28 March 2024

Advisory: Insufficient Access Controls in Visual Planning

Release of SCHUTZWERK-SA-2023-005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title
=====

SCHUTZWERK-SA-2023-005: Insufficient Access Controls in Visual Planning

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE REQUESTED

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-005/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-005.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary
=======

Insufficient access checks in Admin Center allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level.

Risk
====

Due to the lack of access controls, attackers in control of non-administrative user accounts are able to perform at least the following actions via the GUI:

- access and modify modules
- access and modify services
- access and modify the WebService administrator API key
- access and modify LDAP settings
- access and modify document storage settings
- export and import management data
- execute SQL queries against the configured database
- access and modify planners

If the corresponding requests are known, the functions can be directly called via the respective API calls.

The ability to access LDAP and document storage settings allows attackers to obtain configured LDAP, Dropbox, OneDrive and Google Drive credentials. Importing management data likely allows attackers to overwrite passwords and add new users (potentially including administrators).

Credentials can be obtained through the vulnerability described in SCHUTZWERK-SA-2023-004/CVE-2023-49232.

Description
===========

During a recent red teaming assessment, Visual Planning was identified as part of the customer's internet-facing assets. The software is developed by STILOG I.S.T. and provides resource management and scheduling features. A security assessment conducted by SCHUTZWERK found insufficient access checks in Visual Planning's Admin Center.
The Admin Center application (vpadmin) communicates with the server through an XML-based protocol that uses proprietary compression methods and is transmitted via HTTP. SCHUTZWERK implemented a custom proxy as part of the assessment in order to intercept and manipulate the messages exchanged between the application and the server.

When logging in to the Admin Center, a message similar to the following is sent to the server:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.NamedMethodParameter>
<methodName>validateUserLogin</methodName>
<rawResult>false</rawResult>
<userSession isNull="true"/>
<values>
<HashtableValue>
<key>passwd</key>
<value class="String">Passw0rd!</value>
</HashtableValue>
<HashtableValue>
<key>login</key>
<value class="String">test4</value>
</HashtableValue>
<HashtableValue>
<key>adminMode</key>
<value class="java.lang.Boolean">true</value>
</HashtableValue>
</values>
</com.visualplanning.query.NamedMethodParameter>

If the provided credentials are valid, the server will respond with a VPUser data structure containing information about the user:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.PersistentDataLoadResult>
<datas>
<com.visualplanning.data.admin.VPUser>
<ID>6</ID>
<UID>79C4-9F31-FD34-4E52-0EF1-501D-7789-FA77</UID>
<activated>true</activated>
<comments></comments>
<email></email>
<expiredPasswd>false</expiredPasswd>
<groups/>
<imageProfilBase64></imageProfilBase64>
<ldapSetting>
<entityID>-1</entityID>
</ldapSetting>
<licenses/>
<loginAttemps>0</loginAttemps>
<mobilePhoneNumber></mobilePhoneNumber>
<name>test4</name>
<ownerID>0</ownerID>
<phoneNumber></phoneNumber>
<platform>VP</platform>
<resetPasswd>false</resetPasswd>
<resourceUser>false</resourceUser>
</com.visualplanning.data.admin.VPUser>
</datas>
<histories/>
<resultValues/>
<status>OK</status>
</com.visualplanning.query.result.PersistentDataLoadResult>

At this point, if the user is not an administrator, the Admin Center displays the message "Unauthorized user or already connected".

It was, however, discovered that the checks determining whether a user is authorized to access the Admin Console take place on the client side. Modifying the value of the <ID> field in the response to "1" allows the login to proceed and causes a mostly complete UI to be loaded. Due to missing server-side permission checks, the functions of the Admin Console can subsequently be used by the unauthorized user.
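The following is an added example, not code from STILOG I.S.T. or SCHUTZWERK, of how a server for this kind of XML method-call protocol enforces the authorization decision itself, covering both the adminMode login above and the administrative functions listed under Risk. It parses the NamedMethodParameter request shape quoted in the advisory; the user table, the session store, the password values and all method names other than validateUserLogin are constructed for the demo and are not Visual Planning's real API.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed login request, modelled on the message quoted in the advisory.
LOGIN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.NamedMethodParameter>
<methodName>validateUserLogin</methodName>
<rawResult>false</rawResult>
<userSession isNull="true"/>
<values>
<HashtableValue><key>passwd</key><value class="String">Passw0rd!</value></HashtableValue>
<HashtableValue><key>login</key><value class="String">test4</value></HashtableValue>
<HashtableValue><key>adminMode</key><value class="java.lang.Boolean">true</value></HashtableValue>
</values>
</com.visualplanning.query.NamedMethodParameter>"""

# Constructed user directory. Plaintext passwords are for the demo only; a real
# server stores password hashes. "test4" mirrors the non-admin account (ID 6)
# from the advisory; "admin" is hypothetical.
USERS = {
    "test4": {"ID": 6, "passwd": "Passw0rd!", "is_admin": False},
    "admin": {"ID": 1, "passwd": "Adm1n-Passw0rd", "is_admin": True},
}

# Hypothetical per-method policy: the role each administrative function needs.
# The method names are invented; the operations come from the Risk section.
ADMIN_ONLY = {"getLdapSettings", "executeSqlQuery",
              "importManagementData", "getWebServiceApiKey"}

SESSIONS = {}  # session token -> server-side record of login and role


def parse_named_method(xml_text):
    """Return (methodName, {key: value}) from a NamedMethodParameter document."""
    root = ET.fromstring(xml_text)
    values = {hv.findtext("key"): hv.findtext("value")
              for hv in root.findall("./values/HashtableValue")}
    return root.findtext("methodName"), values


def build_request(method, **values):
    """Constructed helper: serialise a NamedMethodParameter request."""
    root = ET.Element("com.visualplanning.query.NamedMethodParameter")
    ET.SubElement(root, "methodName").text = method
    vals = ET.SubElement(root, "values")
    for key, value in values.items():
        hv = ET.SubElement(vals, "HashtableValue")
        ET.SubElement(hv, "key").text = key
        ET.SubElement(hv, "value").text = value
    return ET.tostring(root, encoding="unicode")


def validate_user_login(values):
    """Authenticate and decide adminMode on the server, not in the client."""
    login = values.get("login", "")
    user = USERS.get(login)
    supplied = values.get("passwd", "").encode()
    if user is None or not secrets.compare_digest(user["passwd"].encode(), supplied):
        return {"status": "DENIED", "reason": "bad credentials"}
    if values.get("adminMode") == "true" and not user["is_admin"]:
        # Refused here, on the server. Whatever the client later does with the
        # returned VPUser (e.g. editing <ID>) cannot change this decision.
        return {"status": "DENIED", "reason": "Unauthorized user"}
    token = secrets.token_hex(16)
    SESSIONS[token] = {"login": login, "is_admin": user["is_admin"]}
    return {"status": "OK", "ID": user["ID"], "token": token}


def handle_request(xml_text, token=None):
    """Dispatch one request; authorization uses the server-side session only."""
    method, values = parse_named_method(xml_text)
    if method == "validateUserLogin":
        return validate_user_login(values)
    session = SESSIONS.get(token)
    if session is None:
        return {"status": "DENIED", "reason": "no session"}
    if method in ADMIN_ONLY and not session["is_admin"]:
        return {"status": "DENIED", "reason": "admin role required"}
    return {"status": "OK", "method": method}


def demo():
    """Walk a non-admin and an admin account through the checks; return outcomes."""
    outcomes = {}
    # 1. The advisory's adminMode=true login for a non-admin is refused server-side.
    outcomes["admin_mode_login"] = handle_request(LOGIN_REQUEST)["status"]
    # 2. A normal login succeeds and yields a session bound to is_admin=False.
    reply = handle_request(build_request("validateUserLogin", login="test4",
                                         passwd="Passw0rd!", adminMode="false"))
    outcomes["normal_login"] = reply["status"]
    # 3. The client may rewrite the ID it received to 1; the server never reads it back.
    reply["ID"] = 1
    outcomes["ldap_as_user"] = handle_request(build_request("getLdapSettings"),
                                              reply["token"])["status"]
    # 4. A genuine administrator session passes the same per-method check.
    admin = handle_request(build_request("validateUserLogin", login="admin",
                                         passwd="Adm1n-Passw0rd", adminMode="true"))
    outcomes["ldap_as_admin"] = handle_request(build_request("getLdapSettings"),
                                               admin["token"])["status"]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the role attached to a session is looked up from the server's own user record at login and re-checked for every method name; the VPUser structure sent to the client is informational only, so tampering with its <ID> field on the wire has no effect on what the server allows.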

Solution/Mitigation
===================

The vendor suggests updating to Visual Planning 8 (Build 240207).

Disclosure timeline
===================

2023-11-01: Vulnerability discovered
2023-11-09: Contacted vendor in order to determine security contact
2023-11-10: Received generic sales response from vendor
2023-11-14: Contacted CTO of vendor directly
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor
2023-11-24: CVE assigned by Mitre
2023-11-24: Additional technical details provided to vendor
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings is in progress
2024-01-30: Inquired about mitigation status regarding the reported vulnerabilities
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were already fixed
2024-03-08: Sent advisory drafts to vendor
2024-03-28: Received patch information and release of advisory

Contact/Credits
===============

The vulnerability was discovered during an assessment by Lennert Preuth and David Brown of SCHUTZWERK GmbH.

References
==========

[1] https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

Disclaimer
==========

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ).

Additional information
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0cgaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrve4g/9Gm6Vi3gRrISQDouTjEwF
4fdGCtMYazWmeaHa5X2qE0hZ8hhutkBd//pko7vuRDaHMPSq4hmy56GXWtVEw+IA
TohlwC+I3GBcYCZjeXz9E3JaNVjs1pTJKRS4S2MK+us8vH4Sym4kH3Ybv/jV/gBB
CjK7NvFus6ehzkaqPihXclzLclj/U9w4p1/h5ScNbnExt5KVBihy9zBJvBaRLY8i
kBGesHXiXRSg6oI14ohK6yZfcOEOcFunCAsb0sI3knsDWbaSqpt9pb2kf2PSi9yE
8Z90WXvwhLA5jhrci7J6daZg3DRJsJBPNVBysEtxHpGH9sqFHrufhFRn/0H4U7Jq
DAMFuYu+SpRlipueRbT3akyIcWPUlWYXC2aIh8/FHEbC3QCg5oBVkKar6QMaaotd
H+iLX/tmtBcdLGwjy0xs+3kVgd72AQDQFJymSkV8+OV4J/34oHpVhu4dzor9j+gu
w56bfxT82e7tlcgPULPh812+P8pUmOKWd2JMpViQ3/K2aPehH30YGUaRrW7m3oZP
VekOGuMKMy+NtK9Vk2nFBsrGh/NEMhiHcAvz9Qr355L8Oh1PcAGtzcclFhYbHFTu
84t6lxqpH1PdGNsyG6QlaLtR4M9w5qnrb8cZqc6RTyD3Jn/aQfkfqoUriSA6Q/1m
S9C73VGrV+bauOhWMw9vtF0=
=ms8v
-----END PGP SIGNATURE-----

~ Lennert Preuth, David Brown
