|| || [ISR] || Infobyte Security Research || www.infobyte.com.ar || 04.08.2005 || .:: SUMMARY ISS - SiteProtector Console Sql-Injection Version: 2.0.5.690, It is suspected that all previous versions of SiteProtector Console are vulnerable. .:: BACKGROUND SiteProtector is a security management system that provides a centralized view and analysis of network, server, and desktop protection agents and appliances. http://www.iss.com .:: DESCRIPTION A Sql-injection vulnerability affect SiteProtector Console This issue is due to a failure of the application to securely copy user-supplied data into fields "Tag Name" and "Object Name" of Incidents/Exception that user create or modify. Simple string use: "'" Error that display when it make the injection: ######################BEGIN############################ A Database or SQL Error occurred while working with Site Rules. net.iss.rssp.gui.site.analysis.exceptions.CommonSiteRuleException at net.iss.rssp.gui.site.analysis.AnalysisDataManager.throwCommonSiteRuleExcept ion(AnalysisDataManager.java:442) at net.iss.rssp.gui.site.analysis.AnalysisDataManager.createSiteFilter(Analysis DataManager.java:350) at net.iss.rssp.gui.site.analysis.command.AddEditSiteRuleCommand.execute(AddEdi tSiteRuleCommand.java:48) at net.iss.command.CommandTemplate.templateExecute(CommandTemplate.java:179) at net.iss.command.CommandHandler.executeCommand(CommandHandler.java:148) at net.iss.command.CommandHandler.run(CommandHandler.java:116) A database error occurred in the method "createNewSiteRule". net.iss.rssp.entity.exceptions.SiteRuleException at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: 357) at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke rImpl.java:211) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav a:22) at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java :114) at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) at sun.rmi.transport.Transport$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.Transport.serviceCall(Unknown Source) at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Database Error SQL State = 42000 Vendor code = 105 Vendor msg = [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '') AND NOT EXISTS (SELECT 1 FROM ObservanceSiteFilters OSF WITH (NOLOCK) WHERE OSF.ObservanceID = OB.ObservanceID AND OSF.SiteFilterRuleID = 853)'. net.iss.rssp.db.DataAccessException at net.iss.rssp.server.database.DatabaseObjectHandlerBase.handleSQLException(Da tabaseObjectHandlerBase.java:75) at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java: 134) at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: 348) at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke rImpl.java:211) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav a:22) at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java :114) at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) at sun.rmi.transport.Transport$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.Transport.serviceCall(Unknown Source) at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Error Inserting into table ObservanceSiteFilters Code: 52000 DB Key: 0 java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '') AND NOT EXISTS (SELECT 1 FROM ObservanceSiteFilters OSF WITH (NOLOCK) WHERE OSF.ObservanceID = OB.ObservanceID AND OSF.SiteFilterRuleID = 853)'. at ids.sql.IDSSocket.error(IDSSocket.java:325) at ids.sql.IDSSocket.verify(IDSSocket.java:270) at ids.sql.IDSPrepared.execute(IDSPrepared.java:578) at ids.sql.IDSPrepared.execute(IDSPrepared.java:559) at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java: 103) at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: 348) at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke rImpl.java:211) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav a:22) at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java :114) at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) at sun.rmi.transport.Transport$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.Transport.serviceCall(Unknown Source) at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) at java.lang.Thread.run(Unknown Source) java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '') AND NOT EXISTS (SELECT 1 FROM ObservanceSiteFilters OSF WITH (NOLOCK) WHERE OSF.ObservanceID = OB.ObservanceID AND OSF.SiteFilterRuleID = 853)'. at ids.sql.IDSSocket.error(IDSSocket.java:325) at ids.sql.IDSSocket.verify(IDSSocket.java:270) at ids.sql.IDSPrepared.execute(IDSPrepared.java:578) at ids.sql.IDSPrepared.execute(IDSPrepared.java:559) at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java: 103) at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: 348) at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke rImpl.java:211) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav a:22) at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java :114) at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) at sun.rmi.transport.Transport$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.Transport.serviceCall(Unknown Source) at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) at java.lang.Thread.run(Unknown Source) java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Line 10: Incorrect syntax near '') AND NOT EXISTS (SELECT 1 FROM ObservanceSiteFilters OSF WITH (NOLOCK) WHERE OSF.ObservanceID = OB.ObservanceID AND O'. at ids.sql.IDSSocket.error(IDSSocket.java:325) at ids.sql.IDSSocket.verify(IDSSocket.java:270) at ids.sql.IDSPrepared.execute(IDSPrepared.java:578) at ids.sql.IDSPrepared.execute(IDSPrepared.java:559) at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java: 103) at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java: 348) at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBroke rImpl.java:211) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.jav a:22) at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java :114) at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) at sun.rmi.transport.Transport$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.Transport.serviceCall(Unknown Source) at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) at java.lang.Thread.run(Unknown Source) #######################END############################# .:: EXTRA We did not find any way to perform any unautorized actions or gain additional privileges .:: DISCLOSURE TIMELINE 04/01/2005 Initial vendor notification 04/06/2005 Initial vendor response 04/08/2005 Public disclosure .:: CREDIT Francisco Amato is credited with discovering this vulnerability. famato][at][infobyte][dot][com][dot][ar .:: LEGAL NOTICES Copyright (c) 2005 by [ISR] Infobyte Security Research. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Infobyte Security Research Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from infobyte com ar Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/