exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Rock RMS File Upload / Account Takeover / Information Disclosure

Rock RMS File Upload / Account Takeover / Information Disclosure
Posted Jan 4, 2021
Authored by Cyber Security Research Group

Rock RMS suffers from arbitrary file upload, account takeover, and personal information disclosure vulnerabilities. Various versions are affected.

tags | exploit, arbitrary, vulnerability, info disclosure, file upload
advisories | CVE-2019-18641, CVE-2019-18642, CVE-2019-18643
SHA-256 | 8fc0428a6783de1ab9966a207dcdde3ec9f01dd3fbbf4d51cb139ea9c834aa0a

Rock RMS File Upload / Account Takeover / Information Disclosure

Change Mirror Download
Title
=========================
Multiple vulnerabilities found in Rock RMS including RCE and account takeover. A total of three CVEs were issued for the vulnerabilities (CVE-2019-18641, CVE-2019-18642, CVE-2019-18643)

Product Description
=========================
Rock RMS is an open source CRM. Although the product is free, they request a paid subscription based on number of users. In some cases, early access to patches require a paid subscription.

Vulnerability Descriptions
=========================
1
Name: File upload restriction bypass - CVE-2019-18643
CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details: The file upload functionality using the fileUpload.ashx page was vulnerable to uploading malicious files by bypassing the file extension restrictions. Rock RMS uses a black list of file extensions which is checked upon uploading a file. The logic for the black list validation was vulnerable to bypass leading to arbitrary file uploads resulting in RCE. There were other issues with the file upload functionality such as being able to tamper the upload location which led to the ability to upload files to any directory on the system. Several failed patches were released for this vulnerability which partially addressed the issue but the product remained vulnerable to exploitation until the final patch was released.
Disclosure dates:
01/09/2019 - initial disclosure of filetype restriction bypass
03/17/2019 - second disclosure informing that the 8.6 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
07/10/2019 - third disclosure informing that the 8.8 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
11/03/2019 - fourth disclosure informing that the 8.9 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
Patch date and version: Final patch was released on 11/05/2019 for version 8.10 and on 11/06/2019 for version 9.4. Vulnerable versions are < 8.10 and 9.0 - 9.3.

2
Name: Account takeover - CVE-2019-18642
CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details: When a low privileged user updates their profile, the user ID is sent to the server. This ID can be tampered to make changes to any other user including the system administrator account. Changing the email address of another account allows an attacker to perform a password reset then login and take over the account. Performing this action on the administrator account leads to full application compromise.
Disclosure date: 01/16/2019
Patch date and version: 02/19/2019 in version 8.6

3
Name: User personal information leak - CVE-2019-18641
CVSS score: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details: The GetVCard functionality was not setup with any security. This allowed any unauthenticated user to loop through all sequential user ID's and exfiltrate user's personal information they have entered for their account. This information could include first name, last name, phone numbers, email address, physical address, etc.
Disclosure date: 01/09/2019
Patch date and version: 02/19/2019 in version 8.6

There were other security risks that were identified in the product such as several API calls that were not secured, reflected XSS and private calendar access leading to information leakage.

Detection and Remediation
======================
Firstly, update to the most recent patch as soon as possible. Once updated, there are a few things that can be checked to determine if any malicious activity has taken place on your implementation of Rock RMS.
-Review the Content directory for any files that have file extensions that could be malicious such as aspx
-Check all web logs you have to see if the file upload functionality was used to upload to a directory outside the Content directory
-Check web logs for suspicious iterations looping through objects such as vcard IDs

Responsible Disclosure Timeline
=========================
01/09/2019 - Initial disclosure of vulnerabilities including RCE via restricted file upload, vulnerable API tags, GetVCard exfil of users personal information and calendar private data
01/10/2019 - Vendor responded and informed they would investigate
01/16/2019 - Second disclosure - Account take over via profile update
01/18/2019 - Third disclosure - File upload can write to any location on disk, File upload with sensitive extensions allowed
02/19/2019 - Version 8.6 released
03/07/2019 - Disclosed that patch logic in 8.6 did not fully fix file upload issue
03/19/2019 - Version 8.7 released (no additional patch for upload issues - still vulnerable)
05/29/2019 - Version 8.8 released
07/10/2019 - Disclosed that patch logic in 8.8 did not fully fix upload issue
08/05/2019 - Version 9.0 released (9.x requires a paid account)
08/09/2019 - Version 8.9 released
08/20/2019 - Version 9.1 released (no additional patch for upload issues - still vulnerable)
09/11/2019 - Version 9.2 released (no additional patch for upload issues - still vulnerable)
10/23/2019 - Version 9.3 released (no additional patch for upload issues - still vulnerable)
11/03/2019 - Disclosed that patch logic in 8.9 did not fix the file upload issue.
11/05/2019 - Version 8.10 released (contained final fix for file upload vulnerability in version 8.x line)
11/06/2019 - Version 9.4 released (contained final fix for file upload vulnerability in version 9.x line)
11/07/2019 - Confirmed file upload vuln was fixed in 8.10

Delayed public disclosure to allow time for customers of the product to patch their systems.


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close