diamond_fulldiamonddiamond_halfdiamond_eurosearch-iconmenuchat-iconclose-iconenvelope-iconsmartphone-call-icon

Blog & News

March 28, 2024

Advisory: Insufficient Access Controls in Visual Planning

Release of SCHUTZWERK-SA-2023-005

preview-image for SCHUTZWERK-SA-2023-005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title
=====

SCHUTZWERK-SA-2023-005: Insufficient Access Controls in Visual Planning

Status
======

PUBLISHED

Version
=======

1.1

CVE reference
=============

CVE-2023-49233

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-005/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-005.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary
=======

Insufficient access checks in Admin Center allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level.

Risk
====

Due to lack of access controls attackers in control of non-administrative user accounts are able to perform at least the following actions via the GUI:

- - access and modify modules
- - access and modify services
- - access and modify WebService administrator API key
- - access and modify LDAP settings
- - access and modify document storage settings
- - export and import management data
- - execute SQL queries against the configured database
- - access and modify planners

If the corresponding requests are known, the functions can be directly called via the respective API calls.

The ability to access LDAP and document storage settings allows attackers to obtain configured LDAP, Dropbox, OneDrive and Google Drive credentials. Importing management data likely allows attackers to overwrite passwords and add new users (potentially including administrators).

Credentials can be obtained through the vulnerability described in SCHUTZWERK-SA-2023-004/CVE-2023-49232.

Description
===========

During a recent red teaming assessment, Visual Planning was identified as part of the customers internet-facing assets. The software is developed by STILOG I.S.T. and provides resource management and scheduling features. A security assessment conducted by SCHUTZWERK found insufficient access checks in Visual Planning's Admin Center.
The application Admin Center (vpadmin) communicates with the server through an XML-based protocol that utilizes proprietary compression methods and is transmitted via HTTP. SCHUTZWERK implemented a custom proxy as part of an assessment in order to intercept and manipulate the messages exchanged between application and server.

When performing a login in Admin Center, the message similar to the following is sent to the server:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.NamedMethodParameter>
<methodName>validateUserLogin</methodName>
<rawResult>false</rawResult>
<userSession isNull="true"/>
<values>
<HashtableValue>
<key>passwd</key>
<value class="String">Passw0rd!</value>
</HashtableValue>
<HashtableValue>
<key>login</key>
<value class="String">test4</value>
</HashtableValue>
<HashtableValue>
<key>adminMode</key>
<value class="java.lang.Boolean">true</value>
</HashtableValue>
</values>
</com.visualplanning.query.NamedMethodParameter>

If the provided credentials are valid, the server will respond with a VPUser data structure containing information about the user:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.PersistentDataLoadResult>
<datas>
<com.visualplanning.data.admin.VPUser>
<ID>6</ID>
<UID>79C4-9F31-FD34-4E52-0EF1-501D-7789-FA77</UID>
<activated>true</activated>
<comments></comments>
<email></email>
<expiredPasswd>false</expiredPasswd>
<groups/>
<imageProfilBase64></imageProfilBase64>
<ldapSetting>
<entityID>-1</entityID>
</ldapSetting>
<licenses/>
<loginAttemps>0</loginAttemps>
<mobilePhoneNumber></mobilePhoneNumber>
<name>test4</name>
<ownerID>0</ownerID>
<phoneNumber></phoneNumber>
<platform>VP</platform>
<resetPasswd>false</resetPasswd>
<resourceUser>false</resourceUser>
</com.visualplanning.data.admin.VPUser>
</datas>
<histories/>
<resultValues/>
<status>OK</status>
</com.visualplanning.query.result.PersistentDataLoadResult>

At this point, if the user is not an administrator, the Admin Center displays the message "Unauthorized user or already connected".

It was, however, discovered, that the corresponding checks to determine whether a user is authorized to access the Admin Console take place on the client-side. Modifying the ID contained in the <ID> field of the response to "1" allows the login to progress further and causes a mostly complete UI to be loaded. Due to missing server-side permission checks the functions of the Admin Console can subsequently be used by the unauthorized user.

Solution/Mitigation
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline
===================

2023-11-01: Vulnerability discovered
2023-11-09: Contact vendor in order to determine security contact
2023-11-10: Received generic sales response from vendor
2023-11-14: Contacted CTO of vendor directly
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor
2023-11-24: CVE assigned by Mitre
2023-11-24: Additional technical details provided to vendor
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings is in progress
2024-01-30: Inquired about mitigation status regarding the reported vulnerabilities
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were already fixed
2024-03-08: Sent advisory drafts to vendor
2024-03-28: Received patch information and release of advisory

Contact/Credits
===============

The vulnerability was discovered during an assessment by Lennert Preuth and David Brown of SCHUTZWERK GmbH.

References
==========

[1] https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

Disclaimer
==========

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at SCHUTZWERK GmbH's website ( https://www.schutzwerk.com ).

Additional information
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmbWzaIaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvOsBAAteYsWLXH4c3uYw3n+Zgt
fgMrGFEbAwZpSEGoFf4DFmChk/hgyKkQrz2rnqtYXv/YuULvMzCLBAh+s4g0aIei
Zkr3FvIjPzkGXJzp+tXpUcsUOu3zB8s9qNSgDW3ybIPMqRTJYbyl7Hz3nJlPWx64
rplOaK0i6+aMizOQ6cvQk/9XE6gHZjyf+A1aJcY5L6U9zjj57YNX2WT+I4/us8LT
bEi6DU3A0MJ5gVGf78CipUcDywTGzTgnsph3zWR7vLA9qXfNVqXMVq3OHPGRp2sp
/Kjp5bBnprCUh9EabIpzw925oXEY6ccZQeJmAa4sGYZZDIPEMaPuj0QBo7DEwT4w
ijP+5CCSQogOQt0S1eyg16WIOHi1//G2n0JIfvkk7LgQjMNyUsfZlIjVf8N7pS8J
WEFlVPg1mFSZLxM/dj/b9R89bIAAIxpBdeRGVkDS9V01CaoNA6mydLuV/zhrAznW
eOXJaRfcLXk4iOv3j9ogSnUZwbx11fL91W+WSWw7zzgkYtGi2ncuh9hEnYYccUs+
5OB2yHJ8uX1j3Hc1Tt18zTweY5lBYf9/b+HwH98lzNFZipWngo5gY0VGZN+7mpX7
n3+nMUKJAFKa65yv2Y3DHO6lpZaaNH91I8Vxrz0m6kZHGOVuCtg6WOI/+f5sIZXJ
H/zr65uZoj2YjXf8cWuC4gU=
=p8j9
-----END PGP SIGNATURE-----

~ Lennert Preuth, David Brown

Free Consultation