View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0027495mantisbtsecuritypublic2020-11-10 16:312020-12-30 07:37
Reporterethicalhcop Assigned Todregad  
PriorityhighSeveritycrashReproducibilityalways
Status closedResolutionfixed 
Target Version2.24.4Fixed in Version2.24.4 
Summary0027495: CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function throught the API SOAP.
Description

Throught the function mc_project_get_users on the API SOAP, it's possible to inject SQL commands in the parameter "access". So, creating an union select query, it's possible generate a blind sql using the IF funcion on the database to discover the different data on the application like passwords hash. Also, it's possible to exploit it using SQLMap.

Steps To Reproduce

1- start up burp suite
2- start up soap ui , configure proxy and create new soap project
3- open the mc_project_get_users function and insert "username", "password", "project_id" could be 0 and "access" let it emply
4- send request and look the SQL error
5- save the request on burp
6- insert the request file in sqlmap to read the databases sqlmap -r burp_file --dbs --batch

Also, you can make it manually
5- now, insert a SQL query on the "access" input (0 or 1=1) and send request
6- now, insert a SQL union select query on the "access" input (0 union all select 900,2,3,4 order by id desc) and send request

Additional Information

According cvss 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

The CVE is Reserved.

The solution more closer is make a parametrization in the SQL queries and evade to insert parameters directly on the query.

TagsNo tags attached.
Attached Files
1-sending_request_with_parameter_access_emply.png (63,579 bytes)   
1-sending_request_with_parameter_access_emply.png (63,579 bytes)   
2-sending_simple_sqli_command_on_parameter_access_and project_0.png (68,178 bytes)   
2-sending_simple_sqli_command_on_parameter_access_and project_0.png (68,178 bytes)   
3-sending_simple_sqli_command_on_parameter_access_and project_2.png (68,112 bytes)   
3-sending_simple_sqli_command_on_parameter_access_and project_2.png (68,112 bytes)   
4-sending_sql_union_select_query.png (69,724 bytes)   
4-sending_sql_union_select_query.png (69,724 bytes)   
5-starting_explotation_using_sqlmap.png (64,873 bytes)   
5-starting_explotation_using_sqlmap.png (64,873 bytes)   
6-getting_results_from_sqlmap.png (52,608 bytes)   
6-getting_results_from_sqlmap.png (52,608 bytes)   

Activities

ethicalhcop

ethicalhcop

2020-11-11 08:08

reporter   ~0064629

Last edited: 2020-12-11 09:01

Summary:
Product: MantisBT
Proveedor: MantisBT Team
Vulnerable version: 2.24.3
Public divulgation: December 11 - 2020
Vulnerability type: SQL injection (CWE-89) (CWE-943)
Level Risk: Medium
CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Discovered by: EthicalHCOP
dregad

dregad

2020-11-11 10:55

developer   ~0064636

Hello,

Many thanks for your report and responsible disclosure.

I believe that the vulnerability you discovered, should be fixed in the current master branch (2.25.0-dev since commit MantisBT master 682a182d ).

Would you be able to test again to confirm, using the latest nightly build ?
dregad

dregad

2020-11-12 08:48

developer   ~0064643

The code in project API allowing the SQL injection by not using query parameters exists at least since 1.0.0.a1.

The exploitable vulnerability via SOAP API described here, exists since 1.1.0a4.

@ethicalhcop waiting for your confirmation that code in master branch is no longer vulnerable (as far as I can tell, it is not).
ethicalhcop

ethicalhcop

2020-11-12 10:16

reporter   ~0064644

Hello dregad.

Yes sure, let me try again in the night and report you tomorrow :D !

Regards.
ethicalhcop

ethicalhcop

2020-11-18 13:10

reporter   ~0064659

Hello.

let me tell you that I retest the app again in the bb10211 compilation and the vulnerability was fixed successfully.

So, remember that I will make the public divulgation at December 11.
The mantisbt team have any protocol to make public the vulnerability for pentesters?

Regularly I do a walkthrought and write a script to exploit the vulnerability , I don't know if do you have some protocol.

mantis_dev2.25_1.png (50,587 bytes)   
mantis_dev2.25_1.png (50,587 bytes)   
mantis_dev2.25_2.png (56,634 bytes)   
mantis_dev2.25_2.png (56,634 bytes)   
dregad

dregad

2020-11-19 02:21

developer   ~0064662

The mantisbt team have any protocol to make public the vulnerability for pentesters?

Not sure what you mean by protocol.
When a patch for a security issue is ready, we just release a new version including the fix and announce it via our usual channels, referencing the CVE ID if applicable.
ethicalhcop

ethicalhcop

2020-11-19 11:08

reporter   ~0064663

Perfect !

thank you for all.
Regards !
dregad

dregad

2020-12-09 03:13

developer   ~0064778

So, remember that I will make the public divulgation at December 11.

@ethicalcop, I'm sorry, but the December 11 deadline you set might turn out to be a little short, as I have a series of other security issues that I'm still working on, and I'm not 100% sure at this time, that I'll have everything ready by Friday.

Would you mind postponing your going public by a few days ? I'll give you the green light as soon as I'm done.
dregad

dregad

2020-12-13 10:03

developer   ~0064788

@ethicalhcop Thanks for your understanding. I'll ping you here as soon as I'm ready.
dregad

dregad

2020-12-23 05:05

developer   ~0064829

next saturday december 26, I will to participate on a little security meetup where I will to talk about the CVE !

Thanks for the heads up. I was hoping to finalize fixing the other issues last week-end but unfortunately didn't have enough time.

So now there are a few options (in my order of preference / feasibility):

  1. when you make your presentation, you make it clear that the issue is has not yet been fully disclosed to the public and so it should be kept confidential
  2. I release 2.24.4 with only some of the other issues fixed, and plan for another 2.24.5 (probably best, but takes some effort on my end)
  3. I manage to finalize fixes and release 2.24.4 with everything as planned initially before 26th (unlikely)

Let me know your thoughts.

Related Changesets

MantisBT: master 3e37b404

2020-11-21 00:34

dregad


Details Diff		 Fix SQL injection in Project API

The query's where clause in project_get_all_user_rows() was built by
concatenating an unsanitized variable, allowing SQL injection via
SOAP API's mc_project_get_users() function using a crafted request.

Relying on DbQuery object ensures use of query parameters, making the
SQL injection impossible.

Partial backport from commit 682a182d4b2ae9abd2edb9c2ed40eb80723988b1.

Fixes 0027495, CVE-2020-28413		 Affected Issues
0027495
mod - core/project_api.php Diff File