CVE-2018-20472 – Sahi pro ( <= 8.x ) Stored XSS

Sahi Pro web interface is  vulnerable to a Stored XSS . Exploiting this bug needs a prior knowledge of the end to end flow and basic scripting of sahi pro .

Sahi pro is a web application automation tool which helps automation testers to automate their web application tasks . It makes it very easy for end users with their readily available API functions . an end user can create a sahi script either by using their sahi programming language ( similar to javascript ) or can use ruby . We will use sahi language itself for this demo.

Sahi has some interesting features such as web application interface which aggregates all the reports for the sahi script execution tasks. It was found that web module is vulnerable to stored cross site scripting.

Here is the Proof of concept for the same:

fig 1 : sahi script containing XSS payload

Here we have created a simple sahi script which uses a testcase API .

var $tc1 = _testcase(“TC-1″,”<script>alert(document.cookie)</script>”).start();

_log(“testing stored XSS injection”);

$tc1.end();

In the testcase API , as per the documentation provided accepts two parameters ,first one being testcase ID and second one test case description . Both values are reflected back in the web reports  which triggers the XSS vulnerability . save the file as “filename.sah”  and with the help of sahi controller execute the script.

Fig 2 : execute the script in the controller

Now navigate to the executed report in the web report console . XSS is triggered .

  Fig 3 ,4 : Stored XSS triggers .

This can be utilized by a malicious limited user to steal password protected (admin) web reports credentials.

Disclosure timeline :

Reported on : 8 / December / 2018

Affected versions : all versions of sahi pro ( <= 8.x ) (web application automation )

vendor website :  https://sahipro.com/

 

CVE-2018-20470 – Sahi pro ( <= 8.x ) Directory traversal

Sahi pro is a application automation tool which is quite popular among automation testers . (https://sahipro.com/ )   Being a former automation tester who transitioned to penetration testing,  who also heavily relied on sahi pro for day to day automation activities, An idea raced in my mind to combine both and start hunting for some security bugs in their products. And here is one of the issue that i found in their product.

sahi pro has some interesting features such  as web reporting interface and web editor which combined and forms report module which aggregates all the automated test execution / suite .  It was found that we can view the source code of any sahi file in the editor to check debug logs, where it highlights failed line or execution flow etc

report interface url can be found at the following location :

http://<ip>:<port>/logs 

In the web editor module , it was observed that there  exists a directory traversal vulnerability which allows any user on the same network to view any files on the victim machine running sahi pro automation software. sahi pro allows users to restrict file access for scripts in their configuration file, but this particular module seems to be vulnerable due to lack of server side validations.

Proof of concept  :

Fig 1 :  shows the reports module which displays and highlights the source code of sahi script file for debugging .

here the get parameter href is vulnerable to directory traversal(can also include remote files  to cause Denial of service on victim browser)

Here href get parameter is referring to location :

href=scripts/csv_injection_demo.sah

if its modified to href=../../supersecret/password.txt , contents of crucial internal files of the victim machine.

Fig 2 : vulnerable to directory traversal.

another snapshot which disclose contents of win.ini file

Fig 3 : vulnerable to directory traversal.

URL vulnerable :

http://<ip>:<port>/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected

Disclosure timeline :

Notified on : 8 / December / 2018

suggested quick fix till the official patch is released : password protect web reports module

Affected versions : all versions of sahi pro ( <= 8.x ) (web application automation )

vendor website :  https://sahipro.com/

CVE-2018-20468 – Sahi pro ( <= 8.x ) CSV Injection

This is one of the low risk bug which was found in Sahi Pro. Reports web interface allows a user to export the executed automation scripts/suite in excel format. It is possible to inject the excel formula which results in command execution on the victim who exports it .

Proof of concept :

excel formulas can be injected inside the sahi script as shown previously with stored XSS inside a testcase API as follows.

 script used :

var $tc1 = _testcase(“TC-1″,”=SUM(1+1)*cmd|’ /C calc’!A0”).start();

_log(“testing csv injection”);

$tc1.end();

Execute the following sahi script and take export of the report as follows :

 Fig : executed sahi script with formula injection.

Fig : victim opens the file and clicks yes on warning and the code                                         executes on victim machine .

Disclosure timeline :

Notified on : 8 / December / 2018

Affected versions : all versions of sahi pro ( <= 8.x ) (web application automation )

vendor websitehttps://sahipro.com/

CVE-2018-20469 – Sahi pro ( <= 8.x ) SQL Injection

An issue was discovered in Tyto Sahi Pro ( <= 8.x )
A parameter in the web reports module is vulnerable to  SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.

It was found in sahi reports web interface,whenever we search for a particular report using search field , direct sql query was passed as part of GET request. This query can be manipulated to dump internal details such as database name ,database path , read files using h2 system functions , user details , schema details and other critical information related to the internals of sahi database to external adversary  on same network.

Proof of concept :

              Fig 1 : sql query is directly passed as part of GET request

 

Sahi web reports interface allows an end user to search for a report based on its name. This user supplied parameter is converted into a SQL query and is directly passed as part of URL as shown in figure 1.

As sahi is using H2 database to store the reports and other data, an end user can exploit this scenario to run h2 database system functions by manipulating the passed SQL query .

               Fig 2 : leak of memory used by sahi application ( memory_used() )

Modified URL :

http://localhost:9999/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT memory_used() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS

           Fig 3 : leak of database path by sahi application ( database_path() )

Modified URL:

http://localhost:9999/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT database_path() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS

       Fig 4 : leak of current database user by sahi application ( user() )

Modified URL: 

http://localhost:9999/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT user() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS

All h2 system functions can be used to abuse and leak more sensitive  information by un-authenticated user .

Disclosure timeline :

disclosed on : 8/ December / 2018

suggested quick fix till the official patch is released : password protect web reports module

Affected versions : all versions of sahi pro ( <= 8.x ) (web application automation )

vendor website :  https://sahipro.com/