Code-Projects SQLi Bus Dispatch Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The vulnerability labeled as CVE-2023-2951 is a critical issue found in the “Code-Projects” Bus Dispatch and Information System version 1.0, specifically in the file delete_bus.php. The vulnerability arises because the ‘busid’ argument can be manipulated in a way that leads to SQL injection. SQL injection is a type of cyber attack in which an attacker manipulates the database through user inputs. This class of weakness is categorized under CWE-89 (improper neutralization of special elements used in an SQL command) and the broader injection categories CWE-74 and CWE-707.

  A remote, authenticated attacker could exploit the vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary remote code execution under the security context of system.

  CWE-89, CWE-74, CWE-707

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2951.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept code.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  “SQLMap” is an open-source tool used for detecting and exploiting SQL injection vulnerabilities in an application’s database. It is a powerful tool that supports a wide range of database engines and has many features, including database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system.

  When you see an SQLMap attack with a reference like “busid (GET)”, it generally refers to a SQL injection attack on the ‘busid’ parameter using the HTTP GET method.

  Here’s a bit of detail:

    “busid”: The parameter being passed in the HTTP GET request.

    “(GET)”: The HTTP method being used. GET is a common HTTP method used for retrieving data.

  The goal of this attack is to manipulate the ‘busid’ parameter in a way that allows for execution of arbitrary SQL commands on the application’s database.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious “SQLMap” payloads containing “SQL inputs” to the application.
  • The attacker must use “busid” within the HTTP GET Request.

Triggering Conditions:

  The attacker sends a GET request to the URI location “delete_bus.php” with the “busid=3” parameter.
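As an added, defender-side example (not SonicWall’s IPS signature and not code from the Code-Projects application), the following Python script scans web-server access logs for requests to delete_bus.php whose ‘busid’ value is not a plain integer, which is what a legitimate request such as “busid=3” carries; the log lines are constructed for the example, and the strict integer check is the same validation the application itself should apply before using the parameter in a query.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical detection helper for CVE-2023-2951: flag requests to the
# vulnerable script whose busid is anything other than a short decimal integer.
VULNERABLE_SCRIPT = "delete_bus.php"
PARAM = "busid"

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): line 2 carries a quote and a
# comment sequence in busid, line 4 a non-numeric value; lines 1 and 3 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /bus/delete_bus.php?busid=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jun/2023:10:01:09 +0000] "GET /bus/delete_bus.php?busid=3%27--+ HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.7 - - [12/Jun/2023:10:01:10 +0000] "GET /bus/view_bus.php?busid=3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2023:10:01:15 +0000] "GET /bus/delete_bus.php?busid=12abc HTTP/1.1" 200 512 "-" "curl/8.0"
"""


def is_valid_busid(value: str) -> bool:
    """Server-side rule the application should enforce: a bus id is a short
    decimal integer and nothing else (the input-validation remediation)."""
    return re.fullmatch(r"\d{1,10}", value) is not None


def scan_line(line: str):
    """Return a finding dict for a suspicious delete_bus.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.split("/")[-1] != VULNERABLE_SCRIPT:
        return None
    # parse_qs percent-decodes and turns '+' into a space, so the check sees
    # the same value the PHP script would receive in $_GET["busid"].
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    reasons = [f"{PARAM}={v!r} is not an integer" for v in values if not is_valid_busid(v)]
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user agent")
    return {"ip": m["ip"], "time": m["ts"], "reasons": reasons} if reasons else None


def scan_log(text: str):
    """Scan a whole log and return the list of findings in order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```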

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  Three PoC SQLMap inputs are shown below (the screenshot of the inputs is not reproduced here):

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:19132 Code-projects Bus Dispatch and Information System SQLi

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
    • Applying proper input validation and sanitization to user-supplied data such as the “busid” parameter before it is used in a query.
  A GitHub member has released the following advisory regarding this vulnerability:
  GitHub Source

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.