In this Section

Security Advisory – ClickSoftware ClickMobile Multiple Security Vulnerabilities

Sense of Security – Security Advisory – SOS-15-003

Release Date.	14-Apr-2015
Last Update.	–
Vendor Notification Date.	24-Jun-2014
Product.	ClickSoftware ClickMobile Mobile Application
Platform.	iOS
Affected versions.	ClickMobile 8.1.9 (v17) and lower
Severity Rating.	High
Impact.	Privilege escalation
	Security bypass
	Manipulation of data
Attack Vector.	Remote with authentication
Solution Status.	Vendor Patch
CVE reference.	–
SAP Security Notes	2111169

Details.

ClickSoftware ClickMobile is a mobile application which provides workforce

management functionality to field engineers. The ClickMobile application

has vertical and horizontal privilege escalation vulnerabilities which

allow mobile users to impersonate other users by only knowing their

username (without their password). The ClickMobile web service has no

access control after the initial NTLM authentication exchange. Attackers

can use this vulnerability to impersonate a privileged user to obtain

unauthorised access to SAP resources or to manipulate SAP data which

requires higher privileges.

ClickMobile also allows verifying the file extension, size, and amount

being uploaded from the client side. Once this verification is performed on

the client side and passed, there is no ability to control the insertion of

files into the MiddleTier DB. Whereby allowing the upload of insecure files.

Solution.

Install the 8.1.10 P2 Security Enhancement msi on the ClickMobile

MiddleTier server.

Make the below configuration changes to fix the insecure file upload

vulnerability:

(This is the DLL name, should be located under the bin folder of the

ClickMobileWeb site)

(This is the <namespace>.<class name> of the code.)

Make the below configuration changes to fix privilege escalation and

unauthorised access vulnerabilities:

Discovered by.

Fatih Ozavci from Sense of Security Labs.