CIPAce Version < 6.80 Build 2016031401
CIPAce Version < 9.1 Build 2019092801
CyberOne‘s TEAMARES researchers have released a steady cadence of advice regarding the importance of testing your systems regularly for vulnerabilities. The following vulnerabilities uncovered during an external penetration test drives home this necessity.
While conducting an external penetration test, our team noticed something very strange: a web application called CIPAce was disclosing errors. Under normal circumstances, this wouldn’t be unusual, but the way the application was handling errors coupled with the fact that full-stack traces were shown meant that the web.config file was configured incorrectly.
Typically, a red teamer would blindly attack this application if it could not be downloaded from an open-source repository or as a trial version. However, we decided to ask our client directly for the entire application source code as it was unavailable for download anywhere. Although these types of requests are ordinarily refused, our client was more than happy to share the source code with the team.
With the source code in hand and Jet Brains dotPeak .NET decompiler downloaded, we promptly delved into the application only to find a whopping 15 zero-days! This is a great example of why providing your source code to red teamers can help us fully flush out bugs and investigate vulnerabilities that pose a greater risk.
Upon receiving code for the version 6.80 Build 2016031401 of the CIPAce application, we were not aware of a newer version. However, while going through the source code and APIs, we noticed an API named GetDistributedPOP3 that returned the username and password of the SMTP user.
Figure 1: API Request obtaining SMTP Password
We quickly emailed the client to inform them of this bizarre “feature” and heard that there was a newer version available for review. This vulnerability did not exist in version 9.1 of the CIPAce application; however, we discovered this was just the tip of the iceberg.
The client provided us the source code for version 9.1 Build 2019092801. Since the first “feature” that leaked sensitive data was an API, we dug further and found a ton of other SOAP calls that leaked internal data, including hostname, folder/file paths, and database structures. The one that stood out the most was a SOAP API call that exposed all contents of the user table within the database, thus making SQL Injection unnecessary as we had everything we needed to login to the application with the highest user permissions. On a positive note, the passwords were MD5 hashed.
Figure 2: API Request Leaking Username and Password Data
Lastly, the most impactful vulnerability that we discovered during our penetration test was a neat file called “Upload.ashx”. After a quick review, our team observed that it lacked the necessary code to put it behind authentication and allowed the upload of any ASHX file to the underlying file system. With that in mind, we quickly drafted a multipart/form-data POST request to upload a web shell. At this time, the client locked down the application to only be accessible to our IP so we were not concerned about uploading a web shell that did not require authentication.
Figure 3: Uploading ASHX web shell
Figure 4: Executing commands through uploaded web shell
These are just a few of the many vulnerabilities existing today with the following table outlining some additional vulnerabilities. It’s important to note that all of these issues are exploitable without authentication, which underscores the necessity of thoroughly reviewing applications to prevent bugs – especially applications that are marketed to government agencies and major corporations.
11/13/2019 – Discovered POP3 Password Disclosure Issue
11/14/2019 – Confirmed the POP3 Password Disclosure was fixed on version 9.1
11/17/2019 – Discovered other 14 0-days in application version 9.1
11/17/2019 – First communication sent to vendor / No Response
11/19/2019 – Second communication sent to vendor / No Response
11/25/2019 – Third communication sent to the vendor
11/26/2019 – Vendor responded via phone call and stated they are working with the client to get it fixed
01/23/2020 – Confirmed all but one information disclosure issue was fixed
03/19/2020 – Confirmed that the last information disclosure item was fixed
03/24/2020 – Requested CVEs
Discovered by Quentin (paragonsec) Rhoads-Herrera, Director of Professional Services at CyberOne
CyberOne’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.
Follow us on Twitter @TeamAresSec to stay up to date on vulnerability discoveries and cybersecurity news.