perfact::mpa Cross Site Request Forgery

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-071  
Product(s): perfact::mpa  
Manufacturer: PerFact Innovation GmbH & Co. KG  
Affected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2  
Tested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2  
Vulnerability Type: Cross-Site Request Forgery (CWE-352)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2015-12-18  
Solution Date: 2016-01-18  
Public Disclosure: 2016-02-29  
CVE Reference: Not yet assigned  
Authors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
The software solution perfact::mpa is a software architecture that, for  
instance, is used to build web applications for the secure and reliable  
remote maintenance of machines via the Internet (see [1]).  
  
According to the manufacturer, remote control software built with  
perfact::mpa impresses through the following features:  
  
* location-independent and central monitoring,  
* maintenance and error management,  
* authorized remote access, and  
* integrated documentation of incidents and services.  
  
Due to missing protection mechanisms, the web application perfact::mpa  
is vulnerable to cross-site request forgery (CSRF) attacks.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The tested web application perfact::mpa offers no protection against  
cross-site request forgery (CSRF) attacks. This kind of attack forces  
end users respectively their web browsers to perform unwanted actions  
in a web application context in which they are currently authenticated.  
  
CSRF attacks specifically target state-changing requests, for example in  
order to enable or disable a feature, and not data theft, as an attacker  
usually has no possibility to see the response of the forged request.  
  
In general, CSRF attacks are conducted with the help of the victim, for   
example by a user visiting an attacker-controlled URL sent by e-mail in   
its web browser. Often, cross-site request forgery attacks make use of   
cross-site scripting attacks, but this is not mandatory.  
  
CSRF attacks can also be performed against a web application if a victim  
is only visiting an attacker-controlled web server. In this case, the  
attacker-controlled web server is used to generate a specially crafted  
HTTP request in the context of the user's web browser which is then sent  
to the vulnerable target web application.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The SySS GmbH could successfully demonstrate a CSRF attack against the  
perfact::mpa web application by using the found persistent cross-site  
scripting vulnerability in the file upload functionality (see   
security advisory SYSS-2015-066).  
  
The following JavaScript attack vector was used which was automatically  
executed when the uploaded attacker-controlled HTML file was opened by a  
victim.  
  
<script>location.href="https://<HOST>/<PATH>/MPA2/External/ExtAdmin/db_edit_action  
?layout_tabnum=&id=&selector_copy_from=&do_delete=&delete_next_id=&do_save=Speichern  
&name=<NAME>&random_password=<PASSWORD>&password=<PASSWORD>&password_repeat=<PASSWORD>  
&fullname=<FULL_NAME>&email=<EMAIL>&phone=&passwordexpires=  
&passwordexpires_date=&passwordexpires_time=&disabled%3Adefault=";</script>  
  
If this attack vector was executed in the context of a perfact::mpa  
system administrator, a new external administrator with the defined  
account data would be created.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to information by the PerFact Innovation GmbH & Co. KG, the  
described security issue has been fixed in PerFact DB_Utils (toolkit)  
software version 3.2.  
  
Please contact the manufacturer for further information or support.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-12-18: Vulnerability reported to manufacturer  
2016-01-18: Response from manufacturer with detailed information about  
the reported security vulnerability and its solution status  
2016-02-05: E-mail to manufacturer according two open questions  
2016-02-05: Response from manufacturer with further information  
2016-02-29: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product Web Site for perfact::mpa  
http://perfact.de/mpa/index_html  
[2] SySS Security Advisory SYSS-2015-071  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-071.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Matthias Deeg and Sven Freund  
of the SySS GmbH.  
  
E-Mail: matthias.deeg (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc  
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB  
  
E-Mail: sven.freund (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc  
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBCgAGBQJW0/ASAAoJENmkv2o0rU2rkh8P/RVnz8RKPTTCTFhyLQDbLde7  
Wi5K/34T2JffZKEspK4nz5UcXp5nYNdA5myvCFgVfkZDwCjO61RtOJDFZaJpunMK  
AIbzMdR33hretpoZgdxOuD18pFIBbxOcTT7BlL+DgcTGqZNzXKMuQvgmwkyS8nU5  
7mg7DTKFX4w1r+t1G2XmVU9uSVk5PFVeKkaZLcVue9L+3JUTuLe9foG4teO23Sw3  
tXbJ201VWmavZfVJMKX4qku8X0PxQj0BJ7gp9oGIpnHis/MeJqBVeqGJVnqMqJe1  
lWoi0nmOZNFf1ty57rQ/DgHqfpOO2N8rfoQpXzYx5aXU3pFoPhlL/k187EiuhAmU  
yO9T9dlYq1iprMcNyeNj2JppsHRkFgCBEzKdpqWPxXDS5kXveIlsiAFSUR1uiouS  
pe+8OXRaj/ErsaBywMjLUBHJwaVr2fRm21aFv4ie9BuGeA8CR9QTO3E0y+Nvu7Av  
hVQjFm0Jga3npOnq3gy2l2UjwMql/ehIYE177LfYl9hK5Uhtl5sRhdAYCkDcINhc  
IH+c63uwKBDFRWyqTMB2DG5iIe8ZmuRivUnhaGqJy0vvulIu8FdwZg8DTN6eDjZL  
Mjth9vK//cwE2wDlQ6Wr5JarO5ZOidjSkvYzPJUriqneHz0gUH+zWgQA9/Zv7xc3  
yIW9LXJi5atDQXz2P51c  
=jjvR  
-----END PGP SIGNATURE-----  
`