Multiple critical vulnerabilities in Miss Marple Enterprise Edition

Project Description

Using the hardcoded AES key and IV, an attacker can decrypt the password for the remote inventory server, upload a web shell and execute code on that server. The attacker can then deploy malicious updates via this server to all Miss Marple Agents.


Vendor description

As a global IT company with thirty years of experience, COMPAREX is one of the world’s leading IT service providers and no. 1 software license management company in the EMEA markets. COMPAREX develops innovative services that support management and leverage software products, leading to an overall improvement of workforce productivity. COMPAREX serves corporate customers spanning from small businesses to large international corporations as well as the public institutions supporting every customer during their digital journey towards productivity optimization. The portfolio has a solid foundation in license management, software procurement and cloud services. Substantial professional and managed services complete the portfolio to support customers with services tailored to their business demands.

Source: https://comparexusa.com/about-us/about/

Business recommendation

The vendor provides a patch and users of this product are urged to immediately upgrade to the latest version available.

Vulnerability overview/description

Miss Marple is inventory software that consists of a client and a server part. The client (agent) gathers system information and uploads the results to a remote server as an encrypted ZIP file.

1) Hardcoded AES key (CVE-2018-19233)

A username and an encrypted password were identified in the Miss Marple Inventory Agent configuration file. By decompiling the binary, the encryption was identified as AES-256 with a hardcoded key and initialization vector, so anyone with a copy of the agent can recover the plaintext. The credentials are used to upload the inventory files to a remote server.

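The following Go program is an added illustration of why a key and IV baked into the binary give no protection; it is not SEC Consult's or COMPAREX's code. The key, IV, password and resulting config value are constructed stand-ins for the constants a decompiler would recover from the agent, and AES-256-CBC with PKCS#7 padding and Base64 storage are assumptions about the on-disk format (the advisory only states AES-256 with a hardcoded key and IV). Whoever holds the two constants reverses the config value in a few lines.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed stand-ins for the constants a decompiler would pull out of
// the agent binary. They are NOT the real Miss Marple key and IV.
var (
	hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	hardcodedIV  = []byte("fedcba9876543210")                 // 16 bytes -> one AES block
)

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptConfigPassword mimics what an agent does when it writes its
// configuration: AES-256-CBC with the fixed key and IV, Base64 for storage.
func EncryptConfigPassword(password string) (string, error) {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad([]byte(password), aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, hardcodedIV).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptConfigPassword is all an attacker needs once key and IV are known:
// read the Base64 value out of the config file and run CBC backwards.
func DecryptConfigPassword(encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, hardcodedIV).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	enc, _ := EncryptConfigPassword("Inventory!2018") // constructed sample password
	fmt.Println("value in config file:", enc)
	dec, _ := DecryptConfigPassword(enc)
	fmt.Println("recovered password:  ", dec)
}
```

Two consequences fall out of the code: the key is recoverable from every installed agent, so a single compromised workstation exposes the server credentials of all of them, and because the IV is fixed too, equal passwords produce identical config values across installations. A per-install secret held by the OS (DPAPI on Windows, or a credential store) is what the fixed constants should have been.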
2) Uploading arbitrary files

There are two ways an attacker can upload arbitrary files to the server.

2.1) Patching the application binary to bypass the ZIP file extension check

Using this method it is possible to upload any file to the server, even if the credentials are unknown to the attacker. This works because every file in a specific directory gets uploaded as long as it has the expected file extension, and that extension is only checked on the client side, not on the server side. The check is bypassed by patching the binary: the extension string in MMIA.exe is replaced with the extension of the attacker's file, e.g. ".aspx".

2.2) Using cURL to upload arbitrary files

If the credentials are known to the attacker, it is possible to use tools like cURL to upload arbitrary files to the remote server.

Both ways can be used by an attacker to upload a web shell to the server and execute arbitrary commands.

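To make the server-side point concrete, here is an added Go example of the validation the upload endpoint should perform instead of trusting the agent. It is not the vendor's code; the PUT-to-path endpoint, the size cap and the upload directory are assumptions for the example. It rejects the patched-agent case and the hand-built cURL case alike, because it only looks at the file name and content the server actually received.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"log"
	"net/http"
	"os"
	"path"
	"path/filepath"
	"strings"
)

const maxUpload = 32 << 20 // 32 MiB cap on an inventory archive (assumed)

// Local file header of a non-empty ZIP archive.
var zipMagic = []byte{'P', 'K', 0x03, 0x04}

// ValidateInventoryUpload is the server-side check that the agent's
// client-side extension test cannot replace: it must hold even when the
// agent binary was patched or the request was built by hand with cURL.
// It returns the sanitized file name to store under.
func ValidateInventoryUpload(name string, content []byte) (string, error) {
	base := path.Base(strings.ReplaceAll(name, "\\", "/")) // drop any directory part
	if base == "." || base == "/" || base == "" {
		return "", errors.New("missing file name")
	}
	if !strings.EqualFold(filepath.Ext(base), ".zip") {
		return "", errors.New("only .zip inventory files are accepted")
	}
	if !bytes.HasPrefix(content, zipMagic) {
		return "", errors.New("content is not a ZIP archive")
	}
	return base, nil
}

// UploadHandler wires the check into a PUT /upload/<name> endpoint.
// Authentication is assumed to happen in front of it; the store callback
// keeps the handler testable without touching the file system.
func UploadHandler(store func(name string, content []byte) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		body, err := io.ReadAll(io.LimitReader(r.Body, maxUpload+1))
		if err != nil || len(body) > maxUpload {
			http.Error(w, "upload too large", http.StatusRequestEntityTooLarge)
			return
		}
		name, err := ValidateInventoryUpload(path.Base(r.URL.Path), body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if err := store(name, body); err != nil {
			http.Error(w, "store failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusCreated)
	}
}

func main() {
	uploadDir := "/var/lib/mmia/uploads" // assumed path, outside the web root
	http.Handle("/upload/", UploadHandler(func(name string, content []byte) error {
		return os.WriteFile(filepath.Join(uploadDir, name), content, 0o600)
	}))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The extension and magic-byte checks close the bypass described in 2.1, but the decisive control is where the file lands: an upload directory that the web server never executes from means a file that slips through is still just data, not a web shell. An attacker who already holds the credentials from 1) and sends `curl -T shell.aspx` to this endpoint gets the same 400 as the patched agent.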
3) Missing update validation (CVE-2018-19234)

Besides the Miss Marple Inventory Agent, a Miss Marple Updater Service runs on all clients. This service checks the same server for new versions. If files are uploaded to the right directory on the server, the updater downloads and executes them with the highest privileges (NT AUTHORITY\SYSTEM) without validating the binaries.

This can also be used to escalate privileges on the clients. By uploading a web shell using the methods described in vulnerability 2, an attacker gains sufficient write permissions to access the update directory and to place malicious files on the server. These are then executed as SYSTEM on every client running Miss Marple.

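As an added example, and not the updater's real code (which is not public), the following Go program shows the validation that is missing: a manifest signed with a vendor key pinned in the updater, plus a hash that binds the downloaded installer to that manifest. The manifest layout, the message format and the keys are all constructed for the example; only the requirement that nothing runs before the check passes is the advisory's point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is an assumed update descriptor: version, SHA-256 of the
// installer, and a signature over both made offline with the vendor's
// private key. The private key never leaves the vendor's build system.
type Manifest struct {
	Version   string
	SHA256    string
	Signature []byte
}

// manifestMessage fixes the bytes that get signed; the domain-separation
// prefix stops a signature from being reused for some other message type.
func manifestMessage(version, digest string) []byte {
	return []byte("mm-update-v1\x00" + version + "\x00" + digest)
}

// SignManifest is the vendor-side step.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, manifestMessage(version, digest)),
	}
}

// VerifyUpdate is the check the updater must pass before it starts anything
// as SYSTEM: the manifest must verify against the pinned vendor key, and the
// downloaded installer must hash to the value that was signed. A file an
// attacker dropped into the update directory fails one or the other.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pub, manifestMessage(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the vendor key")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match the signed manifest")
	}
	return nil
}

func main() {
	// Key pair generated on the fly so the example runs offline; in a real
	// updater only the public half exists, compiled into the service.
	pub, priv, _ := ed25519.GenerateKey(nil)
	installer := []byte("constructed installer bytes")
	m := SignManifest(priv, "2.0", installer)
	fmt.Println("genuine update:   ", VerifyUpdate(pub, m, installer))
	fmt.Println("swapped installer:", VerifyUpdate(pub, m, []byte("web shell dropped into the update directory")))
}
```

Anything that fails VerifyUpdate must never be started. The pinned public key belongs in the updater binary, not on the update server, where the same write access that plants a malicious update could replace it. The signed version should also be compared against the installed one so that an older, genuinely signed but vulnerable release cannot be replayed; the example leaves that comparison out.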
Proof of concept

1) Hardcoded AES key (CVE-2018-19233)

No proof of concept will be provided.

2) Uploading arbitrary files

2.1) No proof of concept will be provided. The Unicode string ".zip" in the binary just has to be replaced with the file extension of the uploaded web shell.

2.2) Using cURL to upload arbitrary files

It is possible to upload arbitrary files using cURL and the credentials obtained in 1).

3) Missing update validation (CVE-2018-19234)

No proof of concept will be provided.


Vulnerable / tested versions

The following versions have been tested and found to be vulnerable:

  • Miss Marple Inventory Agent / Miss Marple Updater Service 1.13.


Vendor contact timeline

2018-06-13: Contacting vendor through support-mmee@comparex.com.
2018-07-04: Meeting with the vendor. Reviewed planned fixes.
2018-07-10: Meeting with the vendor. Release of fix dated to 2018-09-30.
2018-09-16: Meeting with the vendor. Reviewed implemented fixes.
2018-10-11: Meeting with the vendor. Scheduled the roll-out for the fixed version.
2018-10-22: Vendