Security
Headlines
HeadlinesLatestCVEs

Headline

Serenity / StartSharp Software File Upload / XSS / User Enumeration / Reusable Tokens

Serenity and StartSharp Software versions prior to 6.7.1 suffer from file upload to cross site scripting, user enumeration, and reusable password reset token vulnerabilities.

Packet Storm
#xss#vulnerability#web#mac#ubuntu#js#git#java#perl#nginx#auth#asp.net

SEC Consult Vulnerability Lab Security Advisory < 20230516-0 >

           title: Multiple Vulnerabilities  
         product: Serenity and StartSharp Software  

vulnerable version: < 6.7.1
fixed version: 6.7.1 or higher
CVE number: CVE-2023-31285, CVE-2023-31286, CVE-2023-31287
impact: high
homepage: https://serenity.is
found: 2023-02-28
by: Fabian Densborn (Office Vienna)
SEC Consult Vulnerability Lab

                  An integrated part of SEC Consult.  
                  SEC Consult is part of Eviden, an Atos business  
                  Europe | Asia | North America

                  https://www.sec-consult.com

=======================================================================

Vendor description:

Serenity Software is a software vendor that distributes the Serenity Platform.
“Serenity is an ASP.NET Core / TypeScript application platform designed to
simplify and shorten development of data-centric business applications with
a service based architecture.”

Source: https://github.com/serenity-is

Business recommendation:

SEC Consult recommends Serenity users to install the latest update and review
the vendor’s changelog for further information.

Furthermore, an in-depth security analysis performed by security professionals
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:

  1. Arbitrary File Upload to Stored Cross-Site Scripting (XSS) (CVE-2023-31285)
    The application allows users to upload profile pictures for users.
    It was identified that an attacker has the possibility to upload
    arbitrary malicious files. Although some specific file endings are
    not allowed, it is still possible to upload files without an extension.

It was possible to:
• Upload malicious HTML files that will infect the user’s browser with malicious
JavaScript. As a result, the user’s DOM is fully compromised.
• Upload malware that will infect the user’s operating system upon download and
local execution.

Note:
Although the option for uploading new profile pictures is only visible to power users,
users with lower privileges can still trigger the upload functionality.

  1. User Enumeration (CVE-2023-31286)
    It is possible to collect valid email addresses by interacting with the
    “forgot password” function of the application. This vulnerability is
    useful to increase the efficiency of brute-force attacks. If the email
    address is known, it is easier to find the corresponding password.

  2. Reusable Password Reset Tokens (CVE-2023-31287)
    The web application provides the possibility to reset the password via
    email. The corresponding email contains a password reset link which includes
    a user-specific token. When visiting the link, the user can set a new
    password for this account. After changing the password, the password reset link
    remains valid (3 hours) and can be used a second time to change the password
    of the user.

Proof of concept:

  1. Arbitrary File Upload to Stored Cross-Site Scripting (XSS) (CVE-2023-31285)
    A user can upload arbitrary files to the server, but some file extensions
    like .aspx are not allowed. Nevertheless, malicious files like Word documents
    with enabled macros or other executable malware can be uploaded. There also
    seems to be no anti-virus scan enabled for these files, as it is possible to
    upload the EICAR test file which is flagged as malicious by all antivirus
    software.

Additionally, it is also possible to attack a privileged power user, by
generating a malicious HTML page, that on visit escalates the role of the
attacker user. This is possible, because the file is uploaded to the same
domain and therefore the containing JavaScript executes in the same context as
the application. The impact of this vulnerability is therefore equal to that
of a stored XSS vulnerability.

