-- Corsaire Security Advisory --

Title: Ipswitch WhatsUp SQL Injection issue
Date: 23.03.05
Application: Ipswitch WhatsUp Professional
Environment: Web Application
Author: Janne Sarendal [janne.sarendal@corsaire.com]
Audience: General release
Reference: c050323-001

-- Scope --

The aim of this document is to clearly define a vulnerability in the WhatsUp Professional application, as supplied by Ipswitch [1], that allows unauthenticated SQL injection into the backend database. The vulnerability also appears to have been independently discovered and reported to Ipswitch by both Secunia [2] and iDefense [3].

-- History --

Discovered: 22.03.05 (Janne Sarendal)
Vendor notified: 30.03.05
Document released: 28.06.05

-- Overview --

WhatsUp Professional is Ipswitch's "next generation network management solution for organisations. It expands on the success of the award winning WhatsUp Gold and provides new levels of scalability, usability, and extensibility. WhatsUp Professional provides users with a simple out-of-box experience and immediate return on their network monitoring investment."

By default, WhatsUp Professional also provides web access from any browser to view status or change the configuration from anywhere, at any time. This web interface, which by default listens on TCP port 80, is susceptible to unauthenticated SQL injection, and the injected statements execute with sufficient privilege to shut down the database server (see Proof of Concept).

-- Analysis --

The Ipswitch WhatsUp Professional web interface harbours an unauthenticated SQL injection vulnerability in the login facility, which is provided via the following resource:

/NmConsole/Login.asp

which accepts the following HTTP POST parameters:

bIsJavaScriptDisabled=
&sUserName=
&sPassword=
&btnLogIn=

The input validation code does not adequately filter dangerous characters, which allows SQL code to be injected via the sUserName parameter: the value is spliced into the SQL text of the login query, so a single quote terminates the intended string literal and whatever follows is interpreted as SQL.
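To make the flaw concrete, the following is an added example written for this edit (it is not code from the advisory, nor from Ipswitch) that models the login lookup against an in-memory SQLite table. The vulnerable version splices sUserName straight into the SQL text, exactly the class of defect described above; the hardened version binds it as a parameter. The table schema, the reuse of the form parameter names as column names, and the two sets of credentials are constructed assumptions. The payload is the authentication-bypass prefix of the advisory's proof-of-concept expression; the stacked `shutdown` statement in the full expression is a backend-specific command that SQLite's execute() refuses to run alongside another statement, so it is not reproduced here.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the product's user table (assumption: the
    advisory does not document the real schema; column names mirror the
    login form's POST parameters)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (sUserName TEXT, sPassword TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("operator", "hunter2")],  # constructed test data
    )
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string formatting, so the user-supplied value
    becomes part of the SQL statement itself. This is the pattern behind the
    sUserName flaw: a quote in the input closes the literal early."""
    sql = (
        "SELECT sUserName FROM users WHERE sUserName = '%s' "
        "AND sPassword = '%s'" % (username, password)
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Same lookup with bound parameters: the driver sends the values
    separately from the statement text, so input can never change the
    query's structure regardless of the characters it contains."""
    row = db.execute(
        "SELECT sUserName FROM users WHERE sUserName = ? AND sPassword = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Bypass prefix of the advisory's PoC expression (the ';shutdown;' stacked
# statement is omitted; see the lead-in).
PAYLOAD = "' OR 1=1--"


def demo():
    """Run the same two credential pairs through both implementations and
    return who each one authenticates as (None means login refused)."""
    db = make_db()
    return {
        "valid_vuln": login_vulnerable(db, "operator", "hunter2"),
        "valid_hard": login_hardened(db, "operator", "hunter2"),
        # With the payload, the vulnerable query degenerates to
        # WHERE sUserName = '' OR 1=1 -- ... and matches every row, so the
        # attacker is logged in as the first user (here "admin") with no
        # password at all.
        "inject_vuln": login_vulnerable(db, PAYLOAD, "anything"),
        # The hardened query compares the literal string "' OR 1=1--" against
        # the column and finds nothing.
        "inject_hard": login_hardened(db, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-12s -> %r" % (name, result))
```

The point of running both side by side is that the "fix" is not a character blocklist (which is what "filter away dangerous characters" might suggest) but removing string concatenation from query construction altogether. Where that is the vendor's code, as it is here, the customer-side remedy is the patch in the Recommendations section.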
The sUserName and sPassword parameters are processed by the function ApplicationContext_Login in the script ApplicationContext.inc, which in turn passes the values on to CoreAsp.dll, which is where the input validation flaw is located.

-- Proof of Concept --

Use an HTTP client to connect and submit the following proof-of-concept expression in the "User Name" field of the login form. Note that this payload is destructive: the stacked shutdown statement takes the backend database offline, so it should only be used against a system where that outcome is acceptable.

' OR 1=1;shutdown;--

-- Recommendations --

Apply the vendor supplied SP1a patch [4].

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2005-1250, CAN-2005-1938 and CAN-2005-1690 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems.

-- References --

[1] http://www.ipswitch.com
[2] http://secunia.com/advisories/15503/
[3] http://www.idefense.com/application/poi/display?id=268&type=vulnerabilities
[4] http://www.ipswitch.com/Support/whatsup_professional/releases/wup2005sp1a.html

-- Revision --

a. Initial release.
b. Revised to include patch and independent discovery information.
c. Revised to correct error.

-- Distribution --

This security advisory may be freely distributed, provided that it remains unaltered and in its original form.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information.

-- About Corsaire --

Corsaire is a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire brings innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research.
A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com

Copyright 2005 Corsaire Limited. All rights reserved.