CVE-2019-15305 – CVE-2019-15309 Several Security Vulnerabilities in “Innosoft Einsatzplanung Web” Version 5.2q4

During a security assessment several security vulnerabilities were discovered by my colleagues Florian Moll and Nico Jansen in the Innosoft Einsatzplanung Web Software in Version 5.2q4. The vendor was informed about the existence of the vulnerabilities in May 2019. This blog article describes the discovered vulnerabilities in detail.

Stored Cross Site Scripting

Authenticated users are allowed to modify their username, and the username is displayed on the web page. By placing JavaScript code in the username, the code is executed in the user's web browser as soon as he or she logs in again. The function is reachable via the /innosoft/UserSettings/Save URL; the affected parameter is called "FullName". The following snippet contains the JSON object including the payload.

(…)
"GeneralSettings": {
    "FullName": "<script>alert(\"XSS\")</script>",
(…)

Privilege Escalation / Insecure Permissions

Low-privileged, authenticated users are able to gain administrative access by updating their own user profile, so this vulnerability is also reachable via the /innosoft/UserSettings/Save URL. The "Privfa" parameter contains permission flags that the logged-in user can modify. By changing those values, administrative access can be obtained, for example by sending the following JSON object:

(…)
{
    "Code": 0,
    "Message": null,
    "Data": {
        "User": {
            (…)
            "Privfa": "111111111111111111111111111000",
            (…)

Broken Access Control

Authenticated, non-administrative users are able to view and edit the personal information of other users. By calling the URL /innosoft/UserSettings/Get/?id=[Username] it is possible to view other users' profiles. The returned information includes the password, which is protected only by a rotational cipher that is easily reversible (see Usage of insecure encryption algorithms). Any authenticated user can therefore obtain the clear-text password of any other user, including administrators. User information is returned as JSON in the following format.

{
    "Code": 0,
    "Message": null,
    "Data": {
        "User": {
            "Name": "[Username]",
            "Passwort": "[Password]",
            "Name2": "[Username]",
            "Sprache": 1,
(…)

In addition, non-administrative, authenticated users are able to modify the profile of any other user, which includes changing that user's password. Again this is possible by modifying the profile change request before it is sent to the server, posting the modified data to the URL /innosoft/UserSettings/Save. The following snippet contains a sample payload in JSON format.

{
    "Code": 0,
    "Message": null,
    "Data": {
        "User": {
            "Name": "[Username to overwrite]",
            "Passwort": "[
(…)
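Both the privilege escalation and the broken access control above come from the same root cause: the Save handler trusts the "Name" (which record to write) and "Privfa" (which rights to grant) fields of the client-supplied JSON, and the Get handler hands out any record, password included, to any authenticated caller. The following Python is an added illustration written for this article, not the product's code, of the unchecked behaviour beside a hardened variant that binds the target record to the session user and copies only a whitelist of self-editable fields. The in-memory user table, the flag strings and the Privfa semantics are constructed assumptions; the request envelope mirrors the shape shown in the snippets.

```python
import copy

# Constructed sample records standing in for the product's user table (not real data).
# Privfa is shown on the page as a string of permission flags; the flag semantics are
# unknown, so this example treats it as an opaque field a user must not be able to set.
SAMPLE_DB = {
    "alice": {"Name": "alice", "Passwort": "Tgfvjz8", "FullName": "Alice",
              "Sprache": 1, "Privfa": "000000000000000000000000000000"},
    "admin": {"Name": "admin", "Passwort": "1234", "FullName": "Administrator",
              "Sprache": 1, "Privfa": "111111111111111111111111111000"},
}

# Fields a user may change on their own profile. Name (the record key) and Privfa are
# deliberately absent: identity comes from the session, privileges from an admin-only path.
SELF_EDITABLE = {"FullName", "Passwort", "Sprache"}


def fresh_db():
    """Returns a private copy of the constructed table so each scenario starts clean."""
    return copy.deepcopy(SAMPLE_DB)


def envelope(user_fields):
    """Builds a request body in the shape the page shows for /innosoft/UserSettings/Save."""
    return {"Code": 0, "Message": None, "Data": {"User": user_fields}}


def save_unchecked(payload, db):
    """The behaviour described above: every field, including Name and Privfa, is taken
    from the client, so the caller picks both the victim record and the new rights."""
    user = payload["Data"]["User"]
    db[user["Name"]].update(user)
    return db[user["Name"]]


def save_checked(session_user, payload, db):
    """Hardened handler: the target record is always the authenticated session user,
    and only whitelisted fields are copied from the request (no mass assignment)."""
    user = payload["Data"]["User"]
    if user.get("Name", session_user) != session_user:
        raise PermissionError("profile Name does not match the authenticated user")
    record = db[session_user]
    for key, value in user.items():
        if key in SELF_EDITABLE:
            record[key] = value
    return record


def get_checked(session_user, requested_id, db):
    """Hardened read: only the caller's own profile, and never the stored password."""
    if requested_id != session_user:
        raise PermissionError("cannot read another user's profile")
    return {k: v for k, v in db[session_user].items() if k != "Passwort"}


if __name__ == "__main__":
    db = fresh_db()
    # Low-privileged alice grants herself the admin flag string via the unchecked handler.
    save_unchecked(envelope({"Name": "alice", "Privfa": "111111111111111111111111111000"}), db)
    print("unchecked Privfa:", db["alice"]["Privfa"])
    db = fresh_db()
    # Same request against the hardened handler: FullName is accepted, Privfa is ignored.
    save_checked("alice", envelope({"Name": "alice", "FullName": "Alice B.",
                                    "Privfa": "111111111111111111111111111000"}), db)
    print("checked Privfa:", db["alice"]["Privfa"], "FullName:", db["alice"]["FullName"])
```

The admin path that legitimately changes another user's rights or password is a separate handler that checks the caller's own role server-side; the point here is that the self-service endpoint never reads identity or privilege fields from the request body.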

Usage of insecure encryption algorithms

The passwords of all users are stored in the database after "encrypting" them with a modified rotational cipher that works as follows: an offset is initialized to 1 and incremented for each character of the password. Based on the ASCII table, each character is replaced by [character + offset]. The letter a at the first position therefore becomes b; at the second position it becomes c. If the new character falls outside a specific range, it wraps around and the character after wrapping is used.

This algorithm is cryptographically insecure: the clear-text password can be recovered from the stored value within milliseconds. In addition, it is easy to generate a collision (two different passwords map to the same stored value). For example, it is possible to set a user's password to "/" and then log in successfully with the password "z".
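To make the weakness concrete, here is an added Python reconstruction of the cipher as described above (written for this article, not the vendor's code), together with the trivial decryption and a preimage search that finds collisions. The wrap-around range is not named on the page; the range '0'..'z' is an assumption chosen because it reproduces the documented collision between "/" and "z", and the real product may use a different one.

```python
import string

# Assumed wrap-around range: the page only says the cipher wraps "out of a specific
# range". '0'..'z' reproduces the documented "/" vs "z" collision; it is a guess.
RANGE_LO = ord("0")
RANGE_HI = ord("z")
RANGE_LEN = RANGE_HI - RANGE_LO + 1


def _wrap(code):
    """Folds an ASCII code back into [RANGE_LO, RANGE_HI] by whole range lengths."""
    while code > RANGE_HI:
        code -= RANGE_LEN
    while code < RANGE_LO:
        code += RANGE_LEN
    return code


def _shift(ch, offset):
    return chr(_wrap(ord(ch) + offset))


def encrypt(password):
    """Position-dependent Caesar shift: offset 1 for the 1st character, 2 for the 2nd, ..."""
    return "".join(_shift(ch, offset) for offset, ch in enumerate(password, start=1))


def decrypt(stored):
    """Recovers a valid password by subtracting the same offsets. Because the map is not
    injective this yields *a* preimage (the in-range one), which still logs in."""
    return "".join(chr(_wrap(ord(ch) - offset)) for offset, ch in enumerate(stored, start=1))


def preimages(stored, alphabet=string.printable[:-5]):
    """For each position, every printable character that encrypts to the stored one.
    More than one entry at a position means a collision, i.e. an alternative password."""
    return [[ch for ch in alphabet if _shift(ch, pos) == s]
            for pos, s in enumerate(stored, start=1)]


if __name__ == "__main__":
    stored = encrypt("Secret1")          # constructed sample password
    print("stored:", stored, "-> recovered:", decrypt(stored))
    print('encrypt("/") ==', encrypt("/"), '== encrypt("z") ==', encrypt("z"))
    print("alternative first characters for a stored '0':", preimages("0")[0])
```

Collisions arise exactly where the input character lies outside the wrap range: "/" (0x2F) sits just below '0', so shifting it by 1 lands on '0' without wrapping, while "z" + 1 overshoots the top and wraps to the same '0'. Any scheme that is a fixed permutation per position can be inverted like this; only a salted, slow password hash removes both the reversibility and the trivial collisions.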

Security Misconfiguration

The maximum allowed password length is limited to only 8 characters, and no password complexity policy is enforced; as a result, it is possible to set passwords of a single character. Even if a secure hash algorithm such as SHA-256 were used, such passwords could be brute-forced trivially because of their low complexity.

Timeline

  • <2019-05: Vulnerabilities were discovered
  • 2019-05-17: Innosoft was informed about the vulnerabilities
  • 2019-08-06: Innosoft confirmed the vulnerabilities and fixed them in the next release.
  • CVE-IDs (CVE-2019-15305 – CVE-2019-15309) were assigned
  • XXXXXXXX: Public disclosure