Securing Open Source: CVE-2019-18608

Cezerin is a React and Node.js based eCommerce platform. Affected versions of this package are vulnerable to improper access control.

โš™๏ธ Description

The vulnerability exists in the checkout page which allows an attacker to send extra parameter values e.g `paid`, which result in manipulating the order status to paid (without paying anything)

๐Ÿ’ป Technical Description

Following the provided PoC by cloudz leads to src/api/server/ajaxRouter.js .ย The route is responsible for checking the order id in the cookie. If there is an order id then it calls api.orders.checkout in cezerin-client module.

The cezerin-client sends the request to the order API route.

File: node_modules/cezerin-client/lib/api/orders/orders.js

and if we look into the order api file we can see that it call checkoutOrder function

File: src/api/server/routes/orders.js

The checkout function calls the updateOrder function. The update function sends the Object (data)to getValidDocumentForUpdate, this function is for generating orders and it does have certain attributes that if provided can result in order manipulation e.g `paid` `shipping_discount` `shipping_price` `tax_rate` etc..

File: src/api/server/routes/orders/orders.js

The solution I come up is to only send the data to the function that is required from the user any extra value if being sent will be overridden with undefined value and there is already a check for an undefined value in the getValidDocumentForUpdate function which does check it through the server-side

๐Ÿ› Proof of Concept (PoC)

1. Add any item to the chart and checkout.

2. Add additional attributes (e.g., paid, tax_rate, shipping_price, shipping_discount, etc.) to the user input field in the request. In my case I added `paid`

PUT /ajax/cart HTTP/1.1

Host: localhost:3001

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/json

Content-Length: 752

Origin: http://localhost:3000

Referer: http://localhost:3000/checkout

Connection: close

Cookie: referrer_url=s%3Ahttp%3A%2F%2Flocalhost%3A3002%2Fproduct%2F5ebf904f019a46570832cb1f.YDyXRnpoWg0Cn6i%2BL2kx2UETY0PqY8%2BXWJ5LPCyoJ%2Fo; landing_url=s%3Ahttp%3A%2F%2Flocalhost%2F.tyZ3uwyR9gAuGEJzxP6kxtZ8cXlAsZTbPH6NKLaAhHk; order_id=s%3A5ebfc8fe30e7a22e0884afdf.bmuz92dPI6fLGaNVOxXckNXktUZDtsBNFR1z2pb4NXA




{"shipping_address":{"address1":"Testbug street","address2":"Testbug street","city":"testbug","country":"US","state":"TESTBUG","phone":"","postal_code":"00001","full_name":"","company":"","tax_number":"","coordinates":{"latitude":"","longitude":""},"details":null},"billing_address":{"address1":"","address2":"","city":"","country":"","state":"","phone":"","postal_code":"","full_name":"","company":"","tax_number":"","coordinates":{"latitude":"","longitude":""},"details":null},"email":"[email protected]","mobile":"+11312312312","first_name":"Testbug","last_name":"Testbug","password":"http://localhost:3000/checkout","payment_method_id":"5ebf904f019a46570832cb29","shipping_method_id":"5ebf904f019a46570832cb28","comments":"", "paid": true}

3. The status of the order is set as paid without payments.

๐Ÿ”ฅ Proof of Fix (PoF)

1. Add any item to the chart and checkout.

2. Add additional attributes (e.g., paid, tax_rate, shipping_price, shipping_discount, etc.) to the user input field in the request. In my case I added `paid`

3. The status of the order is not set as paid without payments.

๐Ÿ‘ User Acceptance Testing (UAT)

– Add `tax_rate` , `shipping_price`, `paid` , `payment_token` etc.. in the request.

Original Pull Request 418sec#1

 

Securing Open Source: CVE-2020-7688

mversion is a cross packaging manager module version handler/bumper. Affected versions of this would allow attackers to execute unexpected, dangerous commands directly on the operating system.

What is Command Injection?

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization. (Portswigger)

โš™๏ธ Description

The vulnerability exists in the tagName user input, which allows an attacker to execute remote commands.

๐Ÿ’ป Technical Description

The issue occurs in the tagName user input, the input is formatted inside the exec function in #L64 and is executed without any checks.

File: lib/git.js

The occurrence of this vulnerability is caused due to the usage of the exec() function. In general, exec allows us to execute more than one command on a shell. When using exec, if we need to pass arguments to the command, they should be part of the whole command string. Which in this case, we could execute separate commands if we use shell command separator which would result in command injection.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Proof of Concept

ย Since the application implements no defenses against OS command injection, an attacker can submit the following input to execute an arbitrary command

The command executed by the application is:

The touch command is used to create a file in Linux and is a useful way to test for some types of OS command injection. The ; character is a shell command separator, and so what gets executed is actually two separate commands one after another. As a result, a file name “hbkhan” will be created.

๐Ÿ”ฅ Fix

The following code would call escapeQuotes function. The function is responsible for sanitizing the input value.

Disclosure Timeline :

  • 24 June 2020: Issue reported to the author through Github
  • 24 June 2020: Proposed a Fix
  • 24 June 2020: Pull Request Accepted
  • 01 July 2020: CVE Published CVE-2020-7688
 

A design flaw that allows a user to cheat in Offensive Security Exams

Jul 2018 Offensive Security announced online exam proctoring. Since then all of the Offensive Security certifications exams are being monitored to prevent cheating. When I was giving exam Offensive Security Web Expert (OSWE), I thought about checking for a design flaw in the proctor session. I found out that when you click on “END EXAM” it only ends the proctor session but not the VPN session, so you could still access the environment without proctoring session. This might look a simple flaw, but it could hurt the integrity part of CIA triad (Confidentiality, integrity and availability). All the resources that Offensive Security spends on proctoring session is useless and it compromises the prestige and value of the certs.

Note: This vulnerability was reported four months ago to Offensive Security but they seems to not care about fixing this.

Update: Offensive Security has fixed this design flaw vulnerability.

Description:

This is a design flaw in the proctor session. The flaw exists in the “END EXAM” functionality

Expected Behavior:

The “END EXAM” functionality should end the VPN session of the user

Current Behavior:

The “END EXAM” functionality is just ending the user’s proctor session but not the VPN session. The user can still access the provided machines without proctor session.

If the user ends the webcam session, the user can still access the VPN, which means the session never ended

PoC:

1- Click on END EXAM

2- After ending the exam, the system will log you out

After ending the exam, I tried to log in multiple times, but it was giving an error Invalid OSID/MD5 Value

So I tried to check my VPN connection to make sure if I can still access the provided machines. What I did was disconnected my VPN, reconnect, and then try to access the machines, and I was successfully able to connect the provided machines (After ending my exam).

I finished the exam after 12 hours, and I was able to access the machines for the next 36 hours, I only lost the access after the 48 hours exam time limit.