MATESO GmbH Password Safe And Repository Enterprise 7.4.4 Build 2247 SQL Injection

2017-04-11T00:00:00
ID PACKETSTORM:142091
Type packetstorm
Reporter Matthias Deeg
Modified 2017-04-11T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-035  
Product(s): Password Safe and Repository Enterprise  
Manufacturer: MATESO GmbH  
Affected Version(s): 7.4.4 Build 2247  
Tested Version(s): 7.4.4 Build 2247  
Vulnerability Type: Violation of Secure Design Principles (CWE-657)  
SQL Injection (CWE-89)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2015-07-09  
Solution Date: 2016-10-18  
Public Disclosure: 2017-04-10  
CVE Reference: Not yet assigned  
Author of Advisory: Matthias Deeg (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Password Safe and Repository Enterprise is a password management  
software for companies with many features.  
  
The vendor MATESO GmbH describes the product as follows (see [1]):  
  
"Manage your passwords in the company according to your security needs!  
Features such as password policies, multi-eyes principle, workflow and  
task system makes management productive and safe.  
  
The integrated rights management system with data transfer option and  
automatic synchronization with Active Directory ensures that your  
employees can only access data which they are entitled to."  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
SySS GmbH found out that the password management software Password Safe  
and Repository Enterprise violates secure design principles and  
insufficiently implements user input validation concerning database  
access via SQL statements.  
  
These vulnerabilities enable an attacker to manipulate SQL statements  
on the client side using a "malicious client" in order to perform  
privilege escalation attacks or to gain authorized read and write  
access to other user's data.  
  
Different SQL statements that are created on the client side in the  
context of different functionalities of the password management client  
software can be manipulated and thus exploited for such attacks.  
  
These vulnerabilities both affect the online and the offline mode of the  
password management software, but there may be different requirements  
for a successful exploitation like valid user credentials.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
1) Privilege escalation by retrieving information of another user  
  
In order to perform a privilege escalation attack in the online mode  
of the password management software Password Safe and Repository  
Enterprise from the perspective of an authorized low-privileged user,  
the parameter "ID" of the following SQL statement simply has to be  
manipulated:  
  
SELECT * FROM tdUsers WHERE ID=<USER ID>  
  
This SQL statement is used by the client software in the online mode for  
retrieving user information from the server system after a successful  
user login. If the parameter "ID" is set to a valid user ID of another  
existing user, for example the built-in administrator account who has  
usually the user ID 1, the application can be used with the privileges  
of the user with the chosen user ID.  
  
  
2) Privilege escalation by setting new user rights  
  
Another possibility to perform a privilege escalation attack in the  
online mode from the perspective of a low-privileged user is to  
manipulate the following SQL statement that is used to update the  
user's last login date:  
  
UPDATE tdUsers SET LastLogin = julianday('<DATE>'), ChangeDate =  
julianday('<DATE>') WHERE ID = <USER ID>  
  
By replacing this UPDATE SQL statement by the following one, the user  
rights of an arbitrary user can be modified, for example by setting  
all available rights:  
  
UPDATE tdUsers SET UserRights =  
'11111111111111111111111111111111111111111111111111' WHERE ID = <USER ID>  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The MATESO GmbH released the new software version Password Safe and  
Repository Enterprise 8 that is not affected by the described security  
issues.  
  
Please contact the manufacturer for further information or support.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-07-09: Vulnerability reported to manufacturer  
2015-07-09: Manufacturer acknowledges e-mail with SySS security advisory  
  
2015-07-30: Scheduling of the publication date in agreement with the  
manufacturer  
2015-10-02: Rescheduling of the publication date in agreement with the  
manufacturer  
2016-10-18: Manufacturer presents new software version with fixed  
security issues  
2017-04-10: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Password Safe and Repository Enterprise  
http://www.passwordsafe.de/en/products/business/enterprise-edition.html  
[2] SySS Security Advisory SYSS-2015-035  
  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-035.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Matthias Deeg of SySS GmbH.  
  
E-Mail: matthias.deeg (at) syss.de  
Public Key:  
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc  
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAljrOosACgkQ2aS/ajSt  
TasiHg/+OJSZ7LChx4XRrfiC2Xovx4yfgjY6RrPbLMxH/Sw2S933HthDxlpijc7L  
2qyeSd+7TcTuDBnfaFSsa7X/NdSHD26U5SnHjWjEA8FyzRp2dJoJbpVMLfb9uVYh  
2/nJC0LgulQfzKGqAYO6e5S9AjlQLAWE2YfxZdX3oxAMapQiYGLRn5mqKfqc4vo1  
4EouXi8a6qumbENeaXTkYQgL4Bt/Q+3xXkufbj6NW+dTVW7+KDX97qCWtON+CF0T  
aUdmG/CODjBfDpbVbpBt8CsTmSD7RqCc6GX/KYbOvGQjZ7WhgKrnzHdRFssvZeFv  
PxikE9p1VN3BXv5o5WxN0wGYmVNiTl8NVNIw0PtVexML38gGrmtdsFvF0HDE3SBB  
lDxJrEanYdbXFzyFAW14Dk72D5F+LdGcr+103MFLgch8t8qHH4YOQdpbNKBG1hlw  
Ghq3i0FDSvmg+rkfydJVbIfEaekEDeyUBDQurHNppT6PkXa2iWjlcSgRWpT1n+fY  
8wxtXSHegR0h9relu629oue9pthGImiwECnw6Yh0BP1WFfJun9oDwkTeq4C6ZuAG  
Yu9aLwt0XETx+rS+sW4f00waXtHnYXFiXTrvo7GIKGfgy6Razn6W92mW6UnSjOBc  
P00AyZKmxnMwrNl7XpiVe5LBvmNBf610MOdwdwNVgREOrgRUqNg=  
=xAXH  
-----END PGP SIGNATURE-----  
  
`