Lucene search
K

Password Safe And Repository Enterprise 7.4.4 Build 2247 SQL Injection

🗓️ 12 Oct 2015 00:00:00Reported by Matthias DeegType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 23 Views

Password Safe and Repository Enterprise 7.4.4 Build 2247 SQL Injection in Offline Mod

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-034  
Product(s): Password Safe and Repository Enterprise  
Manufacturer: MATESO GmbH  
Affected Version(s): 7.4.4 Build 2247  
Tested Version(s): 7.4.4 Build 2247  
Vulnerability Type: SQL Injection (CWE-89)  
Authentication Bypass Using an Alternate Path or   
Channel (CWE-288)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2015-07-09  
Solution Date: 2015-10-05  
Public Disclosure: 2015-10-12  
CVE Reference: Not yet assigned  
Author of Advisory: Matthias Deeg (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Password Safe and Repository Enterprise is a password management  
software for companies with many features.  
  
The manufacturer MATESO GmbH describes the product as follows (see [1]):  
  
"Manage your passwords in the company according to your security needs!  
Features such as password policies, multi-eyes principle, workflow and  
task system makes management productive and safe.  
  
The integrated rights management system with data transfer option and  
automatic synchronization with Active Directory ensures that your  
employees can only access data which they are entitled to."  
  
Due to a SQL injection vulnerability in the user authentication of the  
offline mode, an attacker can gain unauthorized access to the  
synchronized Password Safe database.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The SySS GmbH found a SQL injection vulnerability in the user  
authentication functionality of the offline mode which can be  
exploited by an unauthenticated user with access to the offline  
database.  
  
By exploiting this SQL injection vulnerability, an attacker can gain  
unauthorized access to a synchronized Password Safe database (offline  
database), for example by bypassing the user authentication with a  
suitable SQL attack vector (see PoC section).  
  
In the context of the user authentication functionality in the offline  
mode, the following SQL statement is used which is vulnerable to  
SQL injection via the parameter user name in the WHERE clause due to  
insufficient user input validation:  
  
SELECT ID FROM tdUsers WHERE UPPER(Name) = UPPER('<USERNAME>') and LoginPassword = '<MD5 PASSWORD HASH>' and Inactive = 0 and Deleted = 0  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
In order to gain unauthorized access to an offline database, the  
following SQL attack vector  
  
') or 1=1 --  
  
can be used as user name in combination with an arbitrary password.  
  
If a user name containing an apostrophe (') is used, the password  
management software Password Safe and Repository Enterprise throws an  
exception and shows a detailed error message with the failed SQL  
statement.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to information by the MATESO GmbH, the described security  
issues have been fixed in the software version 7.5.0.2255 that was  
released on October 5, 2015.  
  
Please contact the manufacturer for further information or support.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-07-09: Vulnerability reported to manufacturer  
2015-07-09: Manufacturer acknowledges e-mail with SySS security advisory   
2015-07-30: Scheduling of the publication date in agreement with the  
manufacturer  
2015-10-02: Rescheduling of the publication date in agreement with the  
manufacturer  
2015-10-12: Public release of security advisory on agreed publication  
date  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product Web Site for Password Safe and Repository Enterprise   
http://www.passwordsafe.de/en/products/business/enterprise-edition.html  
[2] SySS Security Advisory SYSS-2015-034  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-034.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Matthias Deeg of the SySS GmbH.  
  
E-Mail: matthias.deeg (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc  
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBCgAGBQJWG19zAAoJENmkv2o0rU2rn2AP/0oeeL+x61KXAu+K+7WVYnEi  
oGnCheh9yJXqFjsja288i1DWUlRUPe8q0mQw+GDnjTjXyxMIb1oN05bVgi3oWzgv  
G3Qmj2G9T2Qej62rOO/mgeQ4fJZNOK+1ExsmvTB53oHvzwq7QA8bkuW2xrZKc4ER  
tyTgF9XINyo+SiAN9lc70ydNnEp1euRb7vqROmWYzkCz+OnHg3Pyvf6Y2qcHyJNf  
RH+kw47Q5sYVzuetTRIF+fiVYCtjR6N8yiNl6ipyZY7Y8s79oxU9zXOMl7W3+jD+  
GhkUHa8/Blr3dc1R5crw2oR/OiN5TaFOLf7qb0+KVvEvS7U1BEcgWNroWiDdkv2P  
JEGKVS4YW1YWywrlhLki9r+eCcKUl43W6WFalrrWEFVVCwitZhjVUipm+sYSeXsC  
NzPIEeX0nG77o8WZ1f7IKaS1qF3XYdXV53sFToBLz1xI9ygpq/ZXR4+cAg6xe+Ru  
Rf5UDBWnSFw0pHKVo/PPXMJHRCuf/tsDcerYlhzgeZyioIRE8RoCjtjN9T77SVTF  
lqM7Pf5kCCwlDFv2mTk9V3QoF+esqYTZ8PG1PYz/K6hpuMxVLar2DPZ9vrUsg3gb  
OrmJOsN2nMoR/wdOJdFedXyO8xDVFgMzo4jAp6FS0YN5hOMvZI9qzACpDX8bE+vo  
HKLjMIQfbQMwgHRMDHEv  
=husp  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation