what you don't know can hurt you

URVE Software Build 24.03.2020 Information Disclosure

URVE Software Build 24.03.2020 Information Disclosure
Posted Dec 27, 2020
Authored by Erik Steltzner | Site sec-consult.com

URVE Software build version 24.03.2020 suffers from an information disclosure vulnerability that leaks passwords.

tags | exploit, info disclosure
advisories | CVE-2020-29550
MD5 | 67a93118486c77b8f926ea8fde0d4842

URVE Software Build 24.03.2020 Information Disclosure

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-042
Product: URVE Software
Manufacturer: Eveo Sp. z o.o.
Affected Version(s): Build "24.03.2020"
Tested Version(s): Build "24.03.2020"
Vulnerability Type: Cleartext Storage of Sensitive Information
(CWE-312)
Exposure of Sensitive Information to an
Unauthorized Actor (CWE-200)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2020-11-10
Solution Date: 2020-11-18
Public Disclosure: 2020-12-23
CVE Reference: CVE-2020-29550
Authors of Advisory: Erik Steltzner, SySS GmbH
Christoph Ritter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

URVE is a system for reserving rooms which also provides a web interface
with event scheduler.

The manufacturer describes the product as follows (see [1] and [2]):

'Booking rooms on touchscreen and easy integration with MS Exchange,
Lotus, Office 365, Google Calendar and other systems.
Great looking schedules right at the door.
Fight conference room theft with our 10" touchscreen wall-mounted
panel.'

'Manage displays, edit playlists and HTML5 content easily.
Our server can be installed on any Windows and works smoothly from
web browser.'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The password of the user account which is used for the connection of
the MS Office 365 Integration Service is stored as plaintext in
configuration files, as well as in the database.

The following files contain the password in plaintext:

Profiles/urve/files/sql_db.backup
Server/data/pg_wal/000000010000000A000000DD
Server/data/base/16384/18617
Server/data/base/17202/8708746

This causes the password to be displayed as plaintext in the HTML code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The path
/urve/roomsreservationimport/roomsreservationimport/update-HTML5?id=<id>
contains the tag with the cleartext password:

<input id="roomsreservationimport_password" [...] value="clearTextPassword">

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The password should be stored as cryptographic hash value.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-10-28: Vulnerability discovered
2020-11-10: Vulnerability reported to manufacturer
2020-11-18: Patch released by manufacturer
2020-12-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for URVE
https://urve.co.uk/system-rezerwacji-sal
[2] Product Website for URVE
https://urve.co.uk
[3] SySS Security Advisory SYSS-2020-042

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-042.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Erik Steltzner and Christoph
Ritter of SySS GmbH.

E-Mail: erik.steltzner@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268

E-Mail: christoph.ritter@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Christoph_Ritter.asc
Key ID: 0x05458E666D35EAE8
Key Fingerprint: 9FB0 1B9B 2F72 3DD5 3AF3 62D8 0545 8E66 6D35 EAE8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZTiCFlVb++ceAX+9THl5zlMWMmgFAl/i+1YACgkQTHl5zlMW
Mmh3/Q//QN2YWirc8dEQCXpmkzQ36C2HB5QwkDyimYZ9cm6d0dOp0IoxqOTXTT0M
/SYxxwiAjsimZk5P5oMlXz+H1UqickvfyOrw3xg4XIrUBh5GYlFvD4+Jvfrj27Mv
NVRaqvMfVzkqvZvnVePxqMNekrJdBwIRyTVnQ9nCcFqTo6n3xeqprTw5shVRQtqW
7jbtlrznPjGRR6tKdGZW6e29MHBU6tCLm1Z+h5hI1yJgnItpwXKZc9D6cpcxutrp
yveyFlYOSsZ8Yy7a8mGtvkbsJZFbX9aFtxF7hCWousnEJo8fECS7BIbezQoqzl74
dnWwIU/ZzoQTThS14PhLk4fVV4tPbgg35EEdpoxhJiWbkMQGx6TJkz9t/+XDcu2R
JkqcMHZNV7XNJJLs+MPTg3TGXy5OKuiPbZpSnmT1NCowGTQbb4Ptt+EUGCiT5djA
oQSGwgWAGQN/hf+6mJp5VN6HvU1jitQ7UquDhaDYHR7/iI3HRM5e8piqpZvSVeqd
lspnsdVTDtsobumXOSdzWhh/J7e+m9DqsBFGkFVebE/uwkrowcScFTTWLK1v1fPT
aYlw40SXnLjRuSvLBe4KVR/7x1zLCPMz5OfnbE4vh8r+yDtxd5QldcSguzPV4bu5
lHBcV2E+jWPUk6zDQVT2vGlKTSgAGBRjKUf8DVQaTf2/aBMAJXw=
=YEPt
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    12 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close