Release Date: 14-Apr-2015

Last Update: –

Vendor Notification Date: 24-Jun-2014

Product: ClickSoftware ClickSchedule Web Application

Platform: –

Affected versions: –

Severity Rating: High

Impact: Privilege escalation
Security bypass
Manipulation of data

Attack Vector: Remote with authentication

Solution Status: Vendor patch

CVE reference: –

Details

ClickSoftware ClickSchedule is a web application which provides workforce management and scheduling functionality to field engineers and managers. The ClickSchedule application and the backend web service have vertical and horizontal privilege escalation vulnerabilities which allow mobile users to impersonate other users by only knowing their username (without their password). The ClickSchedule web service which is connected with the web application itself has no access control after the initial NTLM authentication exchange. Also it uses the CallerIdentity and ID variables in requests as the user identity instead of the identity in the authenticated session data. This allows users to spoof their identities to manipulate the system logging or access control. Attackers can use these vulnerabilities to impersonate a privileged user to obtain unauthorised access to SAP resources or to manipulate SAP data which requires higher privileges.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Install the 8.2 Patch002 Security Enhancement .msi and follow the vendor
instructions contained in the security note.

Discovered By

Fatih Ozavci from Sense of Security Labs.