SSD Advisory – Cisco Secure Manager Appliance remediation_request_utils SQL Injection Remote Code Execution
TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Secure Manager Appliance and Cisco Email Security Appliance. Authentication as a high-privileged user is required to exploit this vulnerability.
The specific flaw exists within the remediation_request_utils module. The issue results from the lack of proper validation of user-supplied data, which can result in SQL injection. An attacker can leverage this vulnerability to execute code in the context of root.
Note: Another vulnerability was published alongside this one. These vulnerabilities are not dependent on one another, and exploitation of one is not required to exploit the other. A low-privileged user can, however, combine the two vulnerabilities to obtain full admin privileges on an affected system.
CVE
CVE-2022-20867
CVE-2022-20868
Credit
An independent security researcher has reported this to the SSD Secure Disclosure program.
Technical Analysis
The remediation functionality is only available to users that have one of the following roles: ADMIN, EMAIL_ADMIN, or CLOUD_ADMIN. However, since we can impersonate any user, we can obtain a token for the admin account.
The entry point for the vulnerability may be found in the process_POST method. The method loads [1] the remediation_data object from the body of the POST request. The batch_id is obtained from the remediation_data object if present, and it is used to create [3] the record object. Finally, the record object is passed to the store_mor_details method indirectly via the remediation_request_records object.
The store_mor_details method is an RPC wrapper that calls [5] the write_mor_details_to_buffer method.
The write_mor_details_to_buffer method uses the record object generated earlier as a parameter to call [6] the get_formatted_mor_record method and then calls [7] mor_details_buffer_writer with the result.
The get_formatted_mor_record method formats the fields for the INSERT query that will be executed later. Some fields are sanitized; however, the batch_id field is embedded [8] into the query without any sanitization.
The mor_details_buffer_writer method is later called to execute the query. The method calls [9] the insert_mor_details method with the provided parameters.
The insert_mor_details method fully constructs [10] the query and then executes [11] it.
The query is constructed by calling get_mor_details_bulk_insert_query, which internally calls [12] the _get_records_insert_query method.
Finally, the _get_records_insert_query method uses the given parameters to construct [13] the query without any further sanitization.
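To illustrate the defect described above, the following is an added example (not Cisco's code; the table name, column names and helper names are assumptions) that places the vulnerable pattern, a bulk INSERT built by string formatting with batch_id pasted in raw, beside a hardened builder that allow-lists batch_id and binds every value as a query parameter. sqlite3 stands in for PostgreSQL so the example runs offline.

```python
import re
import sqlite3

# Hypothetical allow-list for batch identifiers (assumption, not from the advisory).
BATCH_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_insert_query(records):
    """Vulnerable pattern: one field is escaped, batch_id is pasted in unsanitized."""
    rows = []
    for r in records:
        msg = r["message_id"].replace("'", "''")        # sanitized field
        rows.append(f"('{msg}', '{r['batch_id']}')")    # batch_id lands in SQL text as-is
    return "INSERT INTO mor_details (message_id, batch_id) VALUES " + ", ".join(rows)


def validate_batch_id(batch_id):
    """Reject anything that is not a plain identifier before it reaches the database."""
    if not isinstance(batch_id, str) or not BATCH_ID_RE.match(batch_id):
        raise ValueError("invalid batch_id")
    return batch_id


def safe_bulk_insert(conn, records):
    """Hardened form: validated values are bound as parameters, never formatted into SQL."""
    params = [(r["message_id"], validate_batch_id(r["batch_id"])) for r in records]
    conn.executemany(
        "INSERT INTO mor_details (message_id, batch_id) VALUES (?, ?)", params
    )
    conn.commit()
    return len(params)


def stored_batch_ids(conn):
    return [row[0] for row in conn.execute("SELECT batch_id FROM mor_details ORDER BY rowid")]


def new_db():
    # Constructed in-memory schema standing in for the mor_details table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mor_details (message_id TEXT, batch_id TEXT)")
    return conn
```

With a batch_id containing a single quote, vulnerable_insert_query returns SQL whose quoting is broken by user input, while safe_bulk_insert rejects the value before any query is built.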
As the SQL injection happens in the context of the pgsql user, there are multiple methods to execute arbitrary commands on the target system. The method used in the exploit is to write a PostgreSQL extension to disk, load it, and later call its defined function pg_system to execute arbitrary commands. To obtain root on the target server, there is a suid binary named runas which allows any user to run commands as any other user by providing the desired username as the first parameter. The code for the PostgreSQL extension may be found below.
Vendor Response
The vendor has issued a patch for the vulnerability as part of its patches released on the 11th of November 2022 for the affected platform – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esasmawsa-vulns-YRuSW5mD