CVE-2019-16384, 85: Cyblesoft Thinfinity VirtualUI – Path Traversal, HTTP Header Injection

Nettitude discovered two vulnerabilities within Cyblesoft’s Thinfinity VirtualUI web application. The findings include path traversal and HTTP header injection, which could be leveraged to execute an XSS payload.

Thinfinity VirtualUI enables Windows-based desktop applications to function as cross-browser, cross-device web applications, which can be run on a Windows environment or be accessed remotely from a web-browser.

Path Traversal Proof of Concept – CVE-2019-16384

The path traversal vulnerability can be leveraged to perform remote data exfiltration from the Windows host. It enables files outside of the intended web directory to be retrieved if their location is known and the application has sufficient permissions to read them, compromising the confidentiality of application data.

The following proof of concept shows how common Windows configuration files were retrieved on the test host, traversing the file directories using the ../ notation. This was captured on the Cyblesoft demo site.

Vulnerable Request Including Path Traversal Payload

Local File ‘win.ini’ Displayed within Server Response

HTTP Header Injection Proof of Concept – CVE-2019-16385

The identified HTTP header injection vulnerability enables control over the application response and can be leveraged to perform a reflected Cross-Site Scripting attack.

The vulnerable mimetype URL parameter can be injected with an arbitrary payload, which is reflected within the Content-type header of the server response, in its entirety.

Injecting URL-encoded carriage return line feed characters (%0d%0a) within that vulnerable parameter results in the response being split, as a new line is inserted within the header section of the server response, whilst still returning a 200 OK response.

The ability to insert newlines and arbitrary payloads gives full control over the contents of the response and, as shown below, can be leveraged to perform reflected cross-site scripting. The inserted new lines cause the subsequent response headers to be interpreted as the response body, and the malicious JavaScript payload is injected within this new response body.

An example payload consisting of URL-encoded CRLF characters, HTML, and JavaScript is injected to reflect a basic alert box within the client.
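To make the splitting concrete, here is an added Python model (not Thinfinity VirtualUI code) of a handler that copies a user-supplied mimetype parameter into the Content-Type header, first reflecting it verbatim and then validating it against a media-type grammar; the parameter name comes from the write-up, the handler and the constructed input are mine.

```python
import re
from urllib.parse import unquote

# Added example, not Thinfinity VirtualUI code: a minimal model of a handler
# that copies the user-supplied 'mimetype' parameter into the Content-Type
# header, first reflecting it verbatim and then validating it.

# type "/" subtype, optionally followed by ";name=value" parameters.
MEDIA_TYPE_RE = re.compile(
    r"[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(;\s*[A-Za-z0-9-]+=[^;\r\n]*)*"
)

def build_response(content_type: str, body: bytes) -> bytes:
    """Serialise status line, headers and body as they go on the wire."""
    head = ("HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            "\r\nX-Frame-Options: DENY\r\n\r\n")
    return head.encode("latin-1", "replace") + body

def vulnerable_response(mimetype_param: str, body: bytes) -> bytes:
    """Decodes the query value and reflects it in its entirety."""
    return build_response(unquote(mimetype_param), body)

def hardened_response(mimetype_param: str, body: bytes) -> bytes:
    """Accepts only a well-formed media type; CR/LF can never match."""
    value = unquote(mimetype_param)
    if not MEDIA_TYPE_RE.fullmatch(value):
        value = "application/octet-stream"  # safe default (or answer 400)
    return build_response(value, body)

def parse_response(raw: bytes):
    """Split a raw response the way a browser does: headers end at the
    first blank line and everything after it is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode().strip().lower()] = value.decode().strip()
    return headers, body

if __name__ == "__main__":
    # Constructed input: two percent-encoded CRLFs end the header section
    # early, so the text that follows lands in the body.
    crafted = "text/html%0d%0a%0d%0a<b>injected</b>"
    print("vulnerable:", parse_response(vulnerable_response(crafted, b"real body")))
    print("hardened:  ", parse_response(hardened_response(crafted, b"real body")))
```

In the vulnerable output the X-Frame-Options header has moved into the body, which is exactly the loss of control over the response that the write-up describes.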

Vulnerable Request Including URL-Encoded CRLF Characters and XSS Payload

Server Response Showing Injected JS Payload

Versions Affected

All versions up to and including Thinfinity VirtualUI 2.5.17.2 are affected by both of the vulnerabilities disclosed.

Conclusion

These vulnerability types are common in modern web applications. The ones presented here could have a moderate impact, and it is recommended that users of the software fix the vulnerabilities by applying the available patch.

Cyblesoft were quick to respond, and regular communication with the vendor enabled a patch to be released to address both of these issues before public disclosure.

Thinfinity UI Vulnerability Disclosure Timeline

  • Date of discovery: 20 August 2019
  • Vendor informed: 22 August 2019
  • Vendor patch received: 14 October 2019
  • Patch confirmed effective: 14 October 2019
  • Vendor informed about planned disclosure: 14 October 2019
  • Public Disclosure: 4 June 2020

CVE-2019-13021, 22, 23: JETSELECT Network Segregation Application

Nettitude are disclosing three vulnerabilities discovered as part of a security assessment on board a superyacht. These vulnerabilities have now had patches published by the vendor, and an appropriate time period has elapsed to allow for a patching window aboard the vessels.

JETSELECT

The JETSELECT application is supplied by JetStream, a technology company specialising in the provision of various IT services to the yacht industry. Further details on the product can be found here:

http://www.jetstream.mc/our-products/jetselect/

The JETSELECT instance tested by Nettitude was hosted on Oracle Glassfish middleware, which was vulnerable to Local File Inclusion. This vulnerability allowed Nettitude to analyse the underlying source code of JETSELECT, revealing several other vulnerabilities. The Oracle Glassfish middleware was the mechanism that allowed for the discovery of the following vulnerabilities from an unauthenticated attacker perspective.

CVE-2019-13021

During installation of the JETSELECT application, an installation script is run. It writes a copy of the master password to a .bak file stored on the filesystem.

As can be seen in the screenshot below, the CONFSFC variable is assigned to /JetSelect/SFC/resources/sfc-general.properties.

This installation script was located in /home/bondit/jsl/3passchange.sh

At the conclusion of the script, an in-place sed command replaces all previously stored password hashes with the new passwords in the sfc-general.properties file. Additionally, the previous installation password hashes are stored in a file named sfc-general.properties.bak. The full path to this file is /JetSelect/SFC/resources/sfc-general.properties.

Any low privileged user on the system can view this directory, rendering ineffective any protection that the MySQL database or salting might otherwise provide.

Whilst this does give direct access to the password hashes, Nettitude were unable to discover the plaintext password until the discovery of CVE-2019-13022, shown below.

CVE-2019-13022

Nettitude continued to probe the application, eventually gaining access to the JAR class ENCtool.jar referred to in the installation script, which is responsible for encrypting and decrypting data.

After obtaining a copy of that file, Nettitude decompiled the application and gained access to the source code. Examination of the source code revealed that the algorithm responsible for generating the "secure" password hashes was simply an XOR function followed by Base64 encoding of the output, as shown below.

Leveraging this information, it was possible to quickly develop a tool to gain access to the original plaintext input.

Using that tool, a Base64 encoded string obtained from the sfc-general.properties file can be passed in:

python crack.py "TVxOTkpST1k="

'Encrypted' Password: TVxOTkpST1k=

'Decrypted' Password: password
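As an added illustration (not the vendor's ENCtool.jar, nor the crack.py from this write-up), the following Python reimplements the scheme described above, XOR with a repeating key followed by Base64, and shows why a single stored value with a known plaintext is enough to recover the key, beside a salted PBKDF2 hash as the form such values should take. The key is derived from the sample pair shown above rather than assumed; the function names are mine.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the vendor's ENCtool.jar or Nettitude's crack.py: the
# scheme the decompiled code revealed (XOR with a repeating key, then Base64)
# reimplemented next to a proper salted password hash for comparison.

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats to cover its length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def weak_encode(password: str, key: bytes) -> str:
    """The stored 'hash': XOR, then Base64. This is encoding, not hashing."""
    return base64.b64encode(xor_bytes(password.encode(), key)).decode()

def weak_decode(encoded: str, key: bytes) -> str:
    """XOR is its own inverse, so anyone holding the key gets the plaintext."""
    return xor_bytes(base64.b64decode(encoded), key).decode()

def recover_key(known_plain: str, known_encoded: str) -> bytes:
    """One known plaintext/ciphertext pair leaks the key: for every byte,
    ciphertext XOR plaintext == key. The stream is collapsed to its period."""
    stream = xor_bytes(base64.b64decode(known_encoded), known_plain.encode())
    for n in range(1, len(stream) + 1):
        if stream == (stream[:n] * (len(stream) // n + 1))[:len(stream)]:
            return stream[:n]
    return stream

ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256

def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    """Hardened alternative: salted, slow, one-way; stored as salt$digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def pbkdf2_verify(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), digest_hex)

if __name__ == "__main__":
    # The page's own sample: 'Encrypted' TVxOTkpST1k=  <->  'Decrypted' password
    key = recover_key("password", "TVxOTkpST1k=")
    print("XOR key recovered from one known pair:", key)
    print("weak_decode:", weak_decode("TVxOTkpST1k=", key))
```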

This password can be used to log into the web interface of the application as an Administrator, allowing the amendment of all network segregation rules provided by the application. Additional passwords (for example, MySQL login details) can be found by examining the other files referenced in the 3passchange.sh script mentioned previously.

Examination of an additional installation script within the BondIT home directory named runSQL.sh also revealed MySQL credentials for the root account. After obtaining access to the MySQL database as root, it was simple to obtain usernames and password hashes for all other users in the JetSelect application using the following query:

SELECT * from JSL_USER

As these passwords are ‘encrypted’ in the same manner as previously described, it is possible to gain access to all accounts in the application.

CVE-2019-13023

Nettitude also discovered that the web interface of the application stored, and attempted to obscure, sensitive information such as RADIUS secrets and SNMP strings. These values were stored in cleartext in a property called password within the HTML of the web page. As such, it was trivial to obtain the cleartext values of these settings, even as a lower privileged user – for example, the ETO role, which is not an administrative user and should not have access to this information.

Nettitude did not complete a full assessment of the software as that was not the objective of the engagement; it is possible that other fields within the application suffer from the same issue.

Conclusion

This scenario also serves to highlight the risks that the Marine & Offshore sector can experience in relation to securing both the information technology (IT) and the operational technology (OT) of a vessel. Many vessels are equipped with 24/7 internet connectivity, in effect making the IT not much different to that of a conventional business.

It is critical that vessel operators adopt a cyber security strategy for both their onshore and offshore operations. This should incorporate, as a minimum, a solid patching strategy (supported by a development environment hosted onshore), vulnerability assessment and rolling penetration testing.

Additionally, this case study provides a perfect example of where the OWASP ASVS testing framework can improve assurance levels, as well as ensure that security is included in the development life-cycle of applications and services. Had this application been tested purely from a black box web application perspective, two of the vulnerabilities would have gone unnoticed. By combining grey box web application penetration testing with architecture reviews, build reviews, code reviews etc., it is possible to drastically improve the security of an application as a whole.

For more information on the OWASP ASVS framework, please visit:

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

Disclosure Timeline

  • 15 May 2019 – Initial communications established with vendor.
  • 24 May 2019 – Technical details provided to allocated point of contact.
  • 28 May 2019 – Follow up email sent to ensure vendor received technical details.
  • 4 June 2019 – Vendor acknowledged receipt of technical details.
  • 18 July 2019 – Nettitude requests update.
  • 21 July 2019 – Vendor replies they have a patch nearly ready, that will be released in the coming weeks.
  • 24 July 2019 – Nettitude delay disclosure to allow further time for customers to patch their software.
  • 12 December 2019 – Nettitude give vendor notice of intent to publicly disclose.
  • 13 December 2019 – Vendor acknowledges.
  • 22 April 2020 – Nettitude publicly disclose vulnerabilities.

Credits

Thanks to Rob Bone (R2B2) @m0rv4i for his quick PoC to ‘decrypt’ the passwords stored in the application.