Full Report
While fuzzing a web application, the authors of the post noticed something odd. Putting a single quote (') in a time field produced a 400 error, but putting two single quotes ('') into the same field returned a valid response. That behaviour pointed to a SQL injection vulnerability. While trying to exploit it, they kept getting 403s from the proxy. Instead of attacking the client's live production server, they installed a clean copy of the software. While crafting the payload, they could see the error messages of the running application, which made exploit development much easier. To bypass the filtering, they simply sprinkled /**/ comments into the attack query.

Can we take this further? The authors noticed that the Postgres user was root. Additionally, stacked queries were enabled, making exploitation much easier. They used the stacked query functionality to call the COPY command (a known technique) and run shell commands. Overall, a good find! I do find it strange this started from a pentest... it's cool they found the bugs, but it seems like a weird use of time.
Analysis Summary
# Vulnerability: SQL Injection Leading to Remote Code Execution in ZKSecurity Bio
## CVE Details
- CVE ID: CVE-2022-36635
- CVSS Score: Not explicitly provided, but exploitation led to RCE, implying High/Critical severity.
- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
## Affected Systems
- Products: ZKSecurity Bio
- Versions: v4.1.3
- Configurations: Default PostgreSQL installation utilized by the software, running as the `root` user.
## Vulnerability Description
The application suffers from a classic SQL Injection (SQLi) vulnerability in the 'Time' field of the 'Operation Log' functionality under the 'System' menu. Initial testing showed differential responses for a single quote (`'`) versus two single quotes (`''`). A sanitization filter was present, but it could be bypassed by replacing the spaces in the malicious SQL payload with the SQL comment syntax `/**/`. The underlying PostgreSQL database was running as a highly privileged user (`root`), and stacked queries were enabled, allowing additional commands to be injected after the initial query. This enabled the execution of the PostgreSQL `COPY FROM PROGRAM` command to achieve Remote Code Execution (RCE).
## Exploitation
- Status: PoC available (demonstrated in the article via a sleep command, with RCE confirmed via system command execution).
- Complexity: Low (exploitation was facilitated by easy-to-read application logs revealing the structure of the vulnerable query, and by the over-privileged database configuration running as `root`).
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Data exfiltration possible via SQLi and subsequent RCE).
- Integrity: High (Full system compromise possible via RCE).
- Availability: High (Full system compromise possible via RCE).
## Remediation
### Patches
- The article mentions that the vendor responded indicating a public fix on 24/08/2022. Specific patch version numbers are not provided, but users should update to the latest version released after August 2022.
### Workarounds
- Restrict network access to the vulnerable application interface.
- Configure the PostgreSQL instance not to run as the `root` user (though the core fix is updating the application).
- Disable stacked queries in the application's database connection configuration, where that configuration allows it.
## Detection
- **Indicators of compromise:** Look for SQL keywords, comment obfuscation (`/**/`), stacking sequences (multiple distinct SQL commands separated by semicolons), or execution attempts of the `COPY FROM PROGRAM` command in database logs. Specific indicators of RCE include outbound network connections (e.g., DNS lookups or pings executed by the database process) resulting from the attack.
- **Detection methods and tools:** Web Application Firewalls (WAF) configured to detect SQL Injection patterns, especially those involving comment obfuscation. Database audit logging enabled to monitor for unusual commands like `COPY FROM PROGRAM`.
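A small detector for the indicators listed above, added here as an illustration and not code from the article or the vendor. It scans constructed PostgreSQL `log_statement` lines (the sample log, table names and timestamps are assumptions) for comment-as-whitespace obfuscation, stacked statements and `COPY ... FROM PROGRAM`, normalizing away the `/**/` spacers first so the obfuscated form is caught by the same rule as the plain one.

```python
import re

# Constructed sample PostgreSQL log lines (not from the article): a benign query,
# the comment-obfuscated stacked query pattern described above, and a normal COPY.
SAMPLE_LOG = """\
2022-07-16 10:00:01 UTC LOG:  statement: SELECT * FROM op_log WHERE time = '2022-07-16'
2022-07-16 10:00:07 UTC LOG:  statement: SELECT * FROM op_log WHERE time = ''/**/;COPY/**/t/**/FROM/**/PROGRAM/**/'id'--'
2022-07-16 10:00:09 UTC LOG:  statement: COPY audit FROM '/var/lib/postgresql/export.csv'
"""
STATEMENT_RE = re.compile(r"LOG:\s+statement:\s+(.*)$")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# A block comment wedged between two non-space characters is the "comment as whitespace" trick.
SPACER_COMMENT_RE = re.compile(r"\S/\*.*?\*/\S", re.DOTALL)
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)

def normalize(sql: str) -> str:
    """Turn block comments into spaces, drop -- comments and collapse whitespace."""
    sql = re.sub(r"--.*$", "", COMMENT_RE.sub(" ", sql))
    return " ".join(sql.split())

def count_statements(sql: str) -> int:
    """Heuristic: ';' outside single-quoted literals separates statements; a trailing ';' does not."""
    in_string, count, pending = False, 0, False
    for ch in sql:
        if ch == "'":
            in_string, pending = not in_string, True
        elif ch == ";" and not in_string:
            count, pending = count + (1 if pending else 0), False
        elif not ch.isspace():
            pending = True
    return count + (1 if pending else 0)

def analyze_statement(sql: str) -> list:
    """Return the Detection-section indicators found in one logged statement."""
    norm = normalize(sql)
    checks = [("comment-obfuscation", SPACER_COMMENT_RE.search(sql)),
              ("stacked-query", count_statements(norm) > 1),
              ("copy-from-program", COPY_PROGRAM_RE.search(norm))]
    return [name for name, hit in checks if hit]

def scan_log(text: str) -> list:
    """Return (line_number, findings) for each logged statement carrying an indicator."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = STATEMENT_RE.search(line)
        if m and (found := analyze_statement(m.group(1))):
            alerts.append((n, found))
    return alerts
```

A plain `COPY ... FROM 'file'` and a `;` inside a string literal produce no alert, so the rules key on the stacking and the `PROGRAM` keyword rather than on `COPY` alone.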
## References
- Vendor Advisory timeline (Initial disclosure 16/07/2022, Public fix announced 24/08/2022).
- Medium article: CVE-2022-36635 — A SQL Injection in ZKSecurityBio to RCE