lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 13 Nov 2009 23:42:59 -0000
From: "lsi" <stuart@...erdelix.net>
To: Tim <tim-security@...tinelchicken.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OS Commerce authentication bypass (ANONYMOUS
	REMOTE CODE EXECUTION)

> See also:  http://www.milw0rm.com/exploits/9556
> For those who can't read past three lines:  This results in ANONYMOUS
> REMOTE CODE EXECUTION due to the availability of the file manager
> script.

The file manager seems to be implicated in many attacks on the forums 
(maybe this is the bit that permits the uploading, and subsequent 
execution, of PHP code), however it is NOT required for a successful 
authentication bypass, for example the email functionality can be 
remotely accessed without using file manager.  The milw0rm crack uses 
the file manager, so it may or may not be the same vulnerability as 
the authentication bypass.  

> > Patch: no official patches known
> 
> Somehow, the osCommerce developers don't consider this important

And, yes, I did overlook the "Impact" section in my email, sorry 
about that, it's mainly because I'm not really sure, I haven't 
analysed the code, I have cleaned up a site, and did some research as 
part of that, and I saw enough to know that this is a nasty 
vulnerability, but I wouldn't want to get shot for saying that it, 
for example permitted remote code execution, when it didn't, I can 
verify that it can send emails and attempts some strange things with 
file manager, but that was when I zapped it, so I'm not sure what 
else is possible.  

I'm not sure if a bot cracked the site I cleaned, but the log does 
show 12 requests to admin pages in 5 seconds.   A human might 
generate that traffic, especially if there are redirects or 
background POSTs or page refreshes etc... or a bot might generate it, 
with slowness due to network overheads, CPU load etc, and/or a 
deliberate delay loop.  Certainly, it would be possible to automate.  

The payload on the site I cleaned was an email to all customers, 
which contained a link to a website which sent a redirect to the 
browser to go to another website... but that website was down, so I 
never saw the juicy bit.  Probably a malware furball of some 
description...  

As the file manager is not required, those folks who simply removed 
it are still vulnerable.  Also, yes, moving the admin folder does 
nothing, so those folks who did that are still vulnerable.  htaccess-
based authentication on the admin dir fixes the issue BUT means 
double logins for the admin, a rewrite rule could also fix it, with 
no double login, except I think there's already other cracks for OSC 
that mean htaccess in the admin dir is already compulsory....  

What I don't get is why the advice-givers on the OSC forums seem to 
think that everyone already has htaccess in the admin dir, as it's 
not part of the default install.

I too was surprised to find no warnings in red, or prominent notices 
anywhere on the OSC site, everything is all peaches and cream over 
there, while customer details including credit card numbers are 
lifted, carts are spiked with iframes, and spam is sent, en-masse. 
Why is there not a simple, straightforward guide from the developers 
about this?  I'm sure there is not a simple, straightforward answer 
but whatever, the crack is out there and in use, private data is 
exposed etc, so.. that's a Fail I think... in this thread, the 
Secunia advisory is discussed, yet here we are two weeks later, still 
trying to figure it out:  

http://forums.oscommerce.com/topic/347362-security-advisory/

> > This is not the CSRF issue CVE-2009-0408 as there is no CSRF used in 
> > the above attack.  Vulnerability #2 at 
> > http://secunia.com/advisories/33446/ (recently added) seems to be it, 
> > but I don't see why it's lumped in with the CSRF flaw...
> 
> 
> Yes, this very much adds to the confusion of the issue.  
> 
> Secunia: Please fix your listing.  CSRF is still an issue in the admin
> area, but the bigger (separate) issue is a complete authentication
> bypass in a badly designed /admin/ area.

Yes, I also think the Secunia listing needs fixing, aside from 
separating the access bypass into its own vulnerability, it also 
needs to be upgraded to extremely critical, as exploits are in the 
wild (this is their defintion of extremely critical, not mine).

So yes, in all quite dismal, the hole sux, the crackers suck, the 
support sux, even the vulnerability listing sux, and the scope seems 
to be widening all the time (the issue also seems to affect OSCMAX, 
and probably other forks as well, some of the sites have advisories, 
some don't).

Happy Friday 13th... ;)

Stu

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