To upload a malicious HTML file an authenticated user without the role of a
power user can send the following request:


POST /File/TemporaryUpload HTTP/2
Host: demo.serenity.is
Cookie: […]
Content-Type: multipart/form-data; boundary=–boundary
Origin: https://demo.serenity.is
[…]

–boundary
Content-Disposition: form-data; name="Serenity_ImageUploadEditor31[]“; filename="test.html”
Content-Type: image/png

<html>
<head></head>
<body>
<h1>SEC Consult</h1>
<script>alert(document.domain)</script>
</body>
</html>
–boundary–


The response reveals the path of the uploaded file:

HTTP/2 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: application/json
[…]

{
"TemporaryFile":"temporary/f3c960aca7724409a3c4c6e597ce5b92.html",
"Size":110,
"IsImage":false,
"Width":0,
"Height":0
}


The uploaded file can then be found under /upload/temporary/f3c960aca7724409a3c4c6e597ce5b92.html.

The final link will look benign thus it is possible to attack administrator
users and escalate the privileges of the own user.

  1. User Enumeration (CVE-2023-31286)
    The “forgot password” page lets users request a new password reset mail.
    They need to enter their email address which corresponds to their account
    and receive a mail containing a link to reset their password. Unfortunately,
    the response of this request leaks if a user with the provided email address
    exists or not. If an attacker wants to check if a user account with a
    specific email exists, he can send the following request:

POST /Account/ForgotPassword HTTP/2
Host: demo.serenity.is
Origin: https://demo.serenity.is
Content-Type: application/json
[…]

{
“Email":"[email protected]
}


If the user with this mail does not exist, the response will look like this:

HTTP/2 400 Bad Request
Server: nginx/1.18.0 (Ubuntu)
Content-Type: application/json

{
"Error": {
"Code":"CantFindUserWithEmail",
“Message":"Can’t find a user with that e-mail adress!”
}
}


If the user with this mail address does exist, the response will look like
this:


HTTP/2 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: application/json
[…]

{}

  1. Reusable Password Reset Tokens (CVE-2023-31287)
    When resetting the password via the “forgot password” functionality on the
    login screen, an email containing a password reset link is sent to the user.
    When clicking on this link, a user can choose a new password for his account.
    However, after changing the password to a new one, the password reset link
    remains valid. It can be used a second time to update the user’s password
    although it was already changed. If an attacker gets access to the browser
    history of the user, he can change the password of the user’s account and
    access it afterwards.

Vulnerable / tested versions:

The following versions are affected:
< 6.7.0

Vendor contact timeline:

2023-04-05: Contacting vendor through [email protected]
2023-04-05: Vendor responds to send advisory to [email protected]
2023-04-05: Advisory sent to vendor.
2023-04-06: Vendor released fixes for all three vulnerabilities,
file upload vulnerability was not fixed properly though.
2023-04-07: SEC Consult informs vendor about not properly fixed file upload.
2023-04-07: Vendor released proper fix for file upload vulnerability in v6.7.1.
2023-04-27: CVE numbers assigned.
2023-05-16: Public release of security advisory.

Solution:

The vendor provides a patch v6.7.1 which includes the fixes for the identified
security issues.

The new version can be downloaded here:
https://github.com/serenity-is/Serenity

The vendor explicitly notes the following in the changelog:

“Serene/StartSharp users must either create a new project from the 6.7.0+ template
or manually apply the relevant changes from this commit to their existing
applications after updating Serenity packages to 6.7.0+”

Workaround:

None

Advisory URL:

https://sec-consult.com/vulnerability-lab/


SEC Consult Vulnerability Lab

SEC Consult is part of Eviden, an Atos business  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part  
of Eviden, an Atos business. It ensures the continued knowledge gain of SEC  
Consult in the field of network and application security to stay ahead of the  
attacker. The SEC Consult Vulnerability Lab supports high-quality penetration  
testing and the evaluation of new offensive and defensive technologies for our  
customers. Hence our customers obtain the most current information about  
vulnerabilities and valid recommendation about the risk profile of new  
technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/


Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Fabian Densborn / @2023

Related news

GHSA-93h6-wx7r-mgfp: Cross Site Scripting (XSS) in Serenity

An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an administrator user.

GHSA-2hp9-3xfr-r9w2: Insufficient token expiration in Serenity

An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.

CVE-2023-31287: :up: 6.7.0 · serenity-is/Serenity@11b9d26

An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution