An Overview of OpenCart CVE-2018-11495 & CVE-2018-11494 – RCE and Arbitrary File Download Vulnerabilities
OpenCart is a popular e-commerce solution, and much of that popularity can be attributed to its wide range of extensions, which give users significant flexibility. On the security front, however, multiple vulnerabilities have been discovered.
OpenCart was found vulnerable to an arbitrary file download and a remote code execution vulnerability. The arbitrary file download, designated CVE-2018-11495, was assigned a CVSS score of 4.0. OpenCart version 184.108.40.206 was found vulnerable. This article explains both vulnerabilities and the preventive measures to avoid them.
How OpenCart File Downloads Work: An Admin’s Perspective
Before looking at the vulnerability, let us first understand how the OpenCart file downloads work.
- Step 1: Normally, files are uploaded by the admin for other users to download.
- Step 2: Once the admin has uploaded the file, the server returns a particular filename, which is different from the upload name (see the picture for further clarification).
- Step 3: The program then automatically saves the name returned by the server as the download file option in the database. Whenever a user requests a particular file, the program looks it up in the database and fetches the corresponding file.
Everything seems neat so far, but the vulnerability lies in the download_id parameter of the download.php file, which we shall now analyze.
How OpenCart File Downloads Work: A Look Behind the Scenes
To take a deeper look at the vulnerability, let us first examine the code of the file www/admin/controller/catalog/download.php. This file made OpenCart vulnerable to directory traversal attacks. Let us look at the various chunks of code in this file to understand how files are handled in the background.
The edit() function in download.php checks the filename entered by the user. While checking whether the filename exists, this code also inspects the user input for anomalies, i.e. XSS attempts or suspicious characters, which could otherwise reach the database directly. The code in line 6 handles the POST data passed to the editDownload method.
This chunk of code in download.php edits the contents of the download table. The first line gets the filename and mask field data for the given $download_id and inserts it into the download table. The second line calls the mysql_real_escape_string function, which escapes the user input against SQL injection. The $download_id parameter of the editDownload() function thus allows an administrator to set the download file’s address to any string of their choosing.
The download() function of download.php concludes the process of downloading a file. It does so in four main steps.
- Step 1: Submits user input through the download_id parameter.
- Step 2: Searches for the record in the database and reads the filename field of the corresponding file.
- Step 3: Concatenates the filename to its basename and fetches the file from that address, verifying at the same time that the file exists.
- Step 4: Reads the contents of the file and sends them back to the user.
Now, if an attacker can change the stored address to something like ../../config.php, the file referenced via $download_id is served, allowing the attacker to download an arbitrary file: a directory traversal attack.
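As an added example (not OpenCart’s own code), here is how the download step can confine the filename read from the database to the downloads directory; DIR_DOWNLOAD is OpenCart’s constant for that directory, while the scratch directory and file used in the demo are constructed:

```php
<?php
// Added example, not OpenCart's own code: a confinement check for the
// download step described above. $baseDir stands for OpenCart's download
// directory (DIR_DOWNLOAD) and $filename for the value read from the download
// table, which may have been set to something like "../../config.php".

// Return the canonical path of $filename inside $baseDir, or null when the
// file does not exist or its resolved path escapes the directory.
function safe_download_path(string $baseDir, string $filename): ?string
{
    // Canonicalise the base once; realpath() collapses "..", symlinks and
    // repeated slashes, so the prefix comparison below is on real paths.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // An empty name or an embedded NUL byte is never a legitimate download.
    if ($filename === '' || strpos($filename, "\0") !== false) {
        return null;
    }

    $target = realpath($base . $filename);
    if ($target === false || !is_file($target)) {
        return null;
    }

    // The resolved target must still begin with the base directory;
    // "../../config.php" resolves outside it and is rejected here, as is
    // a symlink inside the directory that points elsewhere.
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demonstration: a scratch download directory holding one file.
$dir = sys_get_temp_dir() . '/oc_download_demo';
@mkdir($dir, 0700);
file_put_contents($dir . '/ebook.pdf', 'sample content');
var_dump(safe_download_path($dir, 'ebook.pdf'));        // string: full path
var_dump(safe_download_path($dir, '../../config.php')); // NULL
```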
OpenCart Directory traversal: Proof Of Concept
OpenCart allows certain products, such as PDF files and ebooks, to be sold as downloadable items in the store; this vulnerability relies on that feature. To conduct a directory traversal attack, we first log in as admin and set up the conditions necessary for the attack.
Setting the Environment
Visit the Admin Dashboard and then the ‘Downloads’ option. Fill in the Download Name and the other options as shown in the image below.
This is the crucial step for successful exploitation. In ‘Filename’, the admin enters the location of the file that is to be read from outside the www directory. For example, if config.php is two levels up from the current directory, the value entered is ../../config.php. Each ../ moves one directory level up, a path notation common on Linux systems. Note that an attacker could also trick the admin into entering these details via CSRF, XSS or other attacks in the background, but for this article we set the options explicitly.
Now the admin needs to visit Catalog > Products > Edit > Links > Downloads and set the product as downloadable. Complete customization of the product, including the quantity and other finer details, can be done from Catalog > Products > Edit.
Thereafter, visit System > Settings > Edit > Option > Processing Order Status & Complete Order Status and select all the options as shown in the image below.
The product is now set up and ready to be ordered. From here on, we proceed to exploit the attack vector we have created.
For successful exploitation, check that the product is visible in the products section. Now any user can simply purchase the product from the store; however, the user needs to be registered for checkout and billing.
Once the user has purchased the product, visit My Account > Downloads as shown in the image, and simply download the file.
When the attacker clicks download, config.php is downloaded automatically. This can be verified from the raw packets intercepted by the Burp Suite proxy for the URL http://192.168.*.*/index.php?route=account/download/download&download_id=5, as shown in the image below.
The OpenCart directory traversal attack is therefore relatively easy to conduct, although certain conditions must be met for successful exploitation. We shall now see how the OpenCart remote code execution attack works.
OpenCart Remote Code Execution
OpenCart 220.127.116.11 was also found vulnerable to a remote code execution flaw, designated CVE-2018-11494 and assigned a CVSS score of 6.0. The vulnerability was caused by an OpenCart feature known as the ‘program extension upload’. In this article, I explain the detailed steps (upload, install, unzip, move, XML and remove) that made OpenCart vulnerable to RCE, and later show how security measures such as a secret temp directory name can be bypassed to achieve RCE.
Prerequisites for Exploitation
To conduct a successful OpenCart RCE, the first thing to check is whether the file is uploaded under the root directory. If so, we proceed; otherwise, we need to set the upload directory to the root directory by modifying the $path parameter in the request packets, as shown in the image below.
Once we have changed the directory to root, we need to construct a malicious executable; in our case, a phpinfo.php file for test purposes. OpenCart provides a feature to upload extensions of our choice, but the OpenCart documentation says that the files must be suffixed with ‘.ocmod.zip’. So, to conduct an OpenCart RCE, we compress our malicious file into a ‘template.ocmod.zip’ package, as shown in the images below.
The Six Steps of RCE
The whole process of extension upload can be summed up in six steps: upload, install, unzip, move, XML and remove.
The last step is the crucial one. If we can somehow prevent the deletion of the file, our malicious file stays permanently on the server and can be used to conduct OpenCart RCE.
This image shows the request packet for the final ‘Remove’ step. If this step is skipped, the file stays on the server and can be accessed for OpenCart RCE. There is a minor setback, however: direct access to our file is not possible, because OpenCart by default appends 10 random characters to the folder name. This security measure is meant to block direct access to the folder. We shall now see how to bypass it and obtain the complete folder name.
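An added example, not OpenCart’s own code, of running the unzip and remove steps as one server-side routine so that the remove step is not a separate request the client can simply skip; the archive, the temp directory name and the phpinfo.php entry are constructed for the demo:

```php
<?php
// Added example, not OpenCart's own code: unzip and remove as one server-side
// routine that deletes the temp directory on every exit path, so a client
// cannot stop after "unzip" and leave phpinfo.php behind. Paths are constructed.
function remove_dir(string $dir): void
{
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir,
        FilesystemIterator::SKIP_DOTS), RecursiveIteratorIterator::CHILD_FIRST);
    foreach ($files as $f) {
        $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
    }
    rmdir($dir);
}
function install_extension(string $zipPath, string $tmpDir): array
{
    if (!mkdir($tmpDir, 0700, true)) {
        throw new RuntimeException("cannot create $tmpDir");
    }
    try {
        $zip = new ZipArchive();
        if ($zip->open($zipPath) !== true) {
            throw new RuntimeException("cannot open $zipPath");
        }
        $names = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            // Entries must stay inside $tmpDir: no absolute paths, no ".." (also rejects "a..b").
            if ($name === false || $name === '' || $name[0] === '/' || strpos($name, '..') !== false) {
                throw new RuntimeException("unsafe archive entry: $name");
            }
            $names[] = $name;
        }
        if (!$zip->extractTo($tmpDir)) {
            throw new RuntimeException('extraction failed');
        }
        $zip->close();
        // ... the move and XML steps would run here, in the same request ...
        return $names;
    } finally {
        remove_dir($tmpDir); // not a separate request the client can skip
    }
}
// Constructed demo: a template.ocmod.zip holding only phpinfo.php.
$zipPath = sys_get_temp_dir() . '/template.ocmod.zip';
$zip = new ZipArchive();
$zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('phpinfo.php', '<?php phpinfo();');
$zip->close();
$tmp = sys_get_temp_dir() . '/tmp-' . bin2hex(random_bytes(5));
var_dump(install_extension($zipPath, $tmp), is_dir($tmp)); // [phpinfo.php], bool(false)
```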
Bypassing the Roadblock
To obtain the complete path of our malicious file, we use a weakness in the background language management function. Setting the language code field to ‘../..’, which traverses two directory levels, reveals the folder path under the root directory and thereby gives away the random suffix we want. To accomplish this, visit System > Localisation > Languages > Edit and change the language code to ‘../..’ as shown in the image.
Given below are the request headers and the response headers obtained.
Our next step is to obtain all the file paths on the web system. To accomplish this, visit Design > Language Editor > Add. Here, add a new value for a key and select the language with code ‘../..’ (Hindi in this case).
Once we follow the above instructions, the Burp Suite proxy intercepts the raw packets for us; the request and response packets are given above. When we add a new key and value from the language editor using the language code ‘../..’, the response gives away the random suffix of the folder, as shown in the image. In our case, it was ‘gfRpPNAt0L’. Having obtained it, we have bypassed the security measure in place and can proceed to exploit.
Now that we have the 10-character random suffix (gfRpPNAt0L), we can access our malicious file by inserting the suffix into the folder name before the file name. Visiting the URL http://192.168.98.140/storage/upload/tmp-gfRpPNAt0L/phpinfo.php gives access to our file, as shown in the image below.
This was a simple phpinfo.php file, but in real-life scenarios attackers use customised scripts for various purposes.
These vulnerabilities could have been avoided if the developer had filtered user input in directory strings too. Moreover, crucial operations like installing extensions should be managed automatically in the backend. Neglect of safe development practices can lead to such vulnerabilities in popular open-source software. As a user, however, the best protection against such zero-day vulnerabilities is a security solution. Astra offers customized security solutions for OpenCart users. The Astra firewall can block malicious file uploads, keeping your site safe even while it is vulnerable. Astra also automatically updates your OpenCart to the latest version. With prices as low as $9, try it today!