what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Rock RMS File Upload / Account Takeover / Information Disclosure

Rock RMS File Upload / Account Takeover / Information Disclosure
Posted Jan 4, 2021
Authored by Cyber Security Research Group

Rock RMS suffers from arbitrary file upload, account takeover, and personal information disclosure vulnerabilities. Various versions are affected.

tags | exploit, arbitrary, vulnerability, info disclosure, file upload
advisories | CVE-2019-18641, CVE-2019-18642, CVE-2019-18643
SHA-256 | 8fc0428a6783de1ab9966a207dcdde3ec9f01dd3fbbf4d51cb139ea9c834aa0a

Rock RMS File Upload / Account Takeover / Information Disclosure

Change Mirror Download
Title
=========================
Multiple vulnerabilities found in Rock RMS including RCE and account takeover. A total of three CVEs were issued for the vulnerabilities (CVE-2019-18641, CVE-2019-18642, CVE-2019-18643)

Product Description
=========================
Rock RMS is an open source CRM. Although the product is free, they request a paid subscription based on number of users. In some cases, early access to patches require a paid subscription.

Vulnerability Descriptions
=========================
1
Name: File upload restriction bypass - CVE-2019-18643
CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details: The file upload functionality using the fileUpload.ashx page was vulnerable to uploading malicious files by bypassing the file extension restrictions. Rock RMS uses a black list of file extensions which is checked upon uploading a file. The logic for the black list validation was vulnerable to bypass leading to arbitrary file uploads resulting in RCE. There were other issues with the file upload functionality such as being able to tamper the upload location which led to the ability to upload files to any directory on the system. Several failed patches were released for this vulnerability which partially addressed the issue but the product remained vulnerable to exploitation until the final patch was released.
Disclosure dates:
01/09/2019 - initial disclosure of filetype restriction bypass
03/17/2019 - second disclosure informing that the 8.6 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
07/10/2019 - third disclosure informing that the 8.8 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
11/03/2019 - fourth disclosure informing that the 8.9 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
Patch date and version: Final patch was released on 11/05/2019 for version 8.10 and on 11/06/2019 for version 9.4. Vulnerable versions are < 8.10 and 9.0 - 9.3.

2
Name: Account takeover - CVE-2019-18642
CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details: When a low privileged user updates their profile, the user ID is sent to the server. This ID can be tampered to make changes to any other user including the system administrator account. Changing the email address of another account allows an attacker to perform a password reset then login and take over the account. Performing this action on the administrator account leads to full application compromise.
Disclosure date: 01/16/2019
Patch date and version: 02/19/2019 in version 8.6

3
Name: User personal information leak - CVE-2019-18641
CVSS score: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details: The GetVCard functionality was not setup with any security. This allowed any unauthenticated user to loop through all sequential user ID's and exfiltrate user's personal information they have entered for their account. This information could include first name, last name, phone numbers, email address, physical address, etc.
Disclosure date: 01/09/2019
Patch date and version: 02/19/2019 in version 8.6

There were other security risks that were identified in the product such as several API calls that were not secured, reflected XSS and private calendar access leading to information leakage.

Detection and Remediation
======================
Firstly, update to the most recent patch as soon as possible. Once updated, there are a few things that can be checked to determine if any malicious activity has taken place on your implementation of Rock RMS.
-Review the Content directory for any files that have file extensions that could be malicious such as aspx
-Check all web logs you have to see if the file upload functionality was used to upload to a directory outside the Content directory
-Check web logs for suspicious iterations looping through objects such as vcard IDs

Responsible Disclosure Timeline
=========================
01/09/2019 - Initial disclosure of vulnerabilities including RCE via restricted file upload, vulnerable API tags, GetVCard exfil of users personal information and calendar private data
01/10/2019 - Vendor responded and informed they would investigate
01/16/2019 - Second disclosure - Account take over via profile update
01/18/2019 - Third disclosure - File upload can write to any location on disk, File upload with sensitive extensions allowed
02/19/2019 - Version 8.6 released
03/07/2019 - Disclosed that patch logic in 8.6 did not fully fix file upload issue
03/19/2019 - Version 8.7 released (no additional patch for upload issues - still vulnerable)
05/29/2019 - Version 8.8 released
07/10/2019 - Disclosed that patch logic in 8.8 did not fully fix upload issue
08/05/2019 - Version 9.0 released (9.x requires a paid account)
08/09/2019 - Version 8.9 released
08/20/2019 - Version 9.1 released (no additional patch for upload issues - still vulnerable)
09/11/2019 - Version 9.2 released (no additional patch for upload issues - still vulnerable)
10/23/2019 - Version 9.3 released (no additional patch for upload issues - still vulnerable)
11/03/2019 - Disclosed that patch logic in 8.9 did not fix the file upload issue.
11/05/2019 - Version 8.10 released (contained final fix for file upload vulnerability in version 8.x line)
11/06/2019 - Version 9.4 released (contained final fix for file upload vulnerability in version 9.x line)
11/07/2019 - Confirmed file upload vuln was fixed in 8.10

Delayed public disclosure to allow time for customers of the product to patch their systems.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close