[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAKZyQkxMo4APZX7g5HDecR8BkFXc68NinC3_b+u+fn807KJc3g@mail.gmail.com>
Date: Mon, 5 Oct 2020 18:05:33 -0700
From: Ken <catatonicprime@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Navy Federal Reflective Cross Site Scripting (XSS)
ASC, Thanks for the follow up.
For your reference (and anyone else out there), I have verified the
exploitability of multiple of your CVEs in later versions of onbase.
Specifically 18.0.0.37.
CVE-2020-25254 - SQL Injection - this appears to be limited to
read-only and often requires more than basic user privileges on
(workview configuration privilege) in addition to a basic user. In EP3
these appear to always require workview configuration privileges,
which I don't have on my configuration yet, so maybe it's patched in
EP3? Probably not, but it demonstrates activity in the right
direction.
CVE-2020-25248 - Path traversal for read access, definitely present.
In EP3 it looks like it requires additional workview configuration
privilege but I suspect it's still present.
CVE-2020-25247 - Path traversal for write access, it's there, but
requires privilege I don't have in my configuration yet. It should be
noted that this is limited to the current resourcePath & if that is on
a separate partition than the binaries location then this may be a
significant mitigating factor to exploit chaining with the proposed
DLL hijacking vulnerability.
The SQL injection has been the most valuable, I haven't been able to
write anything but I have confirmed the ability to dump data.
On Tue, Sep 29, 2020 at 2:16 PM AdaptiveSecurity Consulting via
Fulldisclosure <fulldisclosure@...lists.org> wrote:
>
> Good evening. Because of the nature of the software and vulnerabilities we have been very cautious about releasing too much information so that people cannot easily create exploits. We have privately provided some examples, but we are being very cautious and do not want to provide proof of concept or other information publicly beyond what our lawyers advised us on already. We would like to point you to the FullDisclosure post "[FD] Navy Federal Reflective Cross Site Scripting (XSS)" (18 September) from another security researcher references our disclosures and states that NavyFederal.org was vulnerable to XSS, citing our work in their timeline, leading us to believe that NavyFederal.org is or was using OnBase.
>
> While we do not know what version of the software you have, we did examine two major versions of the software and noted that they both had a large number of vulnerabilities. When we tested 19.8.9.1000, we found that it had fewer instances of SQL injection than 18.0.0.32, but there were still large segments of the software that was vulnerable because they still make use of String.format and string concatenation. Both versions were equally vulnerable to authorization bypass, logging issues, and the other issues.
>
> We mostly focused on the webserver bypassing the clients completely because our customer's network and needs. We did not do as much testing on the webclient and did not use the mobile client because our customer wasn't going to use it. If you are having trouble, first configure your Unity client to proxy traffic through RAT, ZAP, or Burp Suite. We also recommend using CodeReflect, dotPeek, or a similar decompiler and search for things like String.format and their exceptions because it makes it easier to find the vulnerabilities and then create your exploits.
>
> We have been told that Hyland has since had a third party perform examination and found the same general issues. We have also been asked repeatedly if Hyland has contacted us even now and they have not.
>
> Adaptive Security Consulting
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, September 29, 2020 5:06 PM, Ken <catatonicprime@...il.com> wrote:
>
> > Some discussion regarding the onbase vulnerabilities. I should have
> > CC'd you on the FD list to be sure you received it. So sorry to just
> > kinda forward it on to you.
> >
> > https://seclists.org/fulldisclosure/2020/Sep/48
> >
> > On the bright side, feel free to discuss privately if you prefer. Let
> > me know if you need me to up a new gpg key, I let mine expire as no
> > one I know actually uses them.
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists