[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Hyland OnBase 19.x and below - Insecure Deserialization
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Hyland OnBase 19.x and below - Insecure Deserialization
- From: AdaptiveSecurity Consulting via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Tue, 08 Sep 2020 00:39:59 +0000
CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)
Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase
Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and
OnBase 18 (tested: 18.0.0.32). OnBase Foundation EP2 and OnBase Foundation EP3
were not available to test, but Hyland's response indicates that they are not
likely to have fixed the vulnerabilities, especially given how numerous the
instances of insecure deserialization are.
Credit
-------------------------------------------------
Adaptive Security Consulting
Vulnerability Summary
-------------------------------------------------
Because Hyland OnBase largely relies on client-side validation, the server-side
contains a number of critical deserialization flaws allowing remote attackers
to run arbitrary code on the OnBase server. All versions of OnBase were found
to be equally vulnerable.
Technical Details
-------------------------------------------------
Hyland OnBase uses ASP.NET's BinaryFormatter.Deserialize to deserialize user
input allowing attackers to directly inject bytecode into SOAP messages. Using
ysoserial.net, we were able to create payloads that were then encoded and sent
to the OnBase server where they were executed.
It was also noted that the OnBase server also allows several XML-based attacks,
including insecure XML deserialization using several XML deserialization
libraries, however the use of BinaryFormatter made attacks significantly easier
as ysoserial.net and other tools support it by default while XML-based
deserialization required more manual proof of concept creation. The XML-based
deserialization vulnerabilities are less frequent than the BinaryFormatter
because different deserializers seem to be used within the application.
Two instances of insecure JSON deserialization were also noted that allowed
executing arbitrary code.
It is likely that the Unity Client is also vulnerable, however it was not a
major focus of the penetration test.
Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been
rebuffed as not being something that they have to fix since fixing
vulnerabilities, according to the Director of Application Security, is
"creating custom code" and no known fix is in place. It is recommended that
users try to mitigate the vulnerability by ensuring that the OnBase server is
inaccessible to anyone other than trusted users and that a WAF be used (note
that OnBase can use "optimized" communication that is pure binary -- if this is
used, it will be much harder to configure the WAF to protect against these
vulnerabilities).
Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of
vulnerabilities in medical records management and search applications being
considered by our client
15 May 2019 - The client was provided with the results of the assessment,
including POCs for a number of high and critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same
vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application
Security who said that fixing vulnerabilities was "writing custom code" and
that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's
Application Security Team via email on behalf of client, but attempts were
ignored
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/