Vulnerabilities CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189 were discovered by Synack Red Team (SRT) members Neil Graves, Jorian van den Hout, Bui Bao and Malcolm Stagg in early 2023. France-based software company Iagona patched these in July 2023 with version 2.1.38 of its ScrutisWeb web application.
As part of the Synack Red Team (SRT) global network of security researchers, I routinely find vulnerabilities in Synack clients’ infrastructure and web servers. On some Synack targets, SRT members are allowed to collaborate, maximizing our broad range of skill sets.
That was the case during a recent engagement with a Synack client in which a small team of us SRT discovered concerning software flaws in ScrutisWeb, a secure solution for monitoring banking and retail ATM fleets.
ScrutisWeb is accessible from any browser and helps organizations worldwide monitor ATMs and reduce response time if there are problems, according to its developer, Iagona. ATM fleets can include sensitive equipment like check deposit machines as well as payment terminals in a restaurant chain.
ScrutisWeb has a litany of capabilities:
- Rebooting or shutting down a terminal or the entire fleet
- Retrieving information on banking services
- Monitoring the bank card reader (of ATMs)
- Sending and receiving files (to ATMs)
- Modifying data remotely (on ATMs)
Target Enumeration
The Synack client in this engagement had more than 1,000 unique IP addresses in scope for assessment. During initial reconnaissance, we noticed a web server sending an exceptionally large 23MB JavaScript file to visitors.
We discovered a function in the file that allows a client to download full paths within the server’s webroot:
this.window.location.href = "/Download.aspx?folder=" + name;
We determined that supplying a folder name of “/” results in ScrutisWeb compressing the entire webroot and sending it to the browser as a download. We used the feature, in the capacity in which it was designed, to download the webroot. While inspecting Download.aspx, we found it calls the library “Scrutis.Front.dll”, which appears to handle most of the user functions.
CVE-2023-33871: Absolute Path Traversal
We noticed “Download.aspx” takes a parameter of either “file” or “folder”. We saw what “folder” does, which is neat, but we quickly keyed in on the really interesting part, the string that handles individual file downloads:
str = !path1.Contains(":") ? this.Server.MapPath(path1) : path1;
This bit of code looks at the “path1” variable, which is passed to the method as the URL’s “file” parameter. We discovered that if the parameter doesn’t contain a colon, the web server would return the file in relation to the webroot, e.g. “https://example.com/Download.aspx?file=thisfile.txt” would download the file located at “https://example.com/thisfile.txt”. However, with a colon in it, the web server returned the file in relation to the system, for example: “https://www.example.com/Download.aspx?file=c:\file.txt” would download the file located on the server at “c:\file.txt”. Success! We were able to download configurations, logs and databases from the server.
CVE-2023-35189: Remote Code Execution
Further examination of Scrutis.Front.dll showed the method AddFile(). AddFile() accepted a multi-part form POST request and stored the uploaded file into the web directory “/Files/telechar/”.
This meant an unauthenticated user was able to upload any file and then view it again from a web browser. One of many problems is the directory that ended up hosting the uploaded file had been configured to allow interpretation and execution of uploaded scripts. We created a proof of concept (poc.asp) that runs the simple command “ipconfig /all” and uploaded that to the server. Afterward, we visited the website at “https://[redacted]/poc.asp”, and the server executed the system command “ipconfig /all” and returned the response. Success! Command injection.
Normally, one would expect the RCE to be the culmination of an exploit chain. In this case, even more malicious value could be achieved by exploiting the remaining vulnerabilities to gain user access to the ATM controller. Each of the vulnerable calls could be found in Scrutis.Front.dll and used without authentication.
CVE-2023-38257: Insecure Direct Object Reference
We found the GetUserDetails method prototype takes a single integer as the input to an HTTP POST request.
[HttpPost]
public UIUser GetUserDetails([FromBody] int idUser)
We noticed the idUser parameter appears to be a sequential integer value starting at the number 1. By sending a POST with the number 1 to this function, the service returned information about the user “administrateur”, including an encrypted password. Success! Leaked account information about all users on the system.
CVE-2023-35763 Hardcoded encryption key
Since the password was clearly encrypted, we decided to try to reverse engineer the encryption mechanism. Searching the method names for the word “crypt” showed a decrypt function that takes a cipher text as an input and returns a plaintext UTF8 string. We discovered the function includes a line that discloses the plaintext string that is used as the encryption key for encrypting/decrypting the users’ passwords:
public static string Decrypt(string cipherString, bool useHashing)
{
...
numArray = cryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes("ENCRYPTIONKEY"));
...
return Encoding.UTF8.GetString(bytes);
}
We wrote a simple python script that takes the encrypted password discovered using CVE-2023-38257 and decrypts the password into plaintext. Success! Plaintext administrator credentials. At this point, we were able to log into ScrutisWeb as the administrator.
Impact
Although CVE-2023-33871 describes the vulnerability of accessing files outside of the webroot, this same functionality is what allowed us to download the web application for inspection. CVE-2023-38257 and CVE-2023-35763 make it possible to log into the ScrutisWeb management console as an administrator. From here, a malicious actor would be able to monitor activities on individual ATMs within the fleet. The console also allows for dropping ATMs into management mode, uploading files to them, rebooting them, and powering them completely off. Further examination would be required to determine if custom software could be uploaded to individual ATMs to perform bank card exfiltration, Swift transfer redirection, or other malicious activities. However, such additional testing was out of scope of the assessment.
Finally, CVE-2023-35189 can be used to clean logs on ScrutisWeb and remove evidence a malicious actor was ever there. Additional exploitation from this foothold in the client’s infrastructure could occur, making this an internet-facing pivot point for a malicious actor.
Fixing the vulnerabilities
Update to ScrutisWeb version 2.1.38!
Iagona takes security very seriously and was prompt to mitigate the four findings while keeping the researchers informed on progress. We’d like to give a special shout-out to Brandon Tarr for coordinating through the Cybersecurity and Infrastructure Security Agency, which issued its own advisory about the risks posed by these software flaws.