Re: Navy Federal Reflective Cross Site Scripting (XSS)

[Ken <catatonicprime () gmail com>]

ASC, Thanks for the follow up.

For your reference (and anyone else out there), I have verified the
exploitability of multiple of your CVEs in later versions of onbase.
Specifically 18.0.0.37.

CVE-2020-25254 - SQL Injection - this appears to be limited to
read-only and often requires more than basic user privileges on
(workview configuration privilege) in addition to a basic user. In EP3
these appear to always require workview configuration privileges,
which I don't have on my configuration yet, so maybe it's patched in
EP3? Probably not, but it demonstrates activity in the right
direction.
CVE-2020-25248 - Path traversal for read access, definitely present.
In EP3 it looks like it requires additional workview configuration
privilege but I suspect it's still present.
CVE-2020-25247 - Path traversal for write access, it's there, but
requires privilege I don't have in my configuration yet. It should be
noted that this is limited to the current resourcePath & if that is on
a separate partition than the binaries location then this may be a
significant mitigating factor to exploit chaining with the proposed
DLL hijacking vulnerability.

The SQL injection has been the most valuable, I haven't been able to
write anything but I have confirmed the ability to dump data.


On Tue, Sep 29, 2020 at 2:16 PM AdaptiveSecurity Consulting via
Fulldisclosure <fulldisclosure () seclists org> wrote:
> Good evening. Because of the nature of the software and vulnerabilities we have been very cautious about releasing 
> too much information so that people cannot easily create exploits. We have privately provided some examples, but we 
> are being very cautious and do not want to provide proof of concept or other information publicly beyond what our 
> lawyers advised us on already. We would like to point you to the FullDisclosure post "[FD] Navy Federal Reflective 
> Cross Site Scripting (XSS)" (18 September) from another security researcher references our disclosures and states 
> that NavyFederal.org was vulnerable to XSS, citing our work in their timeline, leading us to believe that 
> NavyFederal.org is or was using OnBase.
>
> While we do not know what version of the software you have, we did examine two major versions of the software and 
> noted that they both had a large number of vulnerabilities. When we tested 19.8.9.1000, we found that it had fewer 
> instances of SQL injection than 18.0.0.32, but there were still large segments of the software that was vulnerable 
> because they still make use of String.format and string concatenation. Both versions were equally vulnerable to 
> authorization bypass, logging issues, and the other issues.
>
> We mostly focused on the webserver bypassing the clients completely because our customer's network and needs. We did 
> not do as much testing on the webclient and did not use the mobile client because our customer wasn't going to use 
> it. If you are having trouble, first configure your Unity client to proxy traffic through RAT, ZAP, or Burp Suite. We 
> also recommend using CodeReflect, dotPeek, or a similar decompiler and search for things like String.format and their 
> exceptions because it makes it easier to find the vulnerabilities and then create your exploits.
>
> We have been told that Hyland has since had a third party perform examination and found the same general issues. We 
> have also been asked repeatedly if Hyland has contacted us even now and they have not.
>
> Adaptive Security Consulting
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, September 29, 2020 5:06 PM, Ken <catatonicprime () gmail com> wrote:
>
> > Some discussion regarding the onbase vulnerabilities. I should have
> > CC'd you on the FD list to be sure you received it. So sorry to just
> > kinda forward it on to you.
> >
> > https://seclists.org/fulldisclosure/2020/Sep/48
> >
> > On the bright side, feel free to discuss privately if you prefer. Let
> > me know if you need me to up a new gpg key, I let mine expire as no
> > one I know actually uses them.
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/