Miss Marple Enterprise Edition File Upload / Hardcoded AES Key

Miss Marple Enterprise Edition versions prior to 2.0 suffer from arbitrary file upload, hardcoded AES key, validation bypass, and other vulnerabilities.


MD5 | 5fc5d23b1a1b5d01c8a5758c57afca63

SEC Consult Vulnerability Lab Security Advisory < 20181116-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Miss Marple Enterprise Edition
vulnerable version: <2.0
fixed version: 2.0
CVE number: CVE-2018-19233, CVE-2018-19234
impact: Critical
homepage: www.comparex-group.com
found: 2018-05-29
by: Marius Schwarz (Office Munich)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"As a global IT company with thirty years of experience, COMPAREX is one of the
worldas leading IT service providers and no. 1 software license management
company in the EMEA markets. COMPAREX develops innovative services that support
management and leverage software products, leading to an overall improvement
of workforce productivity. COMPAREX serves corporate customers spanning from
small businesses to large international corporations as well as the public
institutions supporting every customer during their digital journey towards
productivity optimization. The portfolio has a solid foundation in license
management, software procurement and cloud services. Substantial professional
and managed services complete the portfolio to support customers with services
tailored to their business demands."

Source: https://comparexusa.com/about-us/about/


Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.


Vulnerability overview/description:
-----------------------------------
Application overview:
Miss Marple is an inventory software that consists of a client and a server
part. The client (agent) is gathering system information and uploads the
results to a remote server in an encrypted ZIP file.

1) Hardcoded AES key (CVE-2018-19233)
A username and an encrypted password were identified in the Miss Marple
Inventory Agent configuration file. By decompiling the binary, the encryption
method was identified as AES-256 with a hardcoded key and initialization vector.
The credentials are used to deploy the inventory files to a remote server.


2) Uploading arbitrary files
There are two ways an attacker can upload arbitrary files to the server.

2.1) Patching the application binary to bypass the ZIP file extension check

Using this method, it is possible to upload any file to the server, even if
the credentials are unknown to the attacker! This works because every file in
a specific directory gets uploaded, as long as the file has the correct file
extension. This can be bypassed because the file extension is only checked on
the client side and not on the server side. Patching the binary is done by
replacing the extension string with the file extension of the attackers
file eg. ".aspx" in the MMIA.exe binary itself.

2.2) Using cURL to upload arbitrary files

If the credentials are known to the attacker, it is possible to use tools like
cURL to upload arbitrary files to the remote server.

Both ways can be used by an attacker to upload a web-shell to the server and
execute arbitrary commands.


3) Missing update validation (CVE-2018-19234)
Besides the Miss Marple Inventory Agent, an Miss Marple Updater Service is
running on all clients. This service checks for new versions on the same server.
If the files are uploaded to the right directory on the server, the updater will
download and execute them with the highest privileges (NT Authority\SYSTEM) without
validating the binaries.
This can also be used for escalating privileges on the client. By uploading a
web-shell using the methods described in vulnerability 2, an attacker gets
sufficient write permissions to access the update directory and to place malicious
files on the server. This will execute arbitrary code on all clients using Miss
Marple.


Proof of concept:
-----------------
1) Hardcoded AES key (CVE-2018-19233)
No proof of concept will be provided.

2) Uploading arbitrary files
2.1) No proof of concept will be provided. E.g. the Unicode string for ".zip" just
has to be replaced with the file extension for the uploaded web-shell.

2.2) Using cURL to upload arbitrary files
It is possible to upload arbitrary files using cURL and the credentials obtained
in 1).

3) Missing update validation (CVE-2018-19234)
No proof of concept will be provided.


Vulnerable / tested versions:
-----------------------------
The following versions have been tested and found to be vulnerable:

Miss Marple Inventory Agent / Miss Marple Updater Service 1.13


Vendor contact timeline:
------------------------
2018-06-13: Contacting vendor through [email protected]
2018-07-04: Meeting with the vendor. Reviewed planned fixes.
2018-07-10: Meeting with the vendor. Release of fix dated to 2018-09-30
2018-09-16: Meeting with the vendor. Reviewed implemented fixes.
2018-10-11: Meeting with the vendor. Scheduled the roll-out for the
fixed version.
2018-10-22: Vendor releases patched version.
2018-11-16: Public release of security advisory.


Solution:
---------
According to the vendor, all the identified issues have been fixed in
version 2.0.

Please update to the latest version immediately.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Marius Schwarz / @2018


Related Posts