UNIVERSITY OF TARTU FACULTY OF SCIENCE AND TECHNOLOGY INSTITUTE OF COMPUTER SCIENCE INFORMATICS. CVE Hiie-Helen Raju

Transcription

1 UNIVERSITY OF TARTU FACULTY OF SCIENCE AND TECHNOLOGY INSTITUTE OF COMPUTER SCIENCE INFORMATICS CVE Hiie-Helen Raju Tartu 2017

2 Contents Introduction... 3 Vulnerability description... 3 Threat and exploitation... 3 Solution... 4 References

3 Introduction Symphony CMS is a XSLT-powered open source content management system (CMS). (Symphony, n.d.) It provides users with tools for creating web applications. Symphony offers users an already set up project template where many things have already been implemented. In the project the toolkit package contains AuthorManager class, which manages Author type objects which differ from Manager type objects as they are stored in a database not in the file system. CRUD methods are implemented to allow Authors to be created (add), read (fetch), updated (edit) and deleted (delete). (Symphony CMS API, n.d.) Normally these methods can only be used by authenticated administrators to get their own data from the database. Vulnerability description CVE is a SQL injection vulnerability in Symphony CMS before version SQL injection is a common web hacking technique in which the attacker instead of inserting data inserts a malicious code with a SQL query into the software (for example a text field). The most common way is getting user data from other users with the following method. Example of SQL injection As 1=1 is always true, the request will always go through and all content from Users table will be returned. In CVE the injection could be inserted through the HTTP GET sort parameter as arbitrary SQL commands. Threat and exploitation In Symphony, CVE allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. (CVE , n.d.) In Symphony the vulnerability existed (has now been fixed) because the filtration of HTTP GET parameter sort was not sufficient. SQL commands could be executed in the application database by an 3

4 authenticated administrator, including some that are not the designated use. (HTB23148 Security Advisory, n.d.) This Proof of Concept code would create a /var/www/file.txt file with user information from the authors table with logins, password hashes etc. There is another exploitation option for this vulnerability. Via CSRF (Cross-Site Request Forgery) vector and this time by a non-authenticated attacker. The attacker could trick any authenticated administrator to visit a site with the following exploit code. (HTB23148 Security Advisory, n.d.) SQL injection worked here so that the attacker used id%20into%20outfile%20%27/var/www/file.txt%27%20--%20 as the sort parameter value for the request. This would send it to the database which assumes that the content of this line is simply a sort request. While in reality the content sorts and asks for content to be written into a file. The file could be reached after from This is based on the assumption that the web server serves content from the /var/www directory which is common in Unix-based systems. If this does not work, then other possible paths could be tried out. Solution To solve this kind of SQL injection the request has to be checked to match the type of input parameter that the developers wish to give the query. This means that a back-end validation has to be implemented in code level. The developers fixed this vulnerability in the next patch (2.3.2). There were two lines added the AuthorManager class code to fix this. The main idea behind them was to check the data type before it is passed on to the query. The sort parameter is stored in the $sortby variable and is checked to be null before id is assigned to the variable. If it is not null, then it is passed on to another method that cleans it before using it in the query. The order parameter is stored in $sortdirection variable and its content and type are compared to the string ASC. If it does not match, the value is replaced by DESC. 4

5 Source code for the vulnerability fix (Fix code in repository, n.d.) If the previously mentioned attack is used after this fix it will create a syntax error. The line id%20into%20outfile%20%27/var/www/file.txt%27%20--%20 is URL encoded and if it is to be decoded the %27 would translate as ' (one quotation mark). The cleanvalue method adds a backslash (\) before the quotation marks which renders the command syntax incorrect. (CleanValue code, n.d.) This fix is not the best solution for the SQL injection vulnerability (in the author s opinion) as there may be other injections that this might not protect against. The entire fetch method is as follows. Source code for the entire method (Fix code in repository, n.d.) A more thorough fix would be if the ORDER BY %s %s line would be changed into ORDER BY `%s` %s This would ensure that the id is an identifier and the id%20into%20outfile%20%27/var/www/file.txt%27%20--%20 part of the query would be read as `id INTO OUTFILE '/var/www/file.txt' -- ` (the entire line would be the id). However, this is not enough, as the ` mark could be added into the line. Therefore, the code should delete the ` marks from the line itself in the same method that it currently adds \ to the front of the marks. 5

6 References CleanValue code. (n.d.). Retrieved from 2/blob/6c8aa4e9c810994f ce50f468/symphony/lib/toolkit/class.mysql.php CVE (n.d.). Retrieved from Fix code in repository. (n.d.). Retrieved from 2/commit/6c8aa4e9c810994f ce50f468 HTB23148 Security Advisory. (n.d.). Retrieved from Symphony. (n.d.). Retrieved from Symphony CMS API. (n.d.). Retrieved from Symphony sort parameter SQL injection. (n.d.). Retrieved from 6