Advisory ID: SYSS-2021-063
Product: ZA|ARC
Manufacturer: Softwarebüro Zauner GmbH & Co. KG
Affected Version(s): 4.2.0.4
Tested Version(s): 4.2.0.4
Vulnerability Type: Client-Side Enforcement of Server-Side Security (CWE-602)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2021-11-09
Solution Date: No solution yet available
Public Disclosure: 2022-04-01
CVE Reference: CVE-2021-45891
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ZA|ARC is a software product for archiving digital tachograph data.

The manufacturer describes the product as follows (see [1]):

"With ARC you can archive your digital tachograph data easily and securely in accordance with the Fahrpersonalgesetz and the Fahrpersonalverordnung (new). ARC supports both centralized and decentralized fleets and can consolidate data from multiple branches and affiliated workshops without difficulty. This makes the software suitable for fleets of all sizes and for all organizational forms."

Since the authentication mechanism is implemented on the client side, ZA|ARC is vulnerable to privilege escalation attacks. As a consequence, attackers can gain administrative privileges over the application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

ZA|ARC performs all security checks locally on the client. For example, when a user logs into the application, the validity of the password is checked on the client side. All communication with the database back end is performed using the same technical account, so the back end cannot distinguish between users.

Consequently, an attacker can attach a debugger to the process or create a patch that manipulates the behavior of the login function. When the function always returns the value for a correct password, an attacker can log in with any desired account, such as the administrative account of the application.
Note that this is only one example of how a security control can be circumvented. Alternatively, an attacker could bypass privilege level checks or take direct control over database queries.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following steps can be taken to exploit the vulnerability:

- Attach a debugger to the started ZA|ARC process.
- Examine the modules used by the application and their functions. Find the function that is responsible for checking the password of a login attempt.
- Set a breakpoint on the "ret" instruction of the function's assembler code. This is the last instruction of a function; afterwards, execution returns to the calling function.
- Log in using a valid username and an arbitrary password. Execution will pause at the end of the password check function.
- Change the value in the RAX register to 0x0. This register holds the return value of a function.
- Continue execution. The application assumes the password is correct, and the login is successful.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue will not be fixed in ZA|ARC. Upgrade to zaarc.next when available.
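To illustrate the design flaw from the Vulnerability Details section (CWE-602), here is an added example that is not ZA|ARC code: a back end that trusts the client's login decision and serves every request over one shared technical account, beside a back end that verifies the password itself and ties later requests to a session token it issued. All names (ClientSideAuthBackend, ServerSideAuthBackend, the sample users and archive entries) are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed credential store (not ZA|ARC data): PBKDF2 hashes per user.
SALT = b"constructed-salt"


def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


USERS = {"admin": _pw_hash("correct horse"), "driver1": _pw_hash("battery staple")}
ARCHIVE = ["tachograph-2021-10.ddd", "tachograph-2021-11.ddd"]  # constructed


def check_password(user: str, pw: str) -> bool:
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _pw_hash(pw))


class ClientSideAuthBackend:
    """CWE-602: the back end never sees a login decision; it answers every
    request made via the shared technical account, whatever the client decided."""

    def fetch_archive(self, user: str) -> List[str]:
        return ARCHIVE  # no check here, the client is trusted


class ServerSideAuthBackend:
    """Hardened variant: the back end checks the password and only serves
    requests that carry a session token it issued itself."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, user: str, pw: str) -> Optional[str]:
        if not check_password(user, pw):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def fetch_archive(self, token: Optional[str]) -> Optional[List[str]]:
        return ARCHIVE if token in self._sessions else None


def demo() -> Tuple[List[str], Optional[List[str]]]:
    """A client whose local check was patched to always succeed: the trusting
    back end hands over the archive, the verifying back end returns nothing."""
    patched_client_login_ok = True  # simulates the bypassed local check
    leaked = ClientSideAuthBackend().fetch_archive("admin") if patched_client_login_ok else []
    strong = ServerSideAuthBackend()
    return leaked, strong.fetch_archive(strong.login("admin", "wrong password"))
```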
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-19: Vulnerability discovered
2021-11-09: Vulnerability reported to manufacturer
2021-11-10: Vulnerability report acknowledged by manufacturer
2021-11-16: Discussion of technical information with manufacturer
2022-02-15: Manufacturer confirms that the vulnerability will not be fixed for ZA|ARC
2022-04-01: Public disclosure of the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ZA|ARC
    https://www.zamik.de/system/fuhrparkmanagement
[2] SySS Security Advisory SYSS-2021-063
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-063.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en