
Topic : Publique! CMS SQL Injection Vulnerabilities

SecurityAlert : 6983
CVE : CVE-2010-0454
CWE : CWE-89
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : No
Credit : Christophe dlf
Published : 31.01.2010

Affected Software : fabricadigital:publique:2.3

Advisory Content :

=====[ Tempest Security Intelligence - Advisory #01 / 2010 ]=============

       SQL injection vulnerability in Publique! Framework
       --------------------------------------------------

  Authors:
           Christophe de la Fuente <christophe *SPAM* tempest.com.br>
           Gustavo Pimentel Bittencourt <gustavo.pimentel *SPAM* tempest.com.br>

=====[ Table of Contents ]=================================

 1. Overview
 2. Detailed description
 3. Additional context & Solutions
 4. References
 5. Thanks

=====[ Overview ]======================================

 * System affected: Publique! version 2.3 (other versions may be vulnerable)
 * Release date: 25 January 2010
 * Impact: Successful exploitation of this vulnerability may lead to remote
           server compromise due to the ability to recover administrative
           credentials for the Publique! management interface.

 Publique! is a Content Management System (CMS) for Web applications by Fábrica
 Digital [1]. This framework claims to be designed for non-computer specialists,
 enabling them to update web site content directly from the internet.

 This product is widely used in Brazil by companies from various areas such as
 universities, government organizations, banks and independent product
 vendors [2].

 A remotely exploitable vulnerability was found in the framework core component.
 Exploitation of this bug does not require authentication and leads to remote
 exposure of potentially sensitive information from the Publique! database.
 In particular, an attacker can extract the usernames and passwords needed to
 authenticate to the administrative interface and gain full control of the web
 site and (depending on certain conditions) the server itself.

=====[ Detailed description ]================================

 Publique! references each page with a specific ID ("sid") that the framework
 uses in most of its URLs. For instance, to access the page referred to by ID=1,
 the following URL is used:

 http://your_website.com/publique/cgi/cgilua.exe/sys/start.htm?sid=1

 It was found that Publique! does not properly validate the "sid" parameter
 value, which causes this input to be interpreted as part of a SQL command
 instead of as ordinary data.

 The following error is displayed when a single quote is added after the
 original value (sid=1'):

 ------------------------------------------------------------------------------

 Content-type: text/html
 CGILua message
 Lua error on configuration (or extension)

   Error:       unexpected type to index table
   Active Stack:
     function _ERRORMESSAGE at C code
     function _initStart at //S/Publique/work/carregal/sys/reader/start.lua
     main of //S/Publique/work/carregal/sys/reader/start.lua
     function old_dofile at C code
     function dofile at //S/Publique/work/carregal/cgi/cgilua/cgilua.conf/pos_env.lua
     main of string " write("") dofile(ReaderDir.."start.bin") write("\n") det", 2
     function dostring at C code
     function: 0042E0D0 at //S/Publique/work/carregal/cgi/cgilua/cgilua.conf/preprocess.lua
     function: 0042A8C8 at //S/Publique/work/carregal/cgi/cgilua/cgilua.conf/preprocess.lua
     function: 0035CE60 at //S/Publique/work/carregal/cgi/cgilua/cgilua.conf/cgilua.lua
     function: 0035D650 at //S/Publique/work/carregal/cgi/cgilua/cgilua.conf/cgilua.lua
     main of //S/Publique/work/carregal/cgi/cgilua/cgilua.conf/cgilua.lua

 CGILua 3.2.1 CGI  ©1995-99.

 ------------------------------------------------------------------------------

 After several tests, it appears that the framework executes two SQL queries
 sequentially and that the error is raised by the first query. It is unlikely
 that the bug could be exploited using conventional methods. However, it is
 possible to extract information from the database using Time-Based Blind SQL
 Injection [3].

 Basically, this consists of using time-consuming SQL operations (e.g. the
 BENCHMARK() MySQL built-in function) that delay the server response only if a
 specific condition is satisfied. By monitoring the response time, it is
 possible to determine whether the conditional expression is True or False.

 Using this technique, it is possible to extract the usernames and passwords
 needed to authenticate to the Publique! management interface. Database
 information can be retrieved by testing the ASCII value of each character
 returned by the injected query.

 For example, the following payload may be used to extract the ASCII value of
 the first character returned by the query:

 http://your_website.com/publique/cgi/cgilua.exe/sys/start.htm?sid=1))+UNION+ALL+SELECT+IF((ASCII(SUBSTRING((SELECT+CONCAT(F_Login,':',F_Password)+FROM+Publique.T_Actor+LIMIT+1+OFFSET+0),1,1))>97),BENCHMARK(1000000,MD5('A')),0)%23

 This query first concatenates the "F_Login" and "F_Password" columns of the
 internal table "T_Actor" and returns the first row (thanks to the "LIMIT 1
 OFFSET 0" clause). Then, it checks whether the ASCII value of the first
 character returned is greater than 97 (the letter 'a'). If the condition is
 satisfied, the BENCHMARK function is triggered, causing a significant delay in
 the server response (approximately 4 seconds in our test lab). By repeating the
 query with different comparison values, it is possible to retrieve the exact
 value of the first character. The complete string can be extracted by repeating
 the process for each character.
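 As an added example (not code from the advisory or from Fábrica Digital), the following Python script shows the defender's side of this bug: the integer allow-list check that a fixed handler should apply to the "sid" parameter, run here over access-log lines so that start.htm requests whose sid is not a bare integer (the single-quote probe and the UNION/BENCHMARK shape described above) are flagged with the indicators they match. The log lines, client addresses and all function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2010:10:00:01 +0000] "GET /publique/cgi/cgilua.exe/sys/start.htm?sid=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [31/Jan/2010:10:00:07 +0000] "GET /publique/cgi/cgilua.exe/sys/start.htm?sid=1%27 HTTP/1.1" 500 812',
    '10.0.0.9 - - [31/Jan/2010:10:00:12 +0000] "GET /publique/cgi/cgilua.exe/sys/start.htm?sid=1))+UNION+ALL+SELECT+IF((1%3D1),BENCHMARK(1000000,MD5(%27A%27)),0)%23 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [31/Jan/2010:10:00:20 +0000] "GET /publique/cgi/cgilua.exe/sys/start.htm?sid=34&UserActiveTemplate=fabrica2007 HTTP/1.1" 200 6010',
]

# Common Log Format: client, identity, user, [timestamp], "request line", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators drawn from the payload shape the advisory describes.
INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time_delay": re.compile(r"\b(benchmark|sleep)\s*\(", re.I),
    "comment": re.compile(r"#|--|/\*"),
}

def is_valid_sid(value):
    """Allow-list rule a fixed handler should enforce: sid is a bare positive integer."""
    return value.isdigit() and 0 < int(value) < 10**9

def sid_from_target(target):
    """Return the percent- and plus-decoded sid parameter of a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("sid")
    return values[0] if values else None

def classify_sid(sid):
    """Names of the indicators that match a decoded sid value, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(sid)]

def flag_sid_injection(lines):
    """Return (ip, status, sid, indicators) for start.htm requests whose sid fails the allow-list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "cgilua.exe/sys/start.htm" not in m["target"]:
            continue
        sid = sid_from_target(m["target"])
        if sid is None or is_valid_sid(sid):
            continue  # legitimate request, nothing to report
        hits.append((m["ip"], int(m["status"]), sid, classify_sid(sid)))
    return hits
```

 A 500 status paired with a quote-only sid is the error page shown above, while a 200 with a time_delay indicator is the blind variant, which leaves no error in the log and is only visible through request timing or this kind of parameter check.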

 Although the password is encrypted, it is possible to recover it. After further
 investigation and reverse engineering of the pre-compiled Lua binaries of the
 Publique! framework, it appears that the encryption algorithm used is
 reversible (i.e. it is not a hashing function).

 Basically, before storing passwords in the database, the framework encrypts
 them with two CGILua [4] built-in functions: "crypt()" [5] and "encode()" [6].
 Since the key used by the encryption algorithm is hard-coded in the Publique!
 binaries, it is possible to recover the plain password from the cipher text by
 using the two corresponding built-in functions: "decrypt()" and "decode()".

 These plain credentials could be used to log into the Publique! management
 interface, enabling the framework's upload functionality and eventually
 permitting an attacker to install malicious code on the remote server, for
 example.

=====[ Other contexts & Solutions ]============================

 As usual [7], we contacted the vendor. After 45 days of waiting, Fábrica Digital
 had not provided us with a public URL to a fix addressing this problem that we
 could attach to this publication.

=====[ Thanks ]========================================

 - Tempest Security Intelligence [8] - Tempest Pentest Team
 - Evandro Curvelo Hora <evandro *SPAM* tempest.com.br>

=====[ References ]======================================

 [1] http://www.fabricadigital.com.br/
 [2] http://www.fabricadigital.com.br/publique/cgi/cgilua.exe/sys/start.htm?sid=34&UserActiveTemplate=fabrica2007
 [3] http://www.owasp.org/index.php/Blind_SQL_Injection
 [4] https://web.tecgraf.puc-rio.br/cgilua/index2.html
 [5] https://web.tecgraf.puc-rio.br/cgilua/secao5.html#crypt
 [6] https://web.tecgraf.puc-rio.br/cgilua/secao5.html#encode
 [7] http://www.cert.org/kb/vul_disclosure.html
 [8] http://www.tempest.com.br/

===================================================



References :

http://www.securityfocus.com/archive/1/archive/1/509142/100/0/threaded
http://secunia.com/advisories/38302
http://packetstormsecurity.org/1001-exploits/publique-sql.txt
http://osvdb.org/61941



