The authors were analyzing Masa/Mura CMS for potential SQL injection vulnerabilities, aiming to identify unsafe queries reachable from its JSON API endpoints. Because manual code review was inefficient, they searched for static analyzers or CFML parsers that could detect such vulnerabilities automatically.
The goal was to find queries in which user input is used directly in the SQL statement without proper sanitization, regardless of whether the `cfqueryparam` tag for parameterized queries is present. They found a candidate parser, `cfmlparser`, that could be used for this purpose.
The code searches a given directory for ColdFusion Markup Language (CFML) files (`.cfm`, `.cfc`), parses each file, and identifies `<cfquery>` tags. If the content of a `<cfquery>` tag references arguments (indicating potential user input), the code extracts and prints the entire query along with the filename.
This approach aims to detect SQL injection vulnerabilities in CFML applications by finding instances where user input might be directly embedded in database queries without proper sanitization.
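A scanner of the kind described above, added here as an illustration rather than the authors' own script (and not built on `cfmlparser`): it uses regular expressions to locate each `<cfquery>`, discards `<cfqueryparam>` tags (whose values are bound, not concatenated), and reports any query that still interpolates a caller-controlled `arguments`, `url` or `form` reference. The CFML sample is constructed for the example.

```python
import re
from pathlib import Path

# Constructed CFML sample (not from the Mura/Masa code base): one query concatenates
# caller-controlled arguments into the SQL text, the other binds its value via cfqueryparam.
SAMPLE_CFC = """
<cfcomponent>
  <cffunction name="getObjects">
    <cfargument name="columnID" type="numeric">
    <cfargument name="ContentHistID" type="string">
    <cfquery name="rs" datasource="#application.dsn#">
      SELECT * FROM objects
      WHERE columnid = #arguments.columnID#
      AND contenthistid = '#arguments.ContentHistID#'
    </cfquery>
  </cffunction>
  <cffunction name="getSite">
    <cfargument name="siteID" type="string">
    <cfquery name="site" datasource="#application.dsn#">
      SELECT * FROM sites
      WHERE siteid = <cfqueryparam value="#arguments.siteID#" cfsqltype="cf_sql_varchar">
    </cfquery>
  </cffunction>
</cfcomponent>
"""

# <cfquery ...>body</cfquery>: group 1 is the open-tag attributes, group 2 the SQL body.
CFQUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
# A <cfqueryparam> tag: interpolation inside it is parameterised, so it is removed before checking.
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
# A #...# interpolation whose first component is a caller-controlled scope.
USER_INPUT_RE = re.compile(r"#\s*((?:arguments|url|form)\.\w+)[^#]*#", re.IGNORECASE)
NAME_RE = re.compile(r'name\s*=\s*"([^"]*)"', re.IGNORECASE)

def find_unsafe_queries(source):
    """Return (query name, interpolated references) for each <cfquery> that splices
    caller-controlled data into the SQL text outside of a <cfqueryparam> tag."""
    findings = []
    for attrs, body in CFQUERY_RE.findall(source):
        unparameterised = CFQUERYPARAM_RE.sub("", body)  # only what remains is concatenated
        refs = sorted(set(USER_INPUT_RE.findall(unparameterised)))
        if refs:
            name = NAME_RE.search(attrs)
            findings.append((name.group(1) if name else "<unnamed>", refs))
    return findings

def scan_directory(root):
    """Map each .cfm/.cfc file under root to its unsafe queries (files with none are omitted)."""
    results = {}
    for path in sorted(list(Path(root).rglob("*.cfm")) + list(Path(root).rglob("*.cfc"))):
        hits = find_unsafe_queries(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    for query_name, refs in find_unsafe_queries(SAMPLE_CFC):
        print(f"query '{query_name}' interpolates: {', '.join(refs)}")
```

The scanner flags both the numeric and the string argument; deciding which are actually exploitable (as the investigation does for `ContentHistID` below) remains a manual step.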
The code snippet under analysis concerns a potential security vulnerability in a ColdFusion application: the function `getObjects` retrieves content objects based on three arguments, `columnID`, `ContentHistID`, and `siteID`.
Project Discovery's investigation reveals that `ContentHistID` is the only argument susceptible to exploitation, since it is validated only as a string, whereas `columnID` is numeric and `siteID` is validated by default.
The function is called from `dspobjects` in the `contentRendererUtility.cfc` component, which is reachable through a JSON API call.
An initial attempt to trigger the SQL injection with a single-quote bypass in Lucee was unsuccessful because of an unanticipated condition: the application required the `isOnDisplay` property to be true for the injection to work.
At first it was thought that request parameters could set this property directly, but further research showed that it was overwritten elsewhere. Examining the `standardSetIsOnDisplayHandler` function showed that setting the `previewID` parameter produced the desired property change, which allowed the SQL injection through a specially crafted parameter string.
On a local system, an attacker exploited the error-based SQL injection to reset an admin's password: by injecting SQL queries, they retrieved the password reset token and user ID. Leveraging the plugin installation functionality, they then uploaded malicious CFM files and achieved Remote Code Execution (RCE).
On Apple's system, however, the vulnerability was blind because the application returned only generic error messages, so the attacker instead targeted the distinctive characteristics of UUIDs (used for tokens and IDs) to exfiltrate them through scripting.
Finally, a Proof of Concept (PoC) showcasing account takeover and potential RCE was submitted to Apple.
Nuclei can be used to detect the critical SQL injection vulnerability (CVE-2024-32640) in Mura/Masa CMS: the template sends a POST request containing malicious data to a specific API endpoint.
The response is then checked for specific markers: a 500 status code, a JSON content-type header, the string "Unhandled Exception" in the body, and the presence of `cfid` and `cftoken` headers.