Perspective ICM Investigation And Case 5.1.1.16 Privilege Escalation
Posted Dec 6, 2017
Authored by Konstantinos Alexiou

Perspective ICM Investigation and Case version 5.1.1.16 suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2017-11319
MD5 | 97c034ce64727812cd85cd9c6bdfb14d

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# Exploit Title: Privilege Escalation - Perspective ICM Investigation & Case - 5.1.1.16
# Date Reported to vendor: Jun 28, 2017
# Date Accepted by vendor: Jun 11, 2017
# Exploit Author: Konstantinos.alexiou@hotmail.com
# Vendor Homepage: www.resolver.com
# Version: Perspective ICM Investigation & Case - 5.1.1.16
# Tested on: Windows 8.1
# CVE: CVE-2017-11319
# CVSS v2 Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:P)
# CVSS v2 Score: 7.4
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
According to the Resolver site, CIS "investigations and case management software is an end-to-end, total solution for responding to, reporting on,
and investigating incidents".
====================================================Vulnerability description=============================================================
The CIS application permits tampering with users' permission values, which are loaded through the following methods inside Perspective.data.dll
just after the initial authentication phase and before the graphical user interface is loaded:
- accessLevels()
- userEntityPrivs()
- userFieldPrivs()
The CIS thick client uses these methods to set up the user's graphical interface, their permission access level, and their privileges on
each GUI field; these values are retrieved from the database server just after the initial login phase. Due to insufficient validation and missing
server-side cross-checking mechanisms, unprivileged authenticated users can raise their access level permissions by tampering with these values,
thus gaining access to privileged users' actions. Using a C# disassembling and debugging tool such as "dnSpy", an unprivileged user can tamper with
these values and gain access to hidden and restricted privileged fields, or enable hidden forms such as "Administration", currently accessible only to the
"CIS Administrators" group.
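
The missing server-side check described above, as an added C# example (not code from the advisory or from the vendor): the server decides from its own grant table for the authenticated user and treats privilege flags sent by the client as untrusted input. All type and member names, the grant data and the `cisadmin` account are assumptions; only the user name ITSECAS1 comes from the advisory.

```csharp
using System;
using System.Collections.Generic;

// Added illustration: all names here are hypothetical, none come from Perspective.data.dll.
[Flags]
enum Priv { None = 0, ReadOnly = 1, Add = 2, Edit = 4, Delete = 8, Execute = 16 }

// What the thick client sends: the action it wants plus the privilege flags it
// claims to hold. The claim is untrusted, since a debugger can rewrite it.
record ClientRequest(string SessionUser, string EntityId, Priv Wanted, Priv Claimed);

class ServerAuthorizer
{
    // Server-side source of truth (constructed sample data).
    private readonly Dictionary<(string User, string Entity), Priv> _grants = new()
    {
        [("ITSECAS1", "Incidents")] = Priv.ReadOnly | Priv.Add,
        [("cisadmin", "Administration")] = Priv.ReadOnly | Priv.Edit | Priv.Execute,
    };

    // The decision uses only the server's grants for the authenticated session user.
    // Claimed is compared against them solely to flag a mismatch for logging.
    public bool Authorize(ClientRequest r, out bool tamperSuspected)
    {
        _grants.TryGetValue((r.SessionUser, r.EntityId), out Priv granted); // missing => None
        tamperSuspected = (r.Claimed & ~granted) != Priv.None;
        return r.Wanted != Priv.None && (granted & r.Wanted) == r.Wanted;
    }
}

static class Demo
{
    static void Main()
    {
        var authz = new ServerAuthorizer();
        var requests = new[]
        {
            // Constructed: unprivileged user whose client-side flags were raised.
            new ClientRequest("ITSECAS1", "Administration", Priv.Edit, Priv.Edit | Priv.Execute),
            new ClientRequest("ITSECAS1", "Incidents", Priv.Add, Priv.ReadOnly | Priv.Add),
            new ClientRequest("cisadmin", "Administration", Priv.Edit, Priv.ReadOnly | Priv.Edit),
        };
        foreach (var r in requests)
        {
            bool ok = authz.Authorize(r, out bool tamper);
            Console.WriteLine($"{r.SessionUser} {r.EntityId} {r.Wanted}: allowed={ok} tamperSuspected={tamper}");
        }
    }
}
```

The first request is denied and flagged because the server holds no grant for ITSECAS1 on Administration, whatever the client claims; the other two are allowed from the server's own data.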
======================================================== Proof of Concept ==============================================================

1. Connect to the URL and click on the main button to initiate the installation of the ClickOnce CIS application.
The CIS application starts downloading various required files which are automatically saved under the following folder:
C:\Users\{Current Logged in User}\AppData\Local\Apps\2.0

2. When the download is finished, the main executable "Perspective.exe" is initialized and loaded by dfsvc.exe, which is responsible for checking whether the application
is already installed and up to date.

3. Close the application and open a disassembling and debugging tool such as dnSpy. Use the "debugger" menu and choose the option "Debug an assembly".
This will open a dialog box to choose an executable for debugging.
Navigate to the main executable "Perspective.exe", which is installed inside the following directory, and press OK:
C:\Users\{Current Logged in User}\AppData\Local\Apps\2.0\Data\{name}.WRL\{name}.AOQ\pers..tive_f50e2c1eb6078f5b_0005.0001_c760ec4c4b1ffe6d\
The debugger will stop at the main Entry Point of the application.

4. Click "Continue" from the main menu of the application until the login form appears on the screen.

5. When the login screen appears, navigate to the "DataHandle" class, which is defined inside "Perspective.data.dll" and should already be decompiled by dnSpy.

6. Insert breakpoints at the following functions inside the DataHandle Class:
- UserEntityPrivs
- UserFieldPrivs
- UserReportPrivs

7. Log in to the application with an unprivileged account and then click Continue from the main menu of dnSpy. The debugger will stop on the first breakpoint at line
of the function UserEntityPrivs(). The "foreach" loop used inside these lines calls the UserEntityPrivs() function and sets the user's allowed permissions against visible
screens and forms. Click on the Locals field at the bottom menu of dnSpy and navigate to the entity "useEntityPrivs()" section.
It should be mentioned that the "Administration" menu is restricted to members of the "CIS Administrator" role, while the user ITSECAS1 has no access to it.

8. To enable just the administration menu for an unprivileged user, press Continue until the EntityID "Administration" appears in the Locals screen of dnSpy and
change the following values to true:
- AllowAdd
- AllowDelete
- AllowEdit
- AllowExecute
- AllowFullControl
- AllowMange
- AllowReadOnly
- AllowShare
- Visible

9. Delete the breakpoints and press Continue until the main screen of the thick client appears.
Although the user is assigned as "Global Head", the administration menu, accessible only to admin users, appears on his screen.
This modification provides access rights to change the minimum password length to 6 characters.
Additionally, using the aforementioned technique it is possible to enable additional restricted and non-visible screens for any unauthorized user.
It should also be mentioned that using the same technique it was possible to change the user's report privileges inside the last "foreach" loop.

10. Finally, just after the UserReportPrivs foreach loop finishes, we can modify the user's global membership permissions before they are applied to his interface.
It should also be mentioned that it is possible to access any submenu of the administration menu and modify values, with the only exception being the creation of a new user.
