-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2021-080 Product: PONTON X/P Messenger Manufacturer: PONTON GmbH Affected Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429) Tested Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429) Vulnerability Type: Weakened Cross-Site Request Forgery (CWE-352) Risk Level: Low Solution Status: Fixed in release of version 3.11.2 Manufacturer Notification: 2022-01-25 Solution Date: 2022-02-07 Public Disclosure: 2022-03-11 CVE Reference: CVE-2021-45886 Author of Advisory: Stefan Walter, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The manufacturer describes the product as follows (see [1]): > The PONTON X/P Messenger (or PONTON X/P for short) is PONTON’s > high-quality B2B integration solution with a proven track-record in > several industries since 2001. PONTON X/P is a highly configurable > ebXML, AS/1, AS/2, AS/3 and AS/4 compliant messaging software. It > provides additional features to deal with typical B2B integration > issues (such as a listener component for the DMZ, certificate > management and non-repudiation of messages). PONTON X/P is typically > used as communication layer in a business consortium or as an (OEM) > communication extension of an existing software application. The tested version was not the most recent one. The current versions 4.X were not affected. The vulnerability can only be exploited by authorisation with a user of the Ponton X/P web UI which is normally only accessible on the internal network. The vulnerability is fixed with Ponton X/P Version 3.11.2. Please upgrade to the Version 3.11.2. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The web application offers a solid baseline protection against CSRF by employing anti-CSRF tokens for every relevant request. However, these anti-CSRF tokens were globally valid, making the web application vulnerable to a weakened version of CSRF, if certain requirements are met. That is, SySS GmbH was able to use an arbitrary token of a low-privileged user to confirm actions of higher privileged ones. This effectively weakens the protection offered by the anti-CSRF tokens. The attack is also time-sensitive because at some point in time, the token will expire. For testing purposes, a local installation was set up using the application binaries provided at [2] and the instructions at [3]: $ wget 'https://www.ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip' $ unzip PontonXP-Messenger-3.10.0-Linux.zip -d PontonXP-Messenger-3.10.0-Linux $ cd PontonXP-Messenger-3.10.0-Linux $ ./pontonxp start Afterwards, the web application is reachable at https://localhost:8443. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): First, the attacker needs a low-privileged account (like, e.g., operator) in order to obtain a valid anti-CSRF token by visiting, e.g., the settings of the current user at https://localhost:8443/pontonxp/private/user/ShowCurrentUserUpdatePassword.do:
... Next, they can craft a malicious web page that would grant themselves the role of administrators in the web application and insert the obtained token:
The following request is sent to the web server during the attack: POST /pontonxp/private/user/UserUpdateRoles.do HTTP/1.1 Host: localhost:8443 Cookie: SESSIONID8443=node01r2420cjj1uwx1965cdqxzkup94.node0; clickedFolder=F196333379%5EF1167724268%5EF934446952%5EF562478984%5EF2039484061%5E ... Content-Type: application/x-www-form-urlencoded Content-Length: 136 ... csrfToken=20c2515c-29f8-4af7-b031-434fa28d1313&userName=operator&globalRoles=ROLE_administrator&globalRoles=ROLE_operator&ok.x=13&ok.y=2 The web server accepts the anti-CSRF token obtained by the SySS GmbH's test user "operator" for confirming an action taken out as the administrator user "xpadmin". Afterwards, the SySS GmbH's attacker user "operator" has been granted administrator privileges in the web application. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The vulnerability has been fixed with Ponton X/P version 3.11.2. More information: https://www.ponton.de/downloads/xp/3.11/documents/ReleaseNotes3112.pdf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-12-06: Vulnerability discovered 2022-01-25: Vulnerability reported to manufacturer 2022-02-07: Fixed version 3.11.2 released by manufacturer 2022-03-11: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for PONTON X/P MESSENGER https://www.ponton.de/products/xpmessenger/ [2] PONTON X/P MESSENGER 3.10.0 download https://ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip [3] PONTON X/P MESSENGER 3.10.0 documentation https://ponton.de/downloads/xp/3.10/documents/MessengerDocumentation310.pdf [4] SySS Security Advisory SYSS-2021-080 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-080.txt [5] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Stefan Walter of SySS GmbH. E-Mail: stefan.walter@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Walter.asc Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEdN13zQMXJ3dHDTi+vguzEdo/PhYFAmIogvoACgkQvguzEdo/ PhYLaA//UyVQsA4cHGi+/f848m6/kTa3XchnAESZsloo8O8rVu6WPLJEyyR39kgp lW8/10KeJeYA+uG8TVZT5egOVni/Vsu7qFqUx7uhmrN98R41lUguuorKoAzU7Sx/ DpuNfE/r/aE0Qd3UixM0gE1hXX0WDusZDpBJbjOYjkivXzBb+exCaiZFWs9mDoLZ r6IYFNuVEwipew8T6earNy74VaYyepUHfJSgog+tJZWp7RPcuH9tqyrTCZ5HyLmQ 3h9tFeGCReRg09nKKfIFqN1vWiwkL9ig1zifg0+fJD4Jo5nfNtdOfRWVEEMcf4hA JsP9jZ8KDPM4rzpZDuZiSgJCYXwYjJBb0evrrNnZGDFhznWSM4yXtLSnwMN6iC22 jTG7WXKwScuXEEmP3u8ffZhUddLB3EMn+gPtWCNDdqIwqlUyZ3iwBVC8IR3U574e PZBzelqheXmL8agBiXalYeh4oai16BUCKUAKztJrUgfw+mXhTLxRWQ+jHhrtFF2l 0bt3fpifII1+0flJ1PmMuO4ATD5WWQn8afpXOpZcxAY7mzJCXLwaXYKPq3JnqmhC qrZ12ZoQdEwGryCUsGgEFnekkLZ2T4tuy3QAJB3rK5c1UYKAXj03/rXQvTLZyLDg tRuH9/hhDBrQQuzlKJEwwoVSpum/SsoFM6vjcTZegT6uK9phBCo= =9u7q -----END PGP SIGNATURE-----