SEC Consult SA-20170308-0 :: Multiple vulnerabilities in Navetti PricePoint

--------------ms040901080407030808010902
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

SEC Consult Vulnerability Lab Security Advisory < 20170308-0 >
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
              title: Multiple vulnerabilities
            product: Navetti PricePoint
 vulnerable version: 4.6.0.0
      fixed version: 4.7.0.0 or higher
         CVE number: -
             impact: high/critical
           homepage: http://www.navetti.com/
              found: 2016-07-18
                 by: W. Schober (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Mo=
scow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Z=
urich

                     https://www.sec-consult.com

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Vendor description:
-------------------
"Navetti PricePoint is the ultimate business tool for controlling, managi=
ng and
measuring all aspects of your pricing. Our clients have been able to incr=
ease
their revenue and profitability substantially, implement market- and valu=
e-based
pricing, increase customer trust and implement a common business language=

throughout their organization. In addition, with Navetti PricePoint our c=
lients
are able to implement governance processes, manage risk and ensure organi=
zation
compliance, and attain business sustainability."

Source:
http://www.navetti.com/our-expertise/navetti-pricepoint/


Business recommendation:
------------------------
During a quick security check, SEC Consult identified four vulnerabilitie=
s,
which are partially critical. As the time frame of the test was limited, =
it is
suspected that there are more vulnerabilities in the application.

It is highly recommended by SEC Consult to apply the patch resolving the
identified vulnerabilities before using Navetti PricePoint in an environm=
ent
with potential attackers.


Vulnerability overview/description:
-----------------------------------
1) SQL Injection (Blind boolean based)
Navetti PricePoint is prone to SQL injection attacks. The attacks can be
executed by all privilege levels, ranging from the lowest privileged user=
s to
the highest privileged users.

By exploiting this vulnerability, an attacker gains access to all records=

stored in the database with the privileges of the database user.

2) Multiple persistent cross site scripting vulnerabilities
The web application suffers from multiple persistent cross site scripting=
 issues.
Low privileged users as well as high privileged users, are able to inject=

malicious JavaScript payloads persistently in the application. This
vulnerability is even more critical, because it can be used by a low priv=
ileged
user who wants to elevate his privileges. The low privileged attacker can=

place a payload which creates a new superuser, or add his own account to =
the
superuser group. If a superuser logs in to the application, the JavaScrip=
t
payload is executed with the rights of the superuser and the new user is
created or added to the superuser group.

3) Multiple reflected cross site scripting vulnerabilities
Navetti PricePoint suffers from multiple reflected cross site scripting i=
ssues.
The code which is used to generate error messages inside of the applicati=
on,
does not correctly escape/sanitize user input. Due to that all error mess=
ages
containing user input are prone to reflected cross site scripting attacks=
=2E
Furthermore the file upload dialog does not correctly sanitize the file n=
ame of
uploaded files. If a file name contains a JavaScript payload, it is execu=
ted in
the file upload dialog.

4) Cross Site Request Forgery
Navetti PricePoint doesnt implement any kind of cross site request forge=
ry
protection. Attackers are able to execute arbitrary requests with the pri=
vileges
of any user. The only requirement is, that the victim clicks on a malicio=
us
link. For example an administrator can be forced to execute unwanted acti=
ons.
Some of these actions are:

  -) Add users
  -) Delete users
  -) Add users to an arbitrary role
  -) Change internal settings of the application


Proof of concept:
-----------------
1) SQL Injection (Blind boolean based)
The search function in the tree structure, which displays various groups,=
 does
not properly validate user input, allowing an attacker with any privilege=
 level
to  inject arbitrary SQL commands and read the contents of the whole data=
base.

