Share
## https://sploitus.com/exploit?id=PACKETSTORM:177959
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Title  
=====  
  
SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API  
  
Status  
======  
  
PUBLISHED  
  
Version  
=======  
  
1.0  
  
CVE reference  
=============  
  
CVE-2023-49231  
  
Link  
====  
  
https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-003/  
  
Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-003.txt  
  
Affected products/vendor  
========================  
  
All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.  
  
Summary  
=======  
  
A wildcard injection inside a prepared SQL statement was found in an   
undocumented Visual Planning[0] 8 REST API route. The combination of   
fuzzy matching (via LIKE operator) and user-controlled input allows   
exfiltrating the REST API key based on distinguishable server responses.   
If exploited, attackers are able to gain administrative access to the   
REST API v2.0.  
  
Risk  
====  
  
The vulnerability allows attackers to obtain a valid API key for the   
Visual Planning REST API v2.0. With such a key, attackers can use   
corresponding endpoints to exfiltrate company data or upload/download   
files. If no external user management (e.g. LDAP) is configured, the API   
key can also be used for user management tasks including the creation of   
administrative users. Since administrators are allowed to upload modules   
using the Visual Planning Admin Center, a compromise of the underlying   
server is likely.  
  
Description  
===========  
  
During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an authentication bypass in Visual Planning's administrative REST API   
v2.0.[1]  
  
Corresponding API routes are implemented in the PlanningWSRestV2.java   
file. A comparison between the documentation and implemented routes   
revealed an undocumented route (documentation accessed on 2024-03-05),   
which is externally reachable via a GET request to the /session endpoint.  
  
The following code snippet shows the corresponding undocumented route,   
which takes the value of the apikey header as an argument:  
  
vp.jar.src/com/visualplanning/webservice/PlanningWSRestV2.java  
/* */ @GET  
/* */ @Path("/session")  
/* */ public Response openSession(@HeaderParam("apikey") String   
apikey, @HeaderParam("keepalive") String keepalive) {  
/* 123 */ if (apikey == null || apikey.trim().isEmpty()) {  
/* 124 */ return   
WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN,   
apikey);  
/* */ }  
/* */  
/* 127 */ WSSession session = WSSession.existsSession(apikey);  
/* 128 */ if (session != null) {  
/* 129 */ return   
WSResponse.instance().error((Response.StatusType)Response.Status.FORBIDDEN,   
"Already opened session for apikey : ", apikey);  
/* */ }  
/* */  
/* 132 */ if (WSSession.getSession(apikey, (keepalive != null &&   
Boolean.parseBoolean(keepalive) == true)) == null) {  
/* 133 */ return   
WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN,   
apikey);  
/* */ }  
/* 135 */ return WSResponse.instance().success("WSSession created   
for apikey : " + apikey);  
/* */ }  
  
Line 132 shows a call to the getSession(apikey, ...) method of the   
WSSession class. Subsequently, the getSession(..) method will call the   
makeSession(apikey, ..) method of the same class.  
  
The following code snippet shows the makeSession(..) method. Line 646   
contains the vulnerable prepared SQL statement, which is prone to   
wildcard injections[2] due to the usage of the LIKE operator in   
combination with user-controlled input:  
  
vp.jar.src/com/visualplanning/webservice/WSSession.java  
/* */ private static WSSession makeSession(String apiKey,   
WSSessionType type) {  
/* 634 */ WSSession wsSession = new WSSession();  
/* 635 */ WebApplicationContext applicationContext =   
WebApplicationContext.getDefaultApplication();  
/* 636 */ UserSession userSession =   
applicationContext.createUserSession();  
/* */  
/* 638 */ DBConnection connection =   
applicationContext.createUserSession().getDBConnection();  
/* 639 */ String databaseName =   
applicationContext.getProperty("Application", "Databasename",   
"VisualPlanning7");  
/* */  
/* 641 */ connection.setPoolMode(false);  
/* 642 */ connection.setDatabase(databaseName);  
/* */  
/* */ try {  
/* 645 */ if (type == WSSessionType.CLIENT) {  
/* 646 */ String planningQuery = "SELECT XMLContent FROM   
Planning WHERE XMLContent LIKE ?";  
/* 647 */ PreparedStatement stmt =   
connection.createPreparedStatement(planningQuery);  
/* 648 */ stmt.setString(1, "%<APIKey>" + apiKey + "</APIKey>%");  
/* 649 */ ResultSet rs = stmt.executeQuery();  
/* */  
/* 651 */ if (!rs.next()) {  
/* 652 */ return null;  
/* */ }  
  
  
The following GET request demonstrates the behavior of injecting a   
percent sign as wildcard character:  
  
GET /vplanning/api/v2/session HTTP/1.1  
Host: vp-host  
apikey: %  
[..]  
  
The server will respond with a success message, indicating that a   
session was created for the used API key:  
  
HTTP/1.1 200  
[..]  
  
WSSession created for apikey : %  
  
Further tests showed that an apikey header payload of '1%' will result   
in a similar success response, if the api key starts with the character   
'1'. A payload with a different non-matching first apikey character like   
'2%' will result in a status code 403 and the error message 'Invalid API   
key (2%)'.  
  
The proof-of-concept script brute_vp_apikey.py[3] was developed in order   
to automate the process of exfiltrating the full apikey. The script can   
be executed as follows against a vulnerable Visual Planning instance and   
to extract the administrative api key:  
  
$ python3 brute_vp_apikey.py --url http://127.0.0.1:8080  
Visual Planning API Key: 79d4add3-6995-8cae-976b-4aaaddd90616  
  
Solution/Mitigation  
===================  
  
The vendor suggests to update to Visual Planning 8 (Build 240207)  
  
Disclosure timeline  
===================  
  
2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory  
  
Contact/Credits  
===============  
  
The vulnerability was discovered by Lennert Preuth of SCHUTZWERK GmbH.  
  
References  
==========  
  
[0] https://www.visual-planning.com/en/  
[1]   
https://app.swaggerhub.com/apis-docs/VisualPlanning/visual-planning_api_rest_v_2_0_us/2.0-oas3  
[2]   
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection#sql-wildcard-injection  
[3] https://www.schutzwerk.com/en/43/assets/advisories/brute_vp_apikey.py  
  
Disclaimer  
==========  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).  
  
Additional information  
======================  
  
SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/  
  
SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----  
  
iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0QkaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvAZhAArh5MI5kM1lTjcIPPMiDS  
VXJ51Z39qgcXySyrqrKslnP/2a/pfpakD8g161oOTSK/tt9Yd6L/6O5Vywe7Kx5V  
lkVw7bs9J0WCY8aYzJ9RxdALt7HexAG+USgbjFWFajdSNNJ8giBu3P3ZCE8/GbHJ  
0bKd8AN88NKL954olnI6qGbbnOr/QXWuIOWAYF9wXLgEk992hszYgt7SJIrFHuX6  
2TC4iWOv4+72HQiQ8QYXCAZZVBDr3mUPQRBSJ9AZ3x7mxtJtMg8DyW0OATNe9Qlq  
IUO7HFqrPwTQmFKf9whk8QD7/Y9dKTpAjlVzvXe49COqbjOzxmIe7muxwyVlOrqO  
J9ZqreOr/ENLUgYDBaTLSTAHdEFNeqRGPK3dG0yiRSi3dtavJwr8PN1L52qTqLzT  
C+Yrruu6Ac6pSin1Ea9WaXF+YS1ErRcbZxkRD5pS4s6V4NMkV4bDWlDtraQ0rDfL  
AA+TxtA25p34S2MV/b3qAiA66UjrXEb6IJVNx4Rx7X3+gcLgI2w7t3DQEVuPaB3k  
ltT1oV6ei7tqeQpn7usHzlfa6lq7Q3PIRpxYAo0g4kp4cVVblLRNWDpZMK+cBj1N  
MrGP2f50gbpYej/yYHsXNU2pMfbUPoSq3X8uwVCoLvaBSBWx7I3TM1hl0/3wBi/w  
phO+Bauh2QYGX2mFw/mduZM=  
=ycwQ  
-----END PGP SIGNATURE-----  
  
--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX  
  
Phone +49 731 977 191 0  
  
advisories@schutzwerk.com / www.schutzwerk.com  
  
Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer  
  
Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz