<<< Date Index >>>     <<< Thread Index >>>

Full Disclosure: Arbitrary execution vulnerability in SQL-Ledger and LedgerSMB



Hi;

Affected versions:
LedgerSMB < 1.1.10 (but see below), current is 1.1.11
SQL-Ledger < 2.6.27 (but see below).  Current is 2.6.27

Effects: Arbitrary code execution (both products) and authentication bypass (SQL-Ledger only).

We have discovered yet another major security issue in both SQL-Ledger (for affected versions, see below) and LedgerSMB (<1.1.10, but see below). The problem exists because the login input variable is not properly checked, and the software runs a perl script derived from the login name. If the script completes and a password is set, the password is checked. In LedgerSMB, an additional check is made against a session table, which will cause the script to go no further, but in SQL-Ledger, this can also result in authentication bypass.

Affected  Versions:
Unfortunately, both projects suffered problems with their security fixes. The LedgerSMB team failed to update their version strings properly so 1.1.10 will still display 1.1.9 as its running version.
To differentiate, you can use md5sum on the LedgerSMB/Form.pl
c9621e0ed0fd633663e1be3c6d5b08c4  ledger-smb-1.1.10/LedgerSMB/Form.pm
c311f02eaeee9e0638cbe08a650ab86d  ledger-smb-1.1.9/LedgerSMB/Form.pm

The SQL-Ledger case is probably worse. The initial release of 2.6.27 included an inadequate and broken fix. A new security fix was issued later that day, but it is unclear when all mirrors were updated, and users who downloaded that version cannot be sure that they got one that was not vulnerable. The initial security fix offers little safety: authentication bypass and arbitrary code execution are still largely possible though perhaps not at the same time (as they were before).

The following md5sum's reflect whether 2.6.17 was patched or not:
e97dc79c171a45bb794e253f94caef49 is unpatched
2a2dc05d5ac7085bd9e6aaa7098e1bf1 is patched.

How the exploit works:

SQL-Ledger and their derivatives (including LedgerSMB < forthcoming 1.2.0), store login state information in a machine-writable perl script in a configurable location (by default users/). This file is read on each page load and is named [username].conf. This file contains a hash definition which is then used to validate the user's authentication token. No provisions are taken to prevent directory transversal prior to these fixes, however.

One can form a URL like:
http://localhost/sql-ledger/am.pl?login=../../../home/user/foo.pl%00&action=add_department

This causes the web server to execute ../../home/user/foo.pl (the %00 gets translated into a terminating NULL) and will then either allow access (in SQL-Ledger < 2.6.27) or provide an error. In the faulty versions of 2.6.27 and vulnerable versions of LedgerSMB, it will still execute the script however.

The faulty version of SQL-Ledger have a major oversight, however, that lends well to testing. Because the only check is on the NUL and not on the signs of directory transversal, you can test the authentication bypass and get access to sensitive configuration (including obfuscated but unencrypted database passwords and application password hashes). A sample URL for this is:
http://localhost/sql-ledger/am.pl?login=../sql-ledger&path=bin/mozilla&action=edit_template&file=users/members

This works because there is usually a Perl script named sql-ledger.conf in the directory above where these scripts are normally stored. So the username forces the execution of that script, doesn't find a password, and so allows the user in. Lovely....

Best Wishes,
Chris Travers
begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:chris@xxxxxxxxxxxxxxxx
tel;work:509-888-0220
tel;cell:509-630-7794
x-mozilla-html:FALSE
version:2.1
end:vcard