Injection (INJ) Examples

CVE 2007-3572 (Yoggie Pico)

BF Taxonomy

Cause: Input not checked properly (incomplete blacklist)

Attributes:
Language: CGI
Special Element: Shell Metacharacters (back ticks ` )
Entry Point: Function Parameter ("param")
Invalid Construct: Command (command within a Ping command)

Consequence: Add command, leading to arbitrary code execution and potentially complete host takeover (by adding a Ping command to change the root password)

BF Description

"Input not checked properly (incomplete blacklist) allows Shell metacharacters (back ticks ` ) through a function parameter ("param") in a CGI script and assembly of a string that is parsed into an invalid command construct (command within a Ping command), which may be exploited to add command, leading to arbitrary code execution and potentially complete host takeover (by adding a Ping command to change the root password)." [2]

This is a shell command injection

CVE Description

"Incomplete blacklist vulnerability in cgi-bin/runDiagnostics.cgi in the web interface on the Yoggie Pico and Pico Pro allows remote attackers to execute arbitrary commands via shell metacharacters in the param parameter, as demonstrated by URL encoded "`" (backtick) characters (%60 sequences)." [1]

Analysis

The following analysis is based on information in [1,3,4]. Injecting backticks that are not sanitized enables adding a shell command in a CGI script. Complete Host takeover is possible by using backtick to execute changing the file /etc/shadow to include an arbitrary password selected by the attacker. Then the attacker can use that password to login as root. The Ping command was not expected to include a "command within a (Ping) command", but the backticks (special elements) result in that unexpected structure.

Source Code

Code With Bug	Code With Fix
Source Code Not Available	Source Code Not Available

CVE-2008-5817

BF Taxonomy

Cause: Input not checked properly or input not sanitized properly

Attributes:
Language: SQL
Special Element: Query Elements (single quote ' , the word or, and equality sign =)
Entry Point: Data Entry Fields ("username" & "password")
Invalid Construct: Database Query

Consequence: Authentication loss, admin server access, and arbitrary code execution

BF Description

"Input not checked properly or input not sanitized properly allows query elements (single quote ' , the word or, and equality sign =) through data entry fields ("username" & "password") in a PHP script and assembly of a string that is parsed into an invalid database query construct, which may be exploited to mask legitimate SQL commands, leading to authentication loss, admin server access, and arbitrary code execution. [2]

This is SQL Injection

CVE Description

"Multiple SQL injection vulnerabilities in index.php in Web Scribble Solutions webClassifieds 2005 allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) password fields in a sign_in action." [5]

Analysis

The following analysis is based on information in [5,6,7]. According to [7], ' or ' 1=1 is used to mask password checking and login as admin. [8] includes an explanation of this type of SQL injection.

Source Code

Code With Bug	Code With Fix
Source Code Not Available	Source Code Not Available

CVE-2008-5734

BF Taxonomy

Causes: Input not checked properly (incomplete blacklist) or input not sanitized properly

Attributes:
Language: HTML
Special Element: Scripting Elements ('<','</','>')
Entry Point: Markup Tag (<IMG>) Argument (SRC)
Invalid Construct: Markup (IMG element with <script> ... </script> in it)

Consequence: Add commands or credentials compromise for cookie-based authentication, leading to arbitrary code execution

BF Description

"Input not checked properly (incomplete blacklist) or input not sanitized properly allows HTML scripting elements ('<','</','>') through a markup tag (<IMG>) argument (SRC) of a generated HTML email and assembly of a string that is parsed into an invalid markup construct (IMG element with <script> ... </script> in it), which may be exploited to add commands or credentials compromise for cookie-based authentication, leading to arbitrary code execution." [2]

This is XSS web script or HTML injection.

CVE Description

"Cross-site scripting (XSS) vulnerability in WebMail Pro in IceWarp Software Merak Mail Server 9.3.2 allows remote attackers to inject arbitrary web script or HTML via an IMG element in an HTML e-mail message." [9]

Analysis

The following analysis is based on information in [9,10,11]. According to [10], one of the several consequences is unauthorized access to cookie-based authentication credentials.

Source Code

Code With Bug	Code With Fix
Source Code Not Available	Source Code Not Available

References

[1] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2007-3572.

[2] Irena Bojanova, Paul E. Black, Yaacov Yesha, and Yan Wu, The Bugs Framework (BF): A Structured Approach to Express Bugs, QRS 2016, Vienna, Austria.

[3] The MITRE Corporation, CWE Common Weakness Enumeration, CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

[4] Yoggie Pico Pro Remote Code Execution

[5] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2008-5817.

[6] CXSESECURITY, webClassifieds 2005 (Auth Bypass) SQL Injection Vulnerability CWE-89 CVE-2008-5817.

[7] The MITRE Corporation, CWE Common Weakness Enumeration, CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

[8] Bricks, SQL injection.

[9] The MITRE Corporation, CVE Common Vulnerabilities and Exposures, CVE-2008-5734.

[10] SecurityFocus, Merak Mail Server and Webmail Email Message HTML Injection Vulnerability.

[11] The MITRE Corporation, CWE Common Weakness Enumeration, CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').