perfact::mpa Insecure Direct Object Reference

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-072  
Product(s): perfact::mpa  
Manufacturer: PerFact Innovation GmbH & Co. KG  
Affected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2  
Tested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2  
Vulnerability Type: Insecure Direct Object References (CWE-932)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2015-12-18  
Solution Date: 2016-01-18  
Public Disclosure: 2016-02-29  
CVE Reference: Not yet assigned  
Authors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
The software solution perfact::mpa is a software architecture that, for  
instance, is used to build web applications for the secure and reliable  
remote maintenance of machines via the Internet (see [1]).  
  
According to the manufacturer, remote control software built with  
perfact::mpa impresses through the following features:  
  
* location-independent and central monitoring,  
* maintenance and error management,  
* authorized remote access, and  
* integrated documentation of incidents and services.  
  
Due to improper authorization checks, different web application  
resources can be directly accessed.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The SySS GmbH found out that different resources of the web application  
perfact::mpa can be directly accessed by the correct URL due to improper  
user authorization checks. That is, unauthorized users can access   
different functions of the perfact::mpa web application.  
  
With unauthorized access to many web application resources, an attacker  
can put the integrity of the web application database at risk by  
triggering functions or possibly find security vulnerabilities in the  
extended attack surface. For instance, within the test period the SySS  
GmbH could identify several OS command injection vulnerabilities in web  
application functions that could be accessed by unauthorized users  
(see security advisory SYSS-2015-065).  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
Some examples of accessible web application resources that are not  
directly accessibly via the offered navigation menus of restricted  
users are:  
  
* https://<HOST>/<PATH>/logic_d/method_listing  
* https://<HOST>/<PATH>/printer_d/method_listing  
* https://<HOST>/<PATH>/SOAP_WS/load_service  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to information by the PerFact Innovation GmbH & Co. KG, the  
described security issue has been fixed in PerFact DB_Utils (toolkit)  
software version 3.2.  
  
Please contact the manufacturer for further information or support.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-12-18: Vulnerability reported to manufacturer  
2016-01-18: Response from manufacturer with detailed information about  
the reported security vulnerability and its solution status  
2016-02-05: E-mail to manufacturer according two open questions  
2016-02-05: Response from manufacturer with further information  
2016-02-29: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product Web Site for perfact::mpa  
http://perfact.de/mpa/index_html  
[2] SySS Security Advisory SYSS-2015-072  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-072.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Matthias Deeg and Sven Freund  
of the SySS GmbH.  
  
E-Mail: matthias.deeg (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc  
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB  
  
E-Mail: sven.freund (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc  
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBCgAGBQJW0/AKAAoJENmkv2o0rU2r9x4P/12EapQ3vvrXRj7P5UEev2YY  
Ptb4U7uOj9+Ob1KGuGqVDR1aARth0kl06BrpzeuU9VS8xymx5VWtT+l4iTjdVyQG  
AdY7Dn7u8seeSmVnZL1Fb5HYypo23e/losoNzwbbdR0Ajb5nakCeKjo4jqQFm6Cu  
pQOiXLiQHJtym16MB9YTdz69kbV74aJOCRwl0PVDFU5kMgQwJ3H29FtaKbdHVRin  
t2Ps+U8Typ7gqsWVBQ/UWRgFio1xIeu/r0sLeBDDPOen2zNKRrUUzEzWErH0soH4  
0z2JzpLEzmiow0b0nMCvq/kI14vzVfjDMB66U3UBwTJPN0Ypvg01KzK6zwkLChz6  
gxESa7oAQ2VobsS4pSVc8lv1QVrkj2T1L7NljUTpqCECBBQscrudGlzQB3CgGPuE  
H0+bCtbJkXU3inV49S/ulVIzUA/4V2C4Xxn+pwb/2xochonsJ81NL9YOB2sE4I7Z  
gG0usf3T3ArMvLVJCD2b0oyjS6BmTTo4JXFEEg+NglBjw8Y+f6ptr5fN6qYYsiVW  
mzod+PHJJO+GloirTJcpPkhtkzwwAepSPM044g0CUPUhXVpKaOMBCdb+ovNq4SV/  
ktKLr3nhuCa2IWjBOIjo7lpokSsEwblrF7h2weLe4mXKxes0oWtXdWOySoy7Z65p  
1UJG4a/0+KbaOhyuaZQk  
=5LZ8  
-----END PGP SIGNATURE-----  
`