-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-047
Product: MultiCash
Manufacturer: Omikron Systemhaus GmbH & Co. KG
Affected Version(s): 4.00.008.SP5
Tested Version(s): 4.00.008.SP5
Vulnerability Type: Client-Side Enforcement of Server-Side Security (CWE-602)
Risk Level: Critical
Solution Status: Not fixed
Manufacturer Notification: 2021-08-05
Solution Date: No solution yet available
Public Disclosure: 2021-10-05
CVE Reference: CVE-2021-41286
Authors of Advisory: Moritz Lottermann, SySS GmbH
                     Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

MultiCash is a corporate desktop application used to manage cash and
payments.

The manufacturer describes the product as follows (see [1]):

"For corporates needing to manage cash and payments across multiple banks
and countries, MultiCash is the solution. Save time and costs by using
MultiCash to provide a consolidated, real-time overview of corporate
finances, spanning all relevant departments and entities."

Because its authentication mechanism is implemented on the client side,
MultiCash is vulnerable to privilege escalation. An attacker who controls
the client process can gain administrative privileges over the application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

MultiCash relies on a client-side authentication mechanism. When a user
logs into the application, the validity of the password is checked locally,
inside the client process. All communication with the database back end is
performed using the same technical account, so the back end cannot
distinguish one user from another, and the local password check is the only
barrier between an attacker and any account.

Consequently, an attacker can attach a debugger to the process or create a
patch that manipulates the behavior of the login function. If the function
is made to always return the value that signals a correct password, the
attacker can log in as any desired account, including the administrative
account of the application.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following steps can be taken to exploit the vulnerability:

- Attach a debugger to the running MultiCash process.
- Examine the modules the application loads and their functions. Find the
  function that is responsible for checking the password of a login
  attempt.
- Set a breakpoint on the "ret" instruction of that function's assembly
  code. This is the last instruction of the function; after it, execution
  returns to the caller.
- Log in using a valid username and an arbitrary password. Execution will
  pause at the end of the password check function.
- Change the value in the RAX register to 0x0. On x86-64, RAX holds the
  function's integer return value, and 0x0 is the value the check returns
  for a correct password.
- Continue execution. The application assumes the password is correct and
  the login succeeds.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

No solution available. Omikron suggests the following workaround:

"Make sure that any application environment is protected according to
standard IT security recommendations (e.g. BSI IT-Grundschutz). Important
measures in this context:

SYS.2.1.A2 Separation of Roles
SYS.2.1.A15 Secure Installation and Configuration of Clients
SYS.2.1.A16 Deactivation and Removal of Unnecessary Components and IDs
SYS.2.1.A33 Application Whitelisting (CIA)

In addition, running the application in a server environment (Terminal
Server, Virtual Machine) oder [sic] using the client server solution
MultiCah [sic] Web (Web Technology based addon) may be useful."
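The following C program is an added example and is not MultiCash or SySS code. It models the flaw the advisory describes (CWE-602): a password check that runs inside the client process, in front of a back end that only ever sees one shared technical account, so that forcing the check's return value to 0 (what the PoC does by setting RAX at the "ret") logs the attacker in as the administrator. Beside it sits the design the vendor's workaround does not provide: the back end verifies the credential itself, keeps the role in its own session table, and re-checks it on every privileged request, so a patched client gains nothing. The user table, passwords, and all function names are constructed for this example.

```c
/*
 * Added example, not MultiCash or SySS code. Models CWE-602 as the advisory
 * describes it (client-side password check in front of a shared technical
 * back-end account) next to a design where the back end authenticates the
 * user and re-checks the role on every request. Users, passwords and
 * function names are constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct user { const char *name; const char *password; bool is_admin; };

/* Constructed user table. A real back end stores salted password hashes
   and verifies them; plain strings keep the example dependency-free. */
static const struct user USERS[] = {
    { "admin", "correct-horse",  true  },
    { "clerk", "battery-staple", false },
};
#define NUSERS (sizeof USERS / sizeof USERS[0])

static const struct user *find_user(const char *name) {
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(USERS[i].name, name) == 0) return &USERS[i];
    return NULL;
}

/* ---- Vulnerable design: the client decides --------------------------- */

struct client_session { bool logged_in; bool admin; };

/* Returns 0 for a correct password. This is the value the PoC forces into
   RAX at the function's "ret". */
static int client_check_password(const char *name, const char *pw) {
    const struct user *u = find_user(name);
    return (u != NULL && strcmp(u->password, pw) == 0) ? 0 : 1;
}

/* What the check effectively becomes under the debugger or a binary patch. */
static int forged_check_password(const char *name, const char *pw) {
    (void)name; (void)pw;
    return 0;
}

typedef int (*pw_check_fn)(const char *, const char *);

/* The back end sees only the one technical account, so it cannot tell users
   apart and does whatever the client asks for. */
static bool backend_via_technical_account(bool client_says_admin) {
    return client_says_admin;
}

static struct client_session vulnerable_login(pw_check_fn check,
                                              const char *name,
                                              const char *pw) {
    struct client_session s = { false, false };
    if (check(name, pw) != 0) return s;        /* the only barrier */
    const struct user *u = find_user(name);    /* role decided client-side */
    s.logged_in = true;
    s.admin = backend_via_technical_account(u != NULL && u->is_admin);
    return s;
}

/* ---- Hardened design: the back end decides --------------------------- */

#define MAX_SESSIONS 8
static struct { bool active; bool admin; } server_sessions[MAX_SESSIONS];

/* The server verifies the credential and keeps the role in its own session
   table. Returns a session id >= 0, or -1 when the login is rejected. */
static int server_login(const char *name, const char *pw) {
    const struct user *u = find_user(name);
    if (u == NULL || strcmp(u->password, pw) != 0) return -1;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!server_sessions[i].active) {
            server_sessions[i].active = true;
            server_sessions[i].admin = u->is_admin;
            return i;
        }
    }
    return -1;                                 /* session table full */
}

/* Every privileged request is re-checked against server-held state, so a
   patched client (forged check, flipped "admin" flag) gains nothing. */
static bool server_admin_action(int session_id) {
    if (session_id < 0 || session_id >= MAX_SESSIONS) return false;
    return server_sessions[session_id].active && server_sessions[session_id].admin;
}

int main(void) {
    struct client_session v = vulnerable_login(forged_check_password, "admin", "wrong");
    printf("vulnerable client, forged check, wrong password: admin=%d\n", v.admin);
    int sid = server_login("admin", "wrong");
    printf("hardened back end, wrong password: session=%d admin=%d\n",
           sid, server_admin_action(sid));
    return 0;
}
```

The function pointer passed to vulnerable_login stands in for what the debugger does at runtime: the client's own code path is unchanged, only the value returned by the check differs. In the hardened variant there is no equivalent knob, because the decision and the session state never leave the server.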
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-12: Vulnerability discovered
2021-08-05: Vulnerability reported to manufacturer
2021-10-05: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for MultiCash
    https://www.omikron.de/en/solutions/corporates/multicash/
[2] SySS Security Advisory SYSS-2021-047
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-047.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Lottermann and Manuel Stotz
of SySS GmbH.

E-Mail: moritz.lottermann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Lottermann.asc
Key ID: 0xC9E27D8CDEC05EF5
Key Fingerprint: EA86 773C 98EB CF3A 1959 D651 C9E2 7D8C DEC0 5EF5

E-Mail: manuel.stotz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key ID: 0xE790F68ABCE68C6D
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEKqQecuupbMgoCvm7Y6nidewbDy4FAmFcNzkACgkQY6nidewb
Dy77ogv/ec6iK+GGfW3H1J2bl605w/NeR3ekJWJZ4q+vwJ58/clwh5JQPM5AAtUQ
gwomxidf8VtJP5sNvdxguGkT0HhPRO82bq0Pn6QYWNx5PaZiW5cNGR98qDnFtR09
Zc8P/73BouwMtAYd487ljgfpyu7MxUHXFZFvSYd0+v+uqdlR8K2ekiJt56uuzC0S
RkdWOCln9AnhqgQXOivS9p2yitddxZY7yQROQErSRb+bpvF423z1O0gIGEB5IB/D
BRwq2LlmjJmGOHd8BcLVS6wlmaPqs2xPZo3G+9h/JEhVbxyZWim6NhdRCadsGWYV
xUVIjMwkN7DILEbwzoGKLBuIgLTMipUMZzSWZTXkLzJHIe390dZFWCD7evNXVfkq
9Qjzf6IN3QyY0u+Ko52qjGCEdl3LH7PYIWcsYFRdw4IvVhtVL5MvkBTVL3a+5zS4
0DYD5yNSGLYwcMzU5weY+92p3P9w1jwUVukW910yxPQnp+9mTaq0zf22lH0TPign
gXP398ZH
=mwMI
-----END PGP SIGNATURE-----