NovaCHRON Smart Time Plus SQL Injection Vulnerability Allowing Unauthenticated Database Access
Vulnerability
A SQL injection vulnerability has been identified in NovaCHRON Smart Time Plus versions 8.x prior to 8.6. The vulnerability exists in the 'getCookieNames' method of the 'smarttimeplus/MySQLConnection' endpoint, allowing unauthenticated users to execute UNION SELECT-based SQL injection attacks. Exploitation can lead to unauthorized access to sensitive data, including usernames, password hashes, session cookies, and plain-text SMTP credentials.
Impact
Exploitation of this vulnerability allows for unauthorized access to the application's MySQL database, with the potential to retrieve sensitive information such as user credentials and session data. This database access can be leveraged to create new admin users, as demonstrated in the exploitation of a related vulnerability (CVE-2024-53543), ultimately leading to unauthenticated remote code execution on the Windows host via a chained exploitation process.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'smarttimeplus/MySQLConnection' endpoint. The 'getCookieNames' method can be invoked without any session cookie, making it possible to inject SQL payloads that exploit the UNION SELECT injection vulnerability. After successfully injecting a payload, the response will include the extracted data from the database, such as usernames and password hashes.
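Because the affected method is reachable without a session cookie, a defender's first signal is web-server or reverse-proxy logs: POST requests to the 'smarttimeplus/MySQLConnection' endpoint that carry UNION SELECT in the body, and unauthenticated calls to 'getCookieNames' generally. The script below is an added example, not code from NovaCHRON or from this advisory; the log format, the field names, the sample log lines and the 'filter' parameter are all constructed for illustration, and only the endpoint path and method name come from the advisory. It normalises percent-encoding and inline-comment obfuscation before matching, so the check is not defeated by trivial encoding.

```python
import re
from urllib.parse import unquote_plus

# Constructed log format (an assumption for this example, not NovaCHRON's own logging):
#   <client ip> <method> <path> cookie=<yes|no> body="<url-encoded request body>"
SAMPLE_LOGS = [
    '10.0.0.5 POST /smarttimeplus/MySQLConnection cookie=yes body="method=getCookieNames&filter=alpha"',
    '10.0.0.9 POST /smarttimeplus/MySQLConnection cookie=no body="method=getCookieNames&filter=%27%20UNION%20SELECT%201%2C2--"',
    '10.0.0.9 POST /smarttimeplus/MySQLConnection cookie=no body="method=getCookieNames&filter=x%27/**/uNiOn/**/SeLeCt/**/1"',
    '10.0.0.7 GET /smarttimeplus/login cookie=no body=""',
    '10.0.0.8 POST /smarttimeplus/MySQLConnection cookie=yes body="method=getCookieNames&filter=union%20station"',
    '10.0.0.12 POST /smarttimeplus/MySQLConnection cookie=no body="method=getCookieNames"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) cookie=(?P<cookie>yes|no) body="(?P<body>.*)"$'
)
# UNION [ALL] SELECT with arbitrary whitespace, case-insensitive; comments are stripped beforehand.
UNION_SELECT_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.IGNORECASE)

# Endpoint and method named in the advisory.
TARGET_PATH = "/smarttimeplus/MySQLConnection"
TARGET_METHOD = "getCookieNames"


def normalize(body):
    """Decode percent-encoding twice (collapses double-encoded input) and
    replace MySQL inline comments, a common keyword-splitting trick, with spaces."""
    decoded = unquote_plus(unquote_plus(body))
    return re.sub(r'/\*.*?\*/', ' ', decoded)


def classify(line):
    """Return a finding dict for a suspicious log line, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["path"] != TARGET_PATH:
        return None
    body = normalize(rec["body"])
    if UNION_SELECT_RE.search(body):
        return {"ip": rec["ip"], "severity": "high",
                "reason": "UNION SELECT in request body to MySQLConnection"}
    # Heuristic (assumption): the advisory says getCookieNames is callable without a
    # session cookie, so unauthenticated calls to it are worth a lower-severity alert.
    if rec["cookie"] == "no" and f"method={TARGET_METHOD}" in body:
        return {"ip": rec["ip"], "severity": "medium",
                "reason": "getCookieNames invoked without a session cookie"}
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

The "high" rule fires on both the plainly encoded and the comment-obfuscated sample lines; the line containing "union station" and the authenticated benign call are not flagged. Tune the "medium" heuristic to your own traffic, since the advisory describes the method as callable without a cookie, not as necessarily malicious when called that way.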
Remediation
Users are advised to update to NovaCHRON Smart Time Plus version 8.6, which addresses the SQL injection vulnerabilities. However, ensure that the correct 8.6 installation package is used, as an earlier 8.6 release contained a partially patched web component.
