ScrutisWeb exposes a serious vulnerability that can remotely control ATMs around the world!


In early 2023, Synack Red Team (SRT) members Neil Graves, Jorian van den Hout, and Malcolm Stagg discovered four vulnerabilities: CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189.

In July 2023, France-based software company Iagona patched the vulnerabilities in version 2.1.38 of its ScrutisWeb web application.

Synack Red Team (SRT) security researchers around the world regularly discover vulnerabilities in the infrastructure and network servers of Synack customers. On certain Synack targets, SRT members can collaborate with one another to make the most of their combined skill sets.

In recent work for a Synack customer, an SRT team discovered a set of software flaws in ScrutisWeb, a security solution used to monitor bank and retail ATM fleets.

Iagona, the developer of ScrutisWeb, said that ScrutisWeb can be accessed through any browser and helps organizations around the world monitor ATMs and improve response times when problems arise. ATM fleets can include sensitive equipment such as check deposit machines and payment terminals at restaurant chains.

ScrutisWeb has a range of features:

  • Restart or shut down a terminal or an entire fleet
  • Retrieve banking service information
  • Monitor (ATM) bank card readers
  • Send and receive files (to ATM)
  • Modify data remotely (on ATMs)

Target enumeration

The Synack customer's scope for this engagement covered more than 1,000 unique IP addresses. During the initial investigation, the researchers noticed a web server sending an oversized 23MB JavaScript file to visitors. This file contained a function that lets the client download a given path within the server's webroot:

this.window.location.href = "/Download.aspx?folder=" + name;

The researchers discovered that supplying "/" as the folder name causes ScrutisWeb to zip up the entire webroot and send it to the browser as a download. So they used the function exactly as designed to download the whole webroot directory. Inspection of Download.aspx revealed that it calls the "Scrutis.Front.dll" library, which appears to handle most of the user-facing functionality.

CVE-2023-33871: Absolute path traversal

The researchers also noticed that "Download.aspx" accepts either a "file" or a "folder" parameter. They quickly found the really interesting part: the string handling for individual file downloads:

// path1 is the "file" URL parameter; a colon anywhere in it makes the server use it as a raw OS path
str = !path1.Contains(":") ? this.Server.MapPath(path1) : path1;

This code looks at the "path1" variable, which is passed to the method as the "file" parameter of the URL. If the parameter does not contain a colon, the web server returns the file relative to the webroot; for example, "https://example.com/Download.aspx?file=thisfile.txt" downloads the file at "/thisfile.txt" under the webroot. However, if the parameter contains a colon, the web server returns an arbitrary file from the host's file system; for example, "https://www.example.com/Download.aspx?file=c:\file.txt" downloads the file at "c:\file.txt" on the server. Success! Configuration, logs and the database can be downloaded from the server.
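The resolution logic above, reproduced as an added Python example (not code from the page or from Iagona) alongside a hardened version that confines downloads to the webroot. The webroot path is constructed for the example; ntpath is used so Windows path semantics apply on any platform.

```python
import ntpath

# Constructed webroot for the example; the real ScrutisWeb install path is not given on the page.
WEBROOT = r"C:\inetpub\wwwroot"


def resolve_vulnerable(path1: str) -> str:
    """Mirror the decompiled ternary: any colon switches to a raw OS path."""
    if ":" not in path1:
        # Server.MapPath equivalent: treat the value as relative to the webroot
        return ntpath.normpath(ntpath.join(WEBROOT, path1.lstrip("/\\")))
    return path1  # "c:\file.txt" is served verbatim: absolute path traversal


def resolve_hardened(path1: str):
    """Confine the download to the webroot. Returns the full path, or None if rejected."""
    rel = path1.lstrip("/\\")  # MapPath-style: a leading slash means the application root
    if not rel or ":" in rel:  # drive letters and NTFS alternate data streams both use ':'
        return None
    full = ntpath.normpath(ntpath.join(WEBROOT, rel))  # collapses any '..' segments
    root = ntpath.normcase(WEBROOT) + ntpath.sep
    if not ntpath.normcase(full).startswith(root):  # '..' walked out of the webroot
        return None
    return full


if __name__ == "__main__":
    for candidate in ["thisfile.txt", r"c:\file.txt", r"..\..\windows\win.ini"]:
        print(f"{candidate!r:32} vulnerable={resolve_vulnerable(candidate)!r} "
              f"hardened={resolve_hardened(candidate)!r}")
```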

CVE-2023-35189: Remote Code Execution

Upon further examination of Scrutis.Front.dll, the researchers discovered the AddFile() method. AddFile() accepts a multipart form POST request and stores the uploaded file in the web directory "/Files/telechar/".

This means that an unauthenticated user can upload any file and then retrieve it via a web browser. The real problem is that the directory where uploaded files end up is configured so that uploaded scripts are interpreted and executed. The researchers created a proof of concept (poc.asp) that runs the simple command "ipconfig /all" and uploaded it to the server. They then visited "https://[redacted]/poc.asp", and the server executed "ipconfig /all" and returned its output: command execution was confirmed.

Typically, RCE is thought of as the culmination of an exploit chain. In this case, however, greater malicious value could be obtained by exploiting the remaining vulnerabilities to gain user access to the ATM controller. Each vulnerable call is found in Scrutis.Front.dll and can be used without authentication.

CVE-2023-38257: Insecure direct object reference

The researchers discovered that the prototype of the GetUserDetails method takes a single integer from the body of an HTTP POST request:

[HttpPost] public UIUser GetUserDetails([FromBody] int idUser)

Moreover, the idUser parameter appears to be a sequential integer starting at 1. Sending a POST with the number 1 to this function makes the service return the details of the user "administrateur", including the encrypted password.

CVE-2023-35763: Hardcoded encryption key

Since the password was apparently encrypted rather than hashed, the researchers decided to reverse engineer the encryption mechanism. Searching the method names for the word "crypt" reveals a decryption function that takes the ciphertext as input and returns a plaintext UTF8 string. One line in this function exposes the plaintext string used as the key to encrypt and decrypt user passwords:

public static string Decrypt(string cipherString, bool useHashing)
{
    ...
    // the key is a constant string compiled into Scrutis.Front.dll
    numArray = cryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes("ENCRYPTIONKEY"));
    ...
    return Encoding.UTF8.GetString(bytes);
}

The researchers wrote a simple Python script that takes the encrypted passwords obtained through CVE-2023-38257 and decrypts them to plaintext. At this point, one can log in to ScrutisWeb as an administrator.
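An added Python example (not the researchers' script and not Iagona's code) showing why the scheme above fails and what should replace it: a key derived from a constant string is reproducible by anyone who can read the binary, whereas a per-user salted PBKDF2 verifier cannot be reversed at all. The hash algorithm used in derive_key_from_constant() is an assumption; the page does not name the one in the DLL.

```python
import hashlib
import hmac
import os

# Placeholder standing in for the literal string shown compiled into the DLL.
HARDCODED_KEY = "ENCRYPTIONKEY"


def derive_key_from_constant(secret: str = HARDCODED_KEY) -> bytes:
    """Same shape as ComputeHash(Encoding.UTF8.GetBytes("ENCRYPTIONKEY")).

    SHA-256 is an assumption for the example. Whatever the real algorithm is,
    the output depends only on a string that ships inside Scrutis.Front.dll,
    so every deployment shares one key and decryption needs nothing else.
    """
    return hashlib.sha256(secret.encode("utf-8")).digest()


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Store a one-way verifier instead of a reversible ciphertext."""
    salt = os.urandom(16)  # fresh per user, so equal passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```

Even if an IDOR like CVE-2023-38257 leaks the stored record, a PBKDF2 verifier yields no password to log in with.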

Impact

Together, CVE-2023-38257 and CVE-2023-35763 make it possible to log in to the ScrutisWeb management console as an administrator. From there, malicious actors can monitor the activity of individual ATMs in a fleet. The console also allows an ATM to be switched into administrative mode, files to be uploaded, and machines to be rebooted or shut down completely. Further examination would be required to determine whether custom software could be pushed to individual ATMs to perform card data exfiltration, SWIFT transfer redirection, or other malicious activity; such additional testing was outside the scope of the engagement.

CVE-2023-35189 can also be used to clear logs on ScrutisWeb and remove evidence that malicious actors have been active there. Further exploitation could proceed from this foothold in the customer's infrastructure, making it an internet-facing pivot point for attackers.
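Because the server's own logs can be wiped through CVE-2023-35189, detection should run over IIS logs shipped off the host. The following added Python example (not from the page or from Iagona) flags the four request patterns described above in a constructed, simplified W3C-style log. The GetUserDetails route and the log layout are assumptions for the example; adjust them to the real deployment.

```python
import re
from urllib.parse import parse_qs

# Constructed, simplified IIS W3C lines: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
# The /api/Users/GetUserDetails route is an assumption; the page only names the method.
SAMPLE_LOG = """\
2023-03-01 10:00:01 GET /Download.aspx file=report.txt 198.51.100.7 200
2023-03-01 10:00:05 GET /Download.aspx file=c%3A%5CWindows%5Cwin.ini 198.51.100.7 200
2023-03-01 10:00:09 GET /Download.aspx folder=%2F 198.51.100.7 200
2023-03-01 10:01:00 POST /api/Users/GetUserDetails - 198.51.100.7 200
2023-03-01 10:01:02 POST /api/Users/GetUserDetails - 198.51.100.7 200
2023-03-01 10:02:30 GET /Files/telechar/poc.asp - 198.51.100.7 200
2023-03-01 10:03:00 GET /Files/telechar/manual.pdf - 203.0.113.5 200
"""

# Extensions IIS would hand to a script handler if requested from the upload directory.
SCRIPT_EXT = re.compile(r"\.(asp|aspx|ashx|asmx|cshtml|config)$", re.IGNORECASE)


def classify(line: str):
    """Return a reason string if the request matches one of the known patterns, else None."""
    _date, _time, method, stem, query, _client, _status = line.split()
    stem_l = stem.lower()
    params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
    if stem_l.endswith("/download.aspx"):
        for val in params.get("file", []):
            if ":" in val or ".." in val:  # drive-qualified (CVE-2023-33871) or relative traversal
                return "CVE-2023-33871: path traversal via file parameter"
        for val in params.get("folder", []):
            if val.strip("/\\") == "":  # whole webroot requested as an archive
                return "webroot archive download via folder=/"
    if stem_l.startswith("/files/telechar/") and SCRIPT_EXT.search(stem_l):
        return "CVE-2023-35189: script executed from upload directory"
    if method == "POST" and stem_l.endswith("/getuserdetails"):
        return "CVE-2023-38257: GetUserDetails called (check for sequential idUser)"
    return None


def scan(log_text: str):
    """Yield (time, client_ip, reason) for every flagged line, skipping IIS '#' directives."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        reason = classify(line)
        if reason:
            fields = line.split()
            findings.append((fields[1], fields[5], reason))
    return findings
```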

Fix: update to ScrutisWeb version 2.1.38 as soon as possible

It is worth noting that Iagona takes security issues seriously: it kept the researchers informed of its progress and quickly resolved all four reported problems.


Source: blog.csdn.net/FreeBuf_/article/details/132303371