. This was performed using an ActiveX JavaScript payload.

For systems which are using the affected software, the following actions are advised:
* Upgrade affected systems to the latest stable version of CRS Retail Store
* Consider upgrading Windows operating systems to later stable versions such as Windows Embedded 8.1 Industry
* Ensure proper network segmentation and firewalls are configured and placed correctly for networks containing such systems

All times provided in GMT +8
2014 July: Security issue found on CRS Retail Store software. Issue reported to vendor for fix through Epicor client. April 2015 given as date for completion of patch deployment.
2015 Feb 17: Email sent to asiamarketing@epicor.com to confirm that the vulnerability had been fixed. There was no reply.
2015 Feb 28: Email sent to asiamarketing@epicor.com for update on earlier email. There was no reply.
2015 Mar 4: Request sent to CVE assignment team, MITRE CVE Numbering Authority for CVE identifier
2015 Mar 5: CVE-2015-2210 is assigned by CVE assignment team, MITRE CVE Numbering Authority
2015 Mar 18: Call made to Epicor Corporate HQ (+15123282300) at 10:01:39 PM. Recipient of call did not seem to understand about security issue.
2015 Mar 21: Issue reported to CERT(R) Coordination Center. Issue tagged as VU#255588.
CERT Vulnerability Analysis Team declines to publish issue due to local exploitation and advises that
"if the vendor is unresponsive, publishing via SecurityFocus or another mailing list after some time (we recommend allowing 45 days for a vendor response) is an option."
2015 May 2: Security advisory released for the purpose of preventing such attacks by notifying public of need to mitigate vulnerability.

CVSS v2 Score: 5.3 (AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
CVSS v3 Preview 2 Score: 6.7 (CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Official patch assumed for this calculation.
Version: GnuPG v2



RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By