[Alert] New Remote Code Execution Vulnerability in All ECShop Products

  • Source: SANGFOR Security Center
  • Date Published: 2018-09-19

Summary

Definition From Encyclopedia

ECShop is an independent B2C online shop system that lets businesses and individuals quickly build personalized online stores. The system is based on PHP + MySQL and is developed as a cross-platform open source program. It is widely used for building individual online shops. ECShop has developed its own efficient template engine (versions earlier than 2.15 used the Smarty template engine), which is combined with Dreamweaver templates and library functions to make template creation easier. Users can customize and extend ECShop according to their own needs.

Summary

The vulnerability is caused by a variable on the display path of the user.php file in the ECShop system. The variable can be controlled remotely, which turns it into an injection vulnerability that attackers can exploit to execute code on the server. It is very dangerous: it allows attackers to obtain a webshell (getshell) and gain the highest privileges on the server.

The root cause of this vulnerability is in the user.php file. First, let’s take a look at the login operation in /user.php. The code at Line 308 reads the data passed in HTTP_REFERER and assigns it to the $back_act variable.

图片1.png

Next, the $back_act variable is passed to the assign function, which hands external variables to the template engine; the result is then rendered on the page via the display function.

图片2.png

We find the display function in the /include/cls_template.php file; the insert_mod function inside it is critical.

图片3.png

As shown below, the insert_mod function is at Line 1150 and returns a dynamic call. From the PoC details, we know that the function called is insert_ads.

图片4.png

Let’s follow up the insert_ads function. This function is in the /include/lib_insert.php file:

图片5.png

From the PoC file, we find that the $arr['id'] and $arr['num'] variables are input points that can be controlled remotely and are used to execute SQL statements when the attack vector is constructed.

At the end of the insert_ads function, the fetch function is called; this is the point where the vulnerability is triggered during code execution.

图片6.png

In the fetch function, an eval call is found. After the content has been processed by the fetch_str function, the vulnerability is finally executed here.

图片7.png
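The chain described above (Referer header → template variable → dynamic insert_* dispatch → SQL built from directive arguments → eval) is easiest to reason about as a small model. The PHP below is an added illustration written for this page, not ECShop’s own code: the function names, the ads table and the handler allow-list are assumptions chosen for the example. It places the vulnerable handling next to a hardened version so the three defensive controls are visible: treat the Referer as data rather than template source, dispatch only through an allow-list, and bind integer-validated parameters instead of concatenating them into SQL.

```php
<?php
declare(strict_types=1);

// Added example, not ECShop's code: a simplified model of the chain described
// above (Referer -> template variable -> insert_* dispatch -> SQL -> eval) with
// the vulnerable handling next to a hardened version. All function, table and
// variable names below are assumptions for illustration.

// ---------- Vulnerable pattern ----------

// 1. Referer copied verbatim into a template variable that the engine later parses
//    as template text, so directives inside it are honoured.
function vulnerable_back_act(array $server): string
{
    return $server['HTTP_REFERER'] ?? 'user.php';
}

// 2. Directive name used to build a function name and call it dynamically:
//    any insert_* function is reachable from template text.
function vulnerable_insert_mod(string $name, array $arr): string
{
    $func = 'insert_' . $name;
    return $func($arr);
}

// 3. Directive arguments concatenated into SQL with no type check.
//    The query string is returned rather than executed so the example runs offline.
function insert_ads(array $arr): string
{
    return "SELECT ad_id, ad_name FROM ads WHERE position_id = '" . $arr['id']
         . "' LIMIT " . $arr['num'];
}

// ---------- Hardened pattern ----------

// 1. Treat the Referer as data: accept only a same-host path made of safe
//    characters, otherwise fall back to a fixed default.
function safe_back_act(array $server, string $expectedHost): string
{
    $parts = parse_url($server['HTTP_REFERER'] ?? '');
    if ($parts === false || ($parts['host'] ?? '') !== $expectedHost) {
        return 'user.php';
    }
    // Strip anything that is not a plain path character (braces, quotes, etc.).
    return preg_replace('~[^A-Za-z0-9_./-]~', '', $parts['path'] ?? '/user.php') ?: 'user.php';
}

// 2. Allow-list of insert handlers instead of string-built function names.
function safe_insert_mod(string $name, array $arr): array
{
    static $handlers = ['ads' => 'safe_insert_ads'];
    if (!isset($handlers[$name])) {
        throw new InvalidArgumentException("unknown insert directive: $name");
    }
    return $handlers[$name]($arr);
}

// 3. Integer-only arguments and a parameterised query, returned as [sql, params];
//    in real code these go to PDO::prepare()/execute().
function safe_insert_ads(array $arr): array
{
    $id  = filter_var($arr['id'] ?? null, FILTER_VALIDATE_INT);
    $num = filter_var($arr['num'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 50]]);
    if ($id === false || $num === false) {
        throw new InvalidArgumentException('id and num must be integers in range');
    }
    return ['SELECT ad_id, ad_name FROM ads WHERE position_id = ? LIMIT ?', [$id, $num]];
}

// ---------- Demonstration with constructed input ----------
$server = ['HTTP_REFERER' => "http://shop.example/user.php?'{x"]; // constructed, not a real payload
echo "vulnerable back_act: ", vulnerable_back_act($server), "\n";
echo "hardened back_act:   ", safe_back_act($server, 'shop.example'), "\n";

$tainted = ['id' => "1' OR 1=1", 'num' => '1'];                    // constructed tainted arguments
echo "vulnerable SQL:      ", vulnerable_insert_mod('ads', $tainted), "\n";
try {
    safe_insert_mod('ads', $tainted);
} catch (InvalidArgumentException $e) {
    echo "hardened rejects:    ", $e->getMessage(), "\n";
}
[$sql, $params] = safe_insert_mod('ads', ['id' => '3', 'num' => '2']);
echo "hardened SQL:        $sql with params ", json_encode($params), "\n";
```

Run it with `php example.php`: the vulnerable path echoes the quote and brace characters from the Referer straight through and produces an SQL string containing the injected text, while the hardened path reduces the Referer to `/user.php`, refuses the non-integer id, and emits a placeholder query with bound integer parameters. The allow-list in safe_insert_mod is the control that closes the dynamic-call step the advisory highlights at insert_mod.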

Vulnerability Reproduction

To offer an intuitive view of the vulnerability, we use ECShop 2.7.3 to reproduce it.

First, follow the instructions to install ECShop 2.7.3 and reproduce the injected PoC of the vulnerability. After the Referer field and payload are added via Burp Suite, a response packet is obtained and the vulnerability is reproduced: the SQL statements are printed in the response page.

图片8.png

Then, by exploiting the SQL injection vulnerability, reproduce the operation of writing a webshell. First, modify the value in the Referer field. Next, inject the constructed PoC and then inject the command via SQL statements. We can see that the webshell is generated in the root directory; the 1.php file is the webshell, as shown below:

图片9.png

Reference

http://ringk3y.com/2018/08/31/ecshop2-x代码执行/


Solution

Remediation Solution

ECShop’s official website has released patches. You may click the link below to learn more:

http://bbs.ecshop.com/thread-1189867-1-1.html

Sangfor Solution

Sangfor Security Cloud was updated promptly and can now probe websites for this vulnerability to ensure user security.

For Sangfor NGAF customers, simply turn on the corresponding security protection feature.