[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Multiple vulnerabilities found in Rock RMS including RCE and account takeover

Title
=========================
Multiple vulnerabilities found in Rock RMS including RCE and account takeover. 
A total of three CVEs were issued for the vulnerabilities (CVE-2019-18641, 
CVE-2019-18642, CVE-2019-18643)

Product Description
=========================
Rock RMS is an open source CRM. Although the product is free, they request a 
paid subscription based on number of users. In some cases, early access to 
patches require a paid subscription.

Vulnerability Descriptions
=========================
1
Name: File upload restriction bypass - CVE-2019-18643
CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details: The file upload functionality using the fileUpload.ashx page was 
vulnerable to uploading malicious files by bypassing the file extension 
restrictions. Rock RMS uses a black list of file extensions which is checked 
upon uploading a file. The logic for the black list validation was vulnerable 
to bypass leading to arbitrary file uploads resulting in RCE. There were other 
issues with the file upload functionality such as being able to tamper the 
upload location which led to the ability to upload files to any directory on 
the system. Several failed patches were released for this vulnerability which 
partially addressed the issue but the product remained vulnerable to 
exploitation until the final patch was released.
Disclosure dates:
01/09/2019 - initial disclosure of filetype restriction bypass
03/17/2019 - second disclosure informing that the 8.6 patch did not fully fix 
the vulnerability. File upload is still vulnerable by tweaking the exploit
07/10/2019 - third disclosure informing that the 8.8 patch did not fully fix 
the vulnerability. File upload is still vulnerable by tweaking the exploit
11/03/2019 - fourth disclosure informing that the 8.9 patch did not fully fix 
the vulnerability. File upload is still vulnerable by tweaking the exploit
Patch date and version: Final patch was released on 11/05/2019 for version 8.10 
and on 11/06/2019 for version 9.4. Vulnerable versions are < 8.10 and 9.0 - 9.3.

2
Name: Account takeover - CVE-2019-18642
CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details: When a low privileged user updates their profile, the user ID is sent 
to the server. This ID can be tampered to make changes to any other user 
including the system administrator account. Changing the email address of 
another account allows an attacker to perform a password reset then login and 
take over the account. Performing this action on the administrator account 
leads to full application compromise.
Disclosure date: 01/16/2019
Patch date and version: 02/19/2019 in version 8.6

3
Name: User personal information leak - CVE-2019-18641
CVSS score: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details: The GetVCard functionality was not setup with any security. This 
allowed any unauthenticated user to loop through all sequential user ID's and 
exfiltrate user's personal information they have entered for their account. 
This information could include first name, last name, phone numbers, email 
address, physical address, etc.
Disclosure date: 01/09/2019
Patch date and version: 02/19/2019 in version 8.6

There were other security risks that were identified in the product such as 
several API calls that were not secured, reflected XSS and private calendar 
access leading to information leakage.

Detection and Remediation
======================
Firstly, update to the most recent patch as soon as possible. Once updated, 
there are a few things that can be checked to determine if any malicious 
activity has taken place on your implementation of Rock RMS.
-Review the Content directory for any files that have file extensions that 
could be malicious such as aspx
-Check all web logs you have to see if the file upload functionality was used 
to upload to a directory outside the Content directory
-Check web logs for suspicious iterations looping through objects such as vcard 
IDs

Responsible Disclosure Timeline
=========================
01/09/2019 - Initial disclosure of vulnerabilities including RCE via restricted 
file upload, vulnerable API tags, GetVCard exfil of users personal information 
and calendar private data
01/10/2019 - Vendor responded and informed they would investigate
01/16/2019 - Second disclosure - Account take over via profile update
01/18/2019 - Third disclosure - File upload can write to any location on disk, 
File upload with sensitive extensions allowed
02/19/2019 - Version 8.6 released
03/07/2019 - Disclosed that patch logic in 8.6 did not fully fix file upload 
issue
03/19/2019 - Version 8.7 released (no additional patch for upload issues - 
still vulnerable)
05/29/2019 - Version 8.8 released
07/10/2019 - Disclosed that patch logic in 8.8 did not fully fix upload issue
08/05/2019 - Version 9.0 released (9.x requires a paid account)
08/09/2019 - Version 8.9 released
08/20/2019 - Version 9.1 released (no additional patch for upload issues - 
still vulnerable)
09/11/2019 - Version 9.2 released (no additional patch for upload issues - 
still vulnerable)
10/23/2019 - Version 9.3 released (no additional patch for upload issues - 
still vulnerable)
11/03/2019 - Disclosed that patch logic in 8.9 did not fix the file upload 
issue.
11/05/2019 - Version 8.10 released (contained final fix for file upload 
vulnerability in version 8.x line)
11/06/2019 - Version 9.4 released (contained final fix for file upload 
vulnerability in version 9.x line)
11/07/2019 - Confirmed file upload vuln was fixed in 8.10

Delayed public disclosure to allow time for customers of the product to patch 
their systems.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/