
vuln.sg Vulnerability Research Advisory

Cool Messenger Server SQL Injection Vulnerability

by Tan Chew Keong
Release Date: 2006-08-23


Summary

A vulnerability has been found in Cool Messenger Office/School Server. When exploited, the vulnerability allows anyone to log on to the messenger server as any user without knowing any password.


Tested Versions

Japanese Version:
Cool Manager version 5.0 (5,60,90,27) with Cool_CoolD 5,60,90,7

Korean Version:
Cool Messenger Office/School Server version 5.5 (5,65,12,12) with Cool_CoolD 5,65,12,11


Details

This advisory discloses an SQL injection vulnerability in Cool Messenger Office/School Server. The vulnerability exists in the way Cool_CoolD.exe handles a user logon authentication request. It is possible to exploit the vulnerability to log on to the messenger server as any user without knowing that user's password.

The vulnerability exists because Cool_CoolD.exe does not sanitise the username received from a Cool Messenger client before using it in an SQL query.


The username received from a Cool Messenger client is used to construct the following query.
CString::Format("SELECT K_MEMBERID,PASSWD FROM CD_MEMBER WHERE MEMBERID='%s';", username);

Since the username is not sanitised, it is possible to manipulate the query so that the logon succeeds without knowing any password.


For example, by submitting a specially-crafted username via the Cool Messenger client:




When such an attack has occurred, the following entry will be observed in the Cool_CoolD_Log log file.


[15:40:04:406] (1184) [INFO] User "xx' union ...."[2] logged-in, from 192.168.1.108
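To make the root cause, the fix and a detection check concrete, here is an added example (not the vendor's code, written in Python with sqlite3 rather than the server's own C++ and database): a constructed stand-in for the CD_MEMBER table, the string-built query from the advisory beside a parameter-bound version, and a scan over constructed Cool_CoolD_Log lines that flags logons whose username carries SQL metacharacters, like the entry shown above. The table layout, sample rows and log lines are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the advisory's CD_MEMBER table; not the vendor's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CD_MEMBER (K_MEMBERID INTEGER, MEMBERID TEXT, PASSWD TEXT)")
    db.execute("INSERT INTO CD_MEMBER VALUES (1, 'alice', 'pw-alice'), (2, 'bob', 'pw-bob')")
    return db


def lookup_unsafe(db, username):
    # Same pattern as the advisory's CString::Format call: the username is pasted into the SQL text,
    # so any quote in it changes the statement instead of being treated as data.
    query = "SELECT K_MEMBERID,PASSWD FROM CD_MEMBER WHERE MEMBERID='%s';" % username
    return db.execute(query).fetchall()


def lookup_safe(db, username):
    # The fix: bind the username as a parameter; the driver never splices it into SQL text.
    sql = "SELECT K_MEMBERID,PASSWD FROM CD_MEMBER WHERE MEMBERID=?;"
    return db.execute(sql, (username,)).fetchall()


def is_fragile(db, username):
    """True when the string-built query fails or returns something other than the bound query."""
    try:
        return lookup_unsafe(db, username) != lookup_safe(db, username)
    except sqlite3.Error:
        return True


# Constructed log lines in the Cool_CoolD_Log format quoted in the advisory.
SAMPLE_LOG = [
    '[15:40:04:406] (1184) [INFO] User "xx\' union ...."[2] logged-in, from 192.168.1.108',
    '[15:41:12:001] (1184) [INFO] User "alice"[1] logged-in, from 192.168.1.5',
]
LOGON_RE = re.compile(r'User "(?P<user>.*)"\[\d+\] logged-in, from (?P<ip>[\d.]+)')
SUSPICIOUS_RE = re.compile(r"['\"]|--|/\*|\bunion\b", re.IGNORECASE)


def flag_logon_lines(lines):
    """Return (username, source_ip) for logon entries whose username looks like SQL, not a user."""
    hits = []
    for line in lines:
        m = LOGON_RE.search(line)
        if m and SUSPICIOUS_RE.search(m.group("user")):
            hits.append((m.group("user"), m.group("ip")))
    return hits
```

A username such as O'Brien is enough to show the difference: the bound query simply finds no row, while the string-built one breaks, which is the same flaw an attacker turns into a bypass.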


Patch / Workaround

According to the vendor, the vulnerability has been fixed in the following versions.

Japanese Version:
Cool Manager version 5.0 (5,60,90,28)

Korean Version:
Cool Messenger Office/School Server version 5.5 (5,65,12,13)


Disclosure Timeline

2006-07-15 - Vulnerability Discovered.
2006-07-17 - Initial Vendor Notification.
2006-07-28 - Received notification that the fixed Korean version has been released. The Japanese version is not yet ready for release.
2006-08-04 - Reminder sent to vendor of Japanese version.
2006-08-16 - Reminder sent to vendor in Korea.
2006-08-16 - Received reply that the fixed Japanese version will be released on 2006-08-16.
2006-08-23 - Public Disclosure.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to