The following URL could be used to perform blind SQL injection attacks:
-) URL: /NBN.Host/PMWorkspace/PMWorkspace/FamilieTreeSearch
  (Parameter: searchString, Type: GET)

2) Multiple persistent cross site scripting vulnerabilities
The following URL parameters have been identified to be vulnerable agains=
t
persistent cross site scripting:

-) URL: /NBN.Host/Component/Competitors/AddEdit (Parameter: name,POST)
-) URL: /NBN.Host/Component/ItemSearchGrid/EditData (Parameter: Quality10=
5,POST)
-) URL: /NBN.Host/component/GroupInfo/SaveGroup (Parameter: name,POST)

The proof of concept shows just selected examples of cross-site scripting=

vulnerabilities. Based on the conducted tests, SEC Consult identified tha=
t
proper input validation is lacking.
Due to the limited time frame of the test, it was not possible to verify =
every
single parameter of the application. Therefore, it can be assumed, that t=
here
are similar flaws in other parts of the web application.

3) Multiple reflected cross site scripting vulnerabilities
The application is also prone to reflected cross site scripting attacks. =
The
vulnerabilities were observed in at least two main parts of the applicati=
on.
Those two parts are error messages and the file upload functionality.

-) Error Messages
    Every user input which is reflected in error messages, is not correct=
ly
    escaped and injection of malicious JavaScript code is possible.

-) File uploads
    The file upload functionality is not correctly escaping the filename =
of
    uploaded files. If a victim is forced to upload a special crafted fil=
e, an
    arbitrary JavaScript payload can be triggered and executed in the vic=
tims
    context. An example for a working, but very obvious payload in the fi=
lename
    would be the following example:

    -) <img src=3Dx onerror=3Dalert(document.cookies)>.xlsx

4) Cross Site Request Forgery
The application is prone to cross site request forgery attacks because no=

measures such as CSRF tokens or nounces, are in place. The following proo=
f of
concept deletes the user account
with ID 18:

<html>
<body>
 <script>
    function submitRequest()
    {
        var xhr =3D new XMLHttpRequest();
        xhr.open("POST", "https://($IP|$Domain)/NBN.Host/PermissionsManag=
ement/
        PermissionsManagement/DeleteUsers", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=3D0.5");
        xhr.setRequestHeader("Content-Type", "text/plain");
        xhr.withCredentials =3D true;
        var body =3D "{"DeleteAll":false,"UserIDs":["18"]}";
        var aBody =3D new Uint8Array(body.length);
        for (var i =3D 0; i < aBody.length; i++)
                aBody[i] =3D body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    }
</script>
<form action=3D"#">
 <input type=3D"button" value=3D"Submit request" onclick=3D"submitRequest=
();" />
</form>
</body>
</html>

If a victim visits a website, which is hosted by an attacker, the script =
above
would be executed and the user with the userID 18 would be deleted. Due t=
o the
complete absence of measures against cross site request forgery, it can b=
e
assumed that the application is vulnerable for this
kind of attack.


Vulnerable / tested versions:
-----------------------------
SEC Consult tested Navetti PricePoint 4.6.0.0.
This version was the latest version at the time of the discovery.


Vendor contact timeline:
------------------------
2016-07-27: Contacting vendor through info@navetti.com
2016-07-27: Vendor provided a technical contact who is responsible for
            vulnerability coordination, furthermore clear-text communicat=
ion
            was requested.
2016-07-27: Providing advisory and proof of concept through insecure chan=
nel
            as requested.
2016-08-05: Navetti provided a status update concerning a new version of
            Navetti Price Point. The release date of the version, where a=
ll
            the vulnerabilities are fixed, will be provided soon
2016-08-11: Navetti sent an update containing their upcoming release sche=
dule.
            The update of Navetti Price Point, which should fix all the
            vulnerabilities, will be released on 2016-10-01.
2016-10-01: Patch available
2017-03-08: SEC Consult releases security advisory


Solution:
---------
Update to the latest version available. According to Navetti, all the
vulnerabilities are fixed in release 4.7.0.0.

According to the vendor, they have further improved their software securi=
ty
since our initial contact.


Workaround:
-----------
No workaround available


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. I=
t
ensures the continued knowledge gain of SEC Consult in the field of netwo=
rk
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evalu=
ation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and v=
alid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consu=
lt?
Contact our local offices https://www.sec-consult.com/en/About/Contact.ht=
m
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Schober / @2017


--------------ms040901080407030808010902
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
CxgwggSvMIIDl6ADAgECAhEA4CPLFRKDU4mtYW56VGdrITANBgkqhkiG9w0BAQsFADBvMQsw
CQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4
dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTE0MTIyMjAwMDAwMFoXDTIwMDUzMDEwNDgzOFowgZsxCzAJBgNVBAYTAkdCMRswGQYD
VQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNP
TU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhDT01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVu
dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAImxDdp6UxlOcFIdvFamBia3uEngludRq/HwWhNJFaO0jBtgvHpRQqd5jKQi3xdh
TpHVdiMKFNNKAn+2HQmAbqUEPdm6uxb+oYepLkNSQxZ8rzJQyKZPWukI2M+TJZx7iOgwZOak
+FaA/SokFDMXmaxE5WmLo0YGS8Iz1OlAnwawsayTQLm1CJM6nCpToxDbPSBhPFUDjtlOdiUC
ISn6o3xxdk/u4V+B6ftUgNvDezVSt4TeIj0sMC0xf1m9UjewM2ktQ+v61qXxl3dnUYzZ7ifr
vKUHOHaMpKk4/9+M9QOsSb7K93OZOg8yq5yVOhM9DkY6V3RhUL7GQD/L5OKfoiECAwEAAaOC
ARcwggETMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBSSYWuC
4aKgqk/sZ/HCo/e0gADB7DAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAd
BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFs
Q0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVz
ZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQELBQADggEBABsqbqxVwTqriMXY7c1V86prYSvACRAj
mQ/FZmpvsfW0tXdeDwJhAN99Bf4Ss6SAgAD8+x1banICCkG8BbrBWNUmwurVTYT7/oKYz1gb
4yJjnFL4uwU2q31Ypd6rO2Pl2tVz7+zg+3vio//wQiOcyraNTT7kSxgDsqgt1Ni7QkuQaYUQ
26Y3NOh74AEQpZzKOsefT4g0bopl0BqKu6ncyso20fT8wmQpNa/WsadxEdIDQ7GPPprsnjJT
9HaSyoY0B7ksyuYcStiZDcGG4pCS+1pCaiMhEOllx/XVu37qjIUgAmLq0ToHLFnFmTPyOInl
tukWeh95FPZKEBom+nyK+5swggZhMIIFSaADAgECAhAriv4GJbNgG4KONRhUqx20MA0GCSqG
SIb3DQEBCwUAMIGbMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy
MRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UE
AxM4Q09NT0RPIFNIQS0yNTYgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1h
aWwgQ0EwHhcNMTcwMzAxMDAwMDAwWhcNMjAwMjI5MjM1OTU5WjCCAVcxCzAJBgNVBAYTAkFU
MQ0wCwYDVQQREwQyNzAwMRowGAYDVQQIExFOaWVkZXJvZXN0ZXJyZWljaDEVMBMGA1UEBxMM
V3IuIE5ldXN0YWR0MRkwFwYDVQQJExBLb21hcmlnYXNzZSAxNC8xMS4wLAYDVQQKEyVTRUMg
Q29uc3VsdCBVbnRlcm5laG1lbnNiZXJhdHVuZyBHbWJIMUkwRwYDVQQLE0BJc3N1ZWQgdGhy
b3VnaCBTRUMgQ29uc3VsdCBVbnRlcm5laG1lbnNiZXJhdHVuZyBHbWJIIEUtUEtJIE1hbmFn
MR8wHQYDVQQLExZDb3Jwb3JhdGUgU2VjdXJlIEVtYWlsMSYwJAYDVQQDEx1TRUMgQ29uc3Vs
dCBWdWxuZXJhYmlsaXR5IExhYjEnMCUGCSqGSIb3DQEJARYYcmVzZWFyY2hAc2VjLWNvbnN1
bHQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5+LisxDXcLwArMnTESPr
5G/6PY0xWAvPc81sZGgHbf4at31qtZn9eVMGAPx4nJShJVZsB3+0OavWSM1PvcsMgVp8ovIf
gnE05A/LZ4k38pMU+Zl0pcGx5TFQevKmCDwqV9JqLIoleIKHCeQVmZhGC7zccEYvKtvQqWsq
VJDFHPZisoIGl9YS048T8c9al1FQtIx3SDtxZhyigHI1t8kFAHloWGP8KCMIMX6g9FlTIlnQ
YFUAkQ/49KRyUDEHdRZey9hQLuvrgRKWZn1TxeTWW41IZKUQC6Lhb3LgrQzUQoR7dbdASh+3
sqiw1642dkyxChRoOptpoC1Wo5HLTELzYQIDAQABo4IB4DCCAdwwHwYDVR0jBBgwFoAUkmFr
guGioKpP7GfxwqP3tIAAwewwHQYDVR0OBBYEFBEBR5dneBkup36i0hf8pUVsEpMlMA4GA1Ud
DwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcD
AjBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEDBTArMCkGCCsGAQUFBwIBFh1odHRwczovL3Nl
Y3VyZS5jb21vZG8ubmV0L0NQUzBdBgNVHR8EVjBUMFKgUKBOhkxodHRwOi8vY3JsLmNvbW9k
b2NhLmNvbS9DT01PRE9TSEEyNTZDbGllbnRBdXRoZW50aWNhdGlvbmFuZFNlY3VyZUVtYWls
Q0EuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDBYBggrBgEFBQcwAoZMaHR0cDovL2NydC5jb21v
ZG9jYS5jb20vQ09NT0RPU0hBMjU2Q2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFp
bENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCMGA1UdEQQc
MBqBGHJlc2VhcmNoQHNlYy1jb25zdWx0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAQ9HL1/pw
/3RSCgHwSKfAejchG11KoLrm+7xdqBC1nVgJaQeX8smjraljd1PAL4KthtNP0Tr+DNr4d4hQ
WwHz/LnB0iap44v8LTaHTDUbWYD5NsOg8sD1JMQI8Jt6vC7Im+9O/rHxmvhL18hWoK4aIK/k
QG7eOfO5UmurKh7StuhE3t4KKEQnSTUCy+kNe8ut4KZdRs+o+mpSH09ecLo99Qs/FuaZMTgh
hZWkcSC1YT1jQDIF3lRDk+/+HbQ0h34tgPi/wJlI/7moci7B2AzYWFeHWcrGnuE6kZkRWtQV
F/u1NODSMp1DU3EzHLueYNufSYLWHh+yyzNnaoP5u7oLeDGCBEEwggQ9AgEBMIGwMIGbMQsw
CQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxm
b3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UEAxM4Q09NT0RPIFNIQS0y
NTYgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0ECECuK/gYls2Ab
go41GFSrHbQwDQYJYIZIAWUDBAIBBQCgggJhMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTE3MDMwODA5MzUxOVowLwYJKoZIhvcNAQkEMSIEIFih4eIox7pU
kP4CXTfLrAV3+aPgPHaMzo6EWIgdborkMGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEq
MAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwIC
AUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgcEGCSsGAQQBgjcQBDGBszCBsDCBmzELMAkG
A1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9y
ZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2
IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAriv4GJbNgG4KO
NRhUqx20MIHDBgsqhkiG9w0BCRACCzGBs6CBsDCBmzELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RP
IENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNh
dGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAriv4GJbNgG4KONRhUqx20MA0GCSqGSIb3DQEB
AQUABIIBAKeV2AB4jxK6SPS1urN0/tnkB7zT17BlgwY4sr+nFSx/sEWKJZnr9yRm2dU5+Wx1
N+Q4zuUvd+m78kaVwerSpwxgONYHivC0nyPrfAnSCQw9j1EVCF0fXwo62gZDWkMSido9gaUO
u8t6IlfrP3VVKwyyJRQ4KS9Y3kDrXa/Rcmuuxehr1oKudAT2qJ3F9NdMvF153rBaw9fDvVdg
zRayRvgOVX3V5SLWM84GEs2Q5KW7v8HXcOdXfUh/ySHjviBdEOeRR/b6iqtmjXlCnDEIGLcV
qK6DwWJn22HLZ7iaPBNHbVxid9emlw6v62fVYNjirI1zMf5An7fYX1q4MVMJjRAAAAAAAAA=
--------------ms040901080407030808010902--