Advisory ID: SYSS-2020-028
Product: Startup TOOLS
Manufacturer: INNEO Solutions GmbH
Affected Version(s): <= 2018 M040 (13.0.70.3804)
Tested Version(s): 2017 M021 (12.0.66.3784)
                   2018 M040 (13.0.70.3804)
Vulnerability Type: Path Traversal (CWE-22)
Risk Level: Critical
Solution Status: Solved
Manufacturer Notification: 2020-07-01
Solution Date: 2020-07-15
Public Disclosure: 2020-07-23
CVE Reference: CVE-2020-15492
Author of Advisory: Patrick Hener, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

"For years, Startup TOOLS has guaranteed efficient utilisation of PTC's
product development environment. The success of Startup TOOLS throughout
the world is based on the combination of add-on functionality for the
users, configuration and administration assistance and a comfortable
graphical user interface. With Startup TOOLS, you can not only design
faster and more efficiently but also consistently throughout your
company."

Due to improper input validation, the web application is vulnerable to
path traversal attacks, which can eventually be leveraged to obtain
remote code execution on the target.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the web application served on TCP port 85
(sut_srv.exe) uses user input in a file system access without any
further validation.

This vulnerability allows an unauthenticated attacker to read arbitrary
files on the server and to execute arbitrary code by means of log
poisoning.

The software uses PHP version 5.2.13, which is prone to null-byte
injection. This enables the attacker to poison the file sut_server_.log
and then include the log as PHP, resulting in arbitrary code execution.

By default, the service is installed as nt-authority\system, so the RCE
runs with the highest privileges possible.
Also refer to [2] for a weaponized exploit written in Go.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL can be used to download the file C:\windows\win.ini:

http://example.com:85/../../../../../../../windows/win.ini

The corresponding response to the request will look like this:

HTTP/1.1 200 OK
Connection: close
Content-Type: application/octet-stream
Content-Length: 92
Server: Startup TOOLS Web Server
Set-Cookie: IDHTTPSESSIONID=H4RQ51AKTOT5yCj; path=/

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor offers a newer version line, 6.x.x.x and later, which is the
successor of the deprecated versions 2018 and earlier. The new version
is no longer prone to this vulnerability, as it is a complete redesign
of the application itself.

The vendor recommends migrating from the deprecated Startup TOOLS 2018
and prior to at least 6.0.2.0 (the most recent version at the time of
writing) or later.
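The following is an added example and not code from the advisory, SySS or INNEO: a request-path validator of the kind the sut_srv.exe web server on port 85 was missing, exercised with the PoC path above plus percent-encoded, backslash and null-byte variants. WEB_ROOT, the function names and the sample paths are assumptions.

```python
from urllib.parse import unquote

# Added example, not the product's code. WEB_ROOT is an assumed document
# root; resolution is purely lexical so the script runs offline.
WEB_ROOT = "C:/sut/www"

class UnsafePath(ValueError):
    """Request path that must never reach the file system."""

def resolve_request_path(root: str, request_path: str) -> str:
    """Map a URL path onto a file below *root* or raise UnsafePath.

    1. percent-decode once, so %2e%2e%2f is treated like ../
    2. refuse NUL bytes: PHP 5.2.x truncates file names at the first NUL,
       which is what lets the poisoned log be included as a .php file
    3. treat backslashes as separators, since the server runs on Windows
    4. walk the segments and refuse any ".." that would climb above root
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in request path")
    segments = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):      # double slashes and "." add nothing
            continue
        if seg == "..":
            if not segments:      # nothing to pop: this climbs above root
                raise UnsafePath("path escapes web root")
            segments.pop()
            continue
        segments.append(seg)
    # Lexical check only: if root can contain symlinks or junctions,
    # realpath() the result and re-check the prefix before opening it.
    return root.rstrip("/") + "/" + "/".join(segments)

def is_safe(request_path: str, root: str = WEB_ROOT) -> bool:
    """True when the path resolves below root without any of the tricks."""
    try:
        resolve_request_path(root, request_path)
        return True
    except UnsafePath:
        return False

if __name__ == "__main__":
    # Constructed sample requests: the advisory's PoC path and variants.
    for path in ("/index.html", "/../../../../../../../windows/win.ini",
                 "/%2e%2e/%2e%2e/windows/win.ini", "/..\\..\\windows\\win.ini",
                 "/sut_server_.log%00.php"):
        print(f"{path!r:45} -> {'allowed' if is_safe(path) else 'REJECTED'}")
```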
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-06-24: Vulnerability discovered
2020-07-01: Vulnerability reported to manufacturer
2020-07-15: Manufacturer provided solution
2020-07-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for Startup TOOLS
    https://www.inneo.co.uk/en/product-development/inneo-in-house-products/startup-tools.html
[2] Weaponized Go Exploit
    https://exploit-db.com/exploits/48693
[3] SySS Security Advisory SYSS-2020-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-028.txt
[4] Vendor Link to Advisory
    https://www.inneo.de/files/content/Produktentwicklung/Tools-und-Erweiterungen/Startup-TOOLS/INNEO-SA-SUT-2020-01.pdf
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Patrick Hener of SySS GmbH.
Special credits go to Dr. Benjamin Heß of SySS GmbH for figuring out the
log poisoning and helping with exploit development.

E-Mail: patrick.hener@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Patrick_Hener.asc
Key ID: 5C708555930AA477
Key Fingerprint: 9CB7 1E87 BD83 64B7 38F2 3434 5C70 8555 930A A477

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en