Re: [FD] Navy Federal Reflective Cross Site Scripting (XSS)
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: Re: [FD] Navy Federal Reflective Cross Site Scripting (XSS)
- From: Ken <catatonicprime@xxxxxxxxx>
- Date: Mon, 5 Oct 2020 18:05:33 -0700
ASC, Thanks for the follow up.
For your reference (and anyone else out there), I have verified the
exploitability of several of your CVEs in later versions of OnBase,
specifically 18.0.0.37.
CVE-2020-25254 - SQL Injection - this appears to be limited to
read-only and often requires more than basic user privileges (the
workview configuration privilege) in addition to a basic user. In EP3
these appear to always require workview configuration privileges,
which I don't have on my configuration yet, so maybe it's patched in
EP3? Probably not, but it demonstrates activity in the right
direction.
CVE-2020-25248 - Path traversal for read access, definitely present.
In EP3 it looks like it requires additional workview configuration
privilege but I suspect it's still present.
CVE-2020-25247 - Path traversal for write access, it's there, but
requires privilege I don't have in my configuration yet. It should be
noted that this is limited to the current resourcePath & if that is on
a separate partition than the binaries location then this may be a
significant mitigating factor to exploit chaining with the proposed
DLL hijacking vulnerability.
The SQL injection has been the most valuable; I haven't been able to
write anything, but I have confirmed the ability to dump data.
On Tue, Sep 29, 2020 at 2:16 PM AdaptiveSecurity Consulting via
Fulldisclosure <fulldisclosure@xxxxxxxxxxxx> wrote:
>
> Good evening. Because of the nature of the software and vulnerabilities we
> have been very cautious about releasing too much information so that people
> cannot easily create exploits. We have privately provided some examples, but
> we are being very cautious and do not want to provide proof of concept or
> other information publicly beyond what our lawyers advised us on already. We
> would like to point you to the Full Disclosure post "[FD] Navy Federal
> Reflective Cross Site Scripting (XSS)" (18 September), in which another security
> researcher references our disclosures and states that NavyFederal.org was
> vulnerable to XSS, citing our work in their timeline, leading us to believe
> that NavyFederal.org is or was using OnBase.
>
> While we do not know what version of the software you have, we did examine
> two major versions of the software and noted that they both had a large
> number of vulnerabilities. When we tested 19.8.9.1000, we found that it had
> fewer instances of SQL injection than 18.0.0.32, but there were still large
> segments of the software that were vulnerable because they still make use of
> String.format and string concatenation. Both versions were equally vulnerable
> to authorization bypass, logging issues, and the other issues.
>
> We mostly focused on the webserver, bypassing the clients completely because
> of our customer's network and needs. We did not do as much testing on the
> webclient and did not use the mobile client because our customer wasn't going
> to use it. If you are having trouble, first configure your Unity client to
> proxy traffic through RAT, ZAP, or Burp Suite. We also recommend using
> CodeReflect, dotPeek, or a similar decompiler to search for things like
> String.format and their exceptions, because it makes it easier to find the
> vulnerabilities and then create your exploits.
>
> We have been told that Hyland has since had a third party perform examination
> and found the same general issues. We have also been asked repeatedly if
> Hyland has contacted us even now and they have not.
>
> Adaptive Security Consulting
>
> ------- Original Message -------
> On Tuesday, September 29, 2020 5:06 PM, Ken <catatonicprime@xxxxxxxxx> wrote:
>
> > Some discussion regarding the onbase vulnerabilities. I should have
> > CC'd you on the FD list to be sure you received it. So sorry to just
> > kinda forward it on to you.
> >
> > https://seclists.org/fulldisclosure/2020/Sep/48
> >
> > On the bright side, feel free to discuss privately if you prefer. Let
> > me know if you need me to set up a new gpg key; I let mine expire as no
> > one I know actually uses them.
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
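The thread attributes the OnBase SQL injection to queries assembled with String.format and string concatenation. The following is an added illustration of that pattern and its parameterized fix, written for this archive page and not taken from OnBase or from either poster; it uses Python's str.format and an in-memory SQLite table as stand-ins for the .NET code and the real schema, and the table contents and the hostile input are constructed.

```python
import sqlite3


def _db():
    # Constructed in-memory table standing in for an application table;
    # this is not OnBase's schema.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE docs (id INTEGER, owner TEXT, title TEXT)")
    con.executemany(
        "INSERT INTO docs VALUES (?, ?, ?)",
        [(1, "alice", "alice-1"), (2, "bob", "bob-1"), (3, "bob", "bob-2")],
    )
    return con


def docs_for_owner_format(con, owner):
    # Vulnerable pattern: the caller-controlled value is spliced into the SQL
    # text with str.format, the analogue of the String.format usage named in
    # the thread. The value becomes part of the query grammar.
    sql = "SELECT id FROM docs WHERE owner = '{}'".format(owner)
    return [row[0] for row in con.execute(sql)]


def docs_for_owner_param(con, owner):
    # Hardened form: the value travels as a bound parameter and is never
    # interpreted as SQL, whatever characters it contains.
    sql = "SELECT id FROM docs WHERE owner = ?"
    return [row[0] for row in con.execute(sql, (owner,))]


def demo():
    # Runs both query builders on a benign owner name and on a constructed
    # input that closes the quoted literal and widens the WHERE predicate.
    con = _db()
    benign = "alice"
    hostile = "alice' OR 'x'='x"
    return {
        "format_benign": docs_for_owner_format(con, benign),
        "format_hostile": docs_for_owner_format(con, hostile),
        "param_benign": docs_for_owner_param(con, benign),
        "param_hostile": docs_for_owner_param(con, hostile),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(name, ids)
```

The format-built query returns every row for the hostile input, which matches the read-only data exposure described earlier in the thread; the parameterized query returns nothing because no owner is literally named `alice' OR 'x'='x`.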