exploit the possibilities

perfact::mpa Insecure Direct Object Reference

perfact::mpa Insecure Direct Object Reference
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

SySS GmbH found out that unauthorized users are able to download arbitrary files of other users that have been uploaded via the file upload functionality. As the file names of uploaded files are incremental integer values, it is possible to enumerate and download all uploaded files without any authorization.

tags | exploit, arbitrary, file upload
MD5 | 144e141f58e04e5f34a3cd1065a4e29a

perfact::mpa Insecure Direct Object Reference

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-067
Product: perfact::mpa
Manufacturer: PerFact Innovation GmbH & Co. KG
Affected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2
Tested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2
Vulnerability Type: Insecure Direct Object References (CWE-932)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-12-18
Solution Date: 2016-01-18
Public Disclosure: 2016-02-29
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software solution perfact::mpa is a software architecture that, for
instance, is used to build web applications for the secure and reliable
remote maintenance of machines via the Internet (see [1]).

According to the manufacturer, remote control software built with
perfact::mpa impresses through the following features:

* location-independent and central monitoring,
* maintenance and error management,
* authorized remote access, and
* integrated documentation of incidents and services.

Due to improper authorization checks, unauthorized users can download
arbitrary files that have been uploaded previously.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that unauthorized users are able to download
arbitrary files of other users that have been uploaded via the file
upload functionality.

As the file names of uploaded files are incremental integer values, it
is possible to enumerate and download all uploaded files without any
authorization.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Uploaded files can be download without authorization using the following
URL, where the file ID is an incremental integer value.

https://<HOST>/<PATH>/file/<FILE ID>/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the PerFact Innovation GmbH & Co. KG, the
described security issue has been fixed in PerFact DB_Utils (toolkit)
software version 3.2.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-18: Vulnerability reported to manufacturer
2016-01-18: Response from manufacturer with detailed information about
the reported security vulnerability and its solution status
2016-02-05: E-mail to manufacturer according two open questions
2016-02-05: Response from manufacturer with further information
2016-02-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for perfact::mpa
http://perfact.de/mpa/index_html
[2] SySS Security Advisory SYSS-2015-067
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-067.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg and Sven Freund
of the SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW0/ACAAoJENmkv2o0rU2rkN4P/1GjC/HikaWUsN2n+5DkYaWy
Ix9WGPCGGDXtdTjN+Ojgof1Sb1iELrVXi0eeeGfi5szUCY4ypIXhPAU7kvtivb8P
Ux81PPUxfkSAJ5rKC5iEqWwe1AtRhsTS8RhTsN5DBwko7V3JYEtLnrhSl+unQ7Wu
nd6a1gCe6a0UFKHtky6hCTA7Xc7e9qooXSlgwCDq2m1I6iQxHw9XYfa6bKqsDOU4
TtzP+qUgckQ3323OFuFtbaW0FVRb9syY10H1qaeHwetRc/XDzMk6KLfXDyLcTr0F
cBHTWBbm7sgFLB1Q5hAtyTjiR7ckZYDmLs49sEGXYTozMClT6xtxE53VLlNwWL+u
7phNuhz8gftkmWwre/izXFpx77juOFVkNVhenVofWgc5p7ixqbcyVM5oFMbC8SsA
rUtGoPRrbBZiFqTI1wHoLCnktEjo83j0HMpIvMTlg21FO4IHzIyCmIH2RCmaFf0k
9AtnUvNzqexI4TRI0mqhbXGyT+7NriHuCcNpNZRvruOLcSLo0kiWP3s4Box8ZXPA
vnE1eRQ8p3aqqZdnfS19Ewz+tVQo70ERyAbFAjCmtvkig3fQBOJjr0ycAaleahbS
lCKrUHZTDk8cdWVVCaKKDXOrypkKr+jed2TTuYLP5YmHWP6bal4DxrAsdrru6jFC
YTERsGqN6LMUCQDkRiSf
=lQuh
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close