exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ELBA 5.4.1 SQL Injection / Denial Of Service

ELBA 5.4.1 SQL Injection / Denial Of Service
Posted Feb 20, 2012
Authored by P. Tumenas | Site sec-consult.com

ELBA version 5.4.1 suffers from denial of service, information disclosure, and remote SQL injection vulnerabilities.

tags | advisory, remote, denial of service, vulnerability, sql injection, info disclosure
SHA-256 | cf75e3b1b88b0eb2ddcef342231d854b7c5c36888f20100f1943a643e56d29ea

ELBA 5.4.1 SQL Injection / Denial Of Service

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20120220-1 >
=======================================================================
title: Multiple Vulnerabilities in ELBA5
product: ELBA 5
vulnerable version: ELBA 5.4.1
5.5.0 R00004 build 0778
fixed version: partially in 5.5.0 R00004 build 0778
all issues in 5.5.0 R5
impact: Medium
homepage: https://www.elba.at/
found: 13.01.2012
by: Povilas Tumenas / SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
ELBA electronic banking is a multi-user, multi-protocol banking
application. For details, see https://www.elba.at.


Vulnerability overview/description:
-----------------------------------
1) The ELBA application v5.4.1 listens on a remotely reachable port
that is used for network testing purposes. It uses java serialization
for its protocol without any encryption or authentication. This can be
abused to leak the username of a currently logged on user. Disclosed
usernames can be used in further attacks on different services and/or
ease bruteforcing of user accounts.
Furthermore, if ELBA receives an invalid serialized method name an
assertation fails and a message box with an attacker controlled value
is displayed and the user is forced to shut down the application. This
can be abused to disrupt the work of a user, or as a part of a social
engineering attack as it is possible to make the message box display a
message controllable by the attacker.


2) Due to insufficient input validation, the application <v5.5.0 R5
allows the injection of direct SQL commands. By exploiting the
vulnerability, an attacker gains access to all records stored in the
database. In this instance of SQL injection, the vulnerability can
additionally be used to get access to other user accounts and their
data. During the creation of an account group by a non-sysadmin user
the account group name is not validated and is used in a SQL query.
This allows for the injection of arbitrary SQL code. The account group
creation can be accessed from the menu -> Master Data -> More ->
Account Groups.


Proof of concept:
-----------------
1.a) Denial of Service:

A python script has been developed in order to exploit this issue. This
proof-of-concept code will not be published.

After sending the malicious payload ELBA would display a message box
that would force the user to quit the application. Please also note
that the port under which ELBA listens for serialized communication
changes every time the application starts, but it can be easily found
remotely by port scanning.


1.b) Information Disclosure:

A python script has been developed in order to exploit this issue. This
proof-of-concept code will not be published.

The currently logged on username "SYSADMIN" is visible in the received
data after sending the malicious payload.

Please also note that the port under which ELBA listens for serialized
communication changes every time the application starts, but it can be
easily found remotely by port scanning.


2) Account Group Creation SQL-Injection:
To prove this issue it is sufficient to click the "New" button and
enter a value that would result in an invalid SQL query as the name of
the account group.

The description field can be anything, and either one or both of the
checkboxes must be selected. If you try to create this new account
group, then the SQL server terminates and an error message is
displayed, because the SQL query with an invalid syntax was executed.
If a user enters a value that results in a valid SQL query then the
account group creation is successful.

This attack does not work with the sysadmin account, because when using
the sysadmin account a prepared statement is used for account group
creation.


Vulnerable / tested versions:
-----------------------------
1) Information Disclosure and DoS are only exploitable in ELBA v5.4.1
2) ELBA 5.5.0 R00004 build 0778


Vendor contact timeline:
------------------------
2012-01-20: Contacting vendor through software@racon-linz.at.
2012-01-23: Vendor responds with contact of CISO.
2012-01-23: Contacting CISO with advisory.
2012-01-26: Vendor has verified vulnerability #2 and pointed out, that
only version v5.4.1 is affected by vulnerability #1.
2012-01-26: Verification of affected version of vulnerability #1 and
update of advisory accordingly.
2012-01-27: Vulnerability #2 will be fixed with next release (version
5.5.0 R5) on February 13th.
2012-02-13: Sending updated advisory to vendor
2012-02-20: Public release


Solution:
---------
1) The network testing functionality has been disabled or removed in
ELBA 5.5.0. Upgrade to the newest version.

2) According to the vendor, the SQL injection has been fixed in ELBA
5.5.0 R5. Upgrade to the new release.


Workaround:
-----------
1) In order to mitigate the vulnerability, firewall rules can be set to
prevent unauthorized access to the port used for network testing.

2) Do not give a user the privilege to create account groups.


Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF PTU / @2012
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close