ASC, Thanks for the follow up. For your reference (and anyone else out there), I have verified the exploitability of multiple of your CVEs in later versions of onbase. Specifically 18.0.0.37.
CVE-2020-25254 - SQL Injection - this appears to be limited to read-only and often requires more than basic user privileges on (workview configuration privilege) in addition to a basic user. In EP3 these appear to always require workview configuration privileges, which I don't have on my configuration yet, so maybe it's patched in EP3? Probably not, but it demonstrates activity in the right direction. CVE-2020-25248 - Path traversal for read access, definitely present. In EP3 it looks like it requires additional workview configuration privilege but I suspect it's still present. CVE-2020-25247 - Path traversal for write access, it's there, but requires privilege I don't have in my configuration yet. It should be noted that this is limited to the current resourcePath & if that is on a separate partition than the binaries location then this may be a significant mitigating factor to exploit chaining with the proposed DLL hijacking vulnerability. The SQL injection has been the most valuable, I haven't been able to write anything but I have confirmed the ability to dump data. On Tue, Sep 29, 2020 at 2:16 PM AdaptiveSecurity Consulting via Fulldisclosure <[email protected]> wrote: > > Good evening. Because of the nature of the software and vulnerabilities we > have been very cautious about releasing too much information so that people > cannot easily create exploits. We have privately provided some examples, but > we are being very cautious and do not want to provide proof of concept or > other information publicly beyond what our lawyers advised us on already. We > would like to point you to the FullDisclosure post "[FD] Navy Federal > Reflective Cross Site Scripting (XSS)" (18 September) from another security > researcher references our disclosures and states that NavyFederal.org was > vulnerable to XSS, citing our work in their timeline, leading us to believe > that NavyFederal.org is or was using OnBase. > > While we do not know what version of the software you have, we did examine > two major versions of the software and noted that they both had a large > number of vulnerabilities. When we tested 19.8.9.1000, we found that it had > fewer instances of SQL injection than 18.0.0.32, but there were still large > segments of the software that was vulnerable because they still make use of > String.format and string concatenation. Both versions were equally vulnerable > to authorization bypass, logging issues, and the other issues. > > We mostly focused on the webserver bypassing the clients completely because > our customer's network and needs. We did not do as much testing on the > webclient and did not use the mobile client because our customer wasn't going > to use it. If you are having trouble, first configure your Unity client to > proxy traffic through RAT, ZAP, or Burp Suite. We also recommend using > CodeReflect, dotPeek, or a similar decompiler and search for things like > String.format and their exceptions because it makes it easier to find the > vulnerabilities and then create your exploits. > > We have been told that Hyland has since had a third party perform examination > and found the same general issues. We have also been asked repeatedly if > Hyland has contacted us even now and they have not. > > Adaptive Security Consulting > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > On Tuesday, September 29, 2020 5:06 PM, Ken <[email protected]> wrote: > > > Some discussion regarding the onbase vulnerabilities. I should have > > CC'd you on the FD list to be sure you received it. So sorry to just > > kinda forward it on to you. > > > > https://seclists.org/fulldisclosure/2020/Sep/48 > > > > On the bright side, feel free to discuss privately if you prefer. Let > > me know if you need me to up a new gpg key, I let mine expire as no > > one I know actually uses them. > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
