Advisory ID: SYSS-2021-029
Product: COINS Construction Cloud
Manufacturer: Construction Industry Solutions (COINS)
Affected Version(s): 11.12
Tested Version(s): 11.12
Vulnerability Type: Privilege Defined With Unsafe Actions (CWE-267)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2021-11-02
Solution Date: TBA
Public Disclosure: 2022-01-13
CVE Reference: CVE-2021-45222
Author of Advisory: Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

COINS Construction Cloud is an enterprise resource planning software
specifically for the construction industry.

The manufacturer describes the product as follows (see [1]):

"COINS Construction Cloud is a powerful solution that enables construction
companies, their subcontractors, suppliers and workforce – to work better
together on site, off site, on the road and in the office."

Due to logical flaws in the human resources interface, COINS Construction
Cloud is vulnerable to privilege escalation by HR personnel.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Human resources personnel have access to the "Personnel Workbench", which
allows adding and modifying personal information for other users of the
same company.

However, when adding personal information, it is possible to select an
existing user ID (hereafter called "victim") as "System User ID". This
allows the HR user to change the registered e-mail address of the victim
account.

As the registered e-mail address is also the address that receives the
e-mails of the "reset password" function, an HR user can thereby gain
control of the victim account.

An attacker with HR staff permissions can thus take over arbitrary other
accounts of the same company.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the human resources account.
2. Navigate to "Personnel Workbench".
3. Add personal information.
4. Select an existing "System User ID" in the "Main" tab.
5. Switch to the "Work Information" tab.
6. Change the registered e-mail to an address under your control.
7. Save and log out.
8. Trigger a password reset for the victim account.
9. Enter new credentials for the victim account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

No solution has been provided yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-20: Vulnerability discovered
2021-11-02: Vulnerability reported to manufacturer
2022-01-13: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for COINS Construction Cloud
    https://www.coins-global.com/solutions/47/
[2] SySS Security Advisory SYSS-2021-029
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-029.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.

E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Juergen_Zoeller.asc
Key ID: 0xA55C06902A34886E
Key Fingerprint: F279 067D A805 F18E BB71 E876 A55C 0690 2A34 886E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
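The following model of the logic flaw from the "Vulnerability Details" section is an added illustration and not COINS code; the class and method names, and the assumed fix (refusing to re-link an already bound System User ID, and routing e-mail changes through a confirmation sent to the address currently on file), are assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class AuthorizationError(Exception):
    """Raised when a personnel record may not be bound to the requested login."""


@dataclass
class SystemUser:
    user_id: str
    email: str                            # address the "reset password" mail goes to
    linked_record: Optional[str] = None   # personnel record already bound to this login


@dataclass
class PersonnelWorkbench:
    """Hypothetical stand-in for the HR interface; constructed for this example."""
    users: Dict[str, SystemUser]
    pending: Dict[str, str] = field(default_factory=dict)  # user_id -> unconfirmed address

    def add_personnel_unsafe(self, record_id: str, system_user_id: str, work_email: str) -> None:
        """The flawed behaviour: HR may pick any existing System User ID, and the
        registered e-mail is overwritten at once, so password resets now go to HR."""
        user = self.users[system_user_id]
        user.linked_record = record_id
        user.email = work_email

    def add_personnel(self, record_id: str, system_user_id: str, work_email: str) -> Tuple[str, str]:
        """Assumed hardened behaviour (not the vendor's fix):
        1. a login already bound to another personnel record cannot be re-linked;
        2. the reset address is never changed directly: the new address is staged
           and a confirmation is sent to the address currently on file, so the
           account owner rather than HR approves the change."""
        user = self.users[system_user_id]
        if user.linked_record not in (None, record_id):
            raise AuthorizationError(f"{system_user_id} is already bound to {user.linked_record}")
        user.linked_record = record_id
        if work_email != user.email:
            self.pending[system_user_id] = work_email
            return ("confirm-email-change", user.email)  # mail goes to the OLD address
        return ("ok", user.email)

    def confirm_email_change(self, system_user_id: str) -> str:
        """Called when the owner follows the confirmation link from the old mailbox."""
        self.users[system_user_id].email = self.pending.pop(system_user_id)
        return self.users[system_user_id].email

    def password_reset_target(self, system_user_id: str) -> str:
        """Where the reset link is sent: under the flaw, whatever HR last wrote."""
        return self.users[system_user_id].email
```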