Securin Zero-Days

CVE-2020-24600 – SQL Injection in CAPExWeb

Severity:High

Vendor

Shilpi

Affected Product

CAPExWeb

CVE

CVE-2020-24600

Securin ID

2020-CSW-01-1038

Status

Fixed

Date

July 1, 2020

Description

The GET request parameters in servlet/capexweb.cap_sendMail are vulnerable to SQL Injection. An unauthenticated user can take over the database of the application.

Proof of Concept (POC):

The following vulnerability was tested on CAPExWeb version 1.1 Product.

  1. Visit the /capexweb/capexweb URI on the server where the capexweb client is installed.

Figure-1: Default login page of the application.

  1. Now, fill the login form with the wrong details and submit them.

Figure-2: Login form with invalid credentials.

Figure-3: Response shows the credentials are invalid.

  1. From the error response, click on the “Forgot My User id or Password” link.

Note: We cannot navigate to the capforgotpassword.jsp directly, as the application takes the user id from the previously submitted request.

Figure-4: Response shows user-id as null if we navigate to capforgotpassword.jsp directly.

Figure-5: Forgot password page with user-id value submitted in the login page. Now, click on the send request button.

  1. The browser sends the following request to the server.

Figure-6: Forgot password request

Figure-7: Response from the server for invalid user id.

Figure-8: Replay of forgot password page with user-id value containing a single quote returns ORA string not properly terminated error message from the database.

 

Figure-9: Replay of forgot password page with user-id value containing two quotes returns valid error message from the application.

Figure-10: Replay of forgot password page with user-id value contains comments to truncate the query after user-id returns missing right parenthesis from the database server.

Figure-11: Replay of forgot password page with user-id value contains a single quote and right parenthesis returns quoted string not properly terminated error message from the database server.

Figure-12: Replay of forgot password page with user-id value contains a single quote, right parenthesis, and comment returns missing right parenthesis error message from the database server.

Note: After analyzing the responses for different payloads, the payload needs two right parentheses to work.

Figure-13: Replay of forgot password page with user-id value contains a single quote, two right parentheses, and comment returns a valid error message from the application.

Note: The proper execution of functionality sends an email or SMS to the user. In production servers, checking this issue may impact all the users. As we do not have a valid user id, trying for always real conditions impacts all the users in the application. So, to minimize the impact on one user, use the ROWNUM condition.

Figure-14: Request with ROWNUM condition as part of the payload.

Figure-15:  User id value with always true condition and ROWNUM condition does not show invalid user id or pan.

Figure-16: The payload XORXX’)) or%201=ctxsys.drithsx.sn (1, (select%20sys.stragg(distinct%20banner)%20from%20v$version))– in request to retrieve the data from the database in error information.

Figure-17: The available databases in the Oracle database server.

Impact

A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

Remediations

Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.

Timeline

 July 01, 2020: Discovered in our research lab

 July 17, 2020: Followed up with the Vendor

 July 29, 2020: Followed up with the Vendor

 October 7, 2020: Informed CERT-in about the vulnerability

 November 27, 2020: CERT-in confirmed the vulnerability fix

Let Securin level up your security posture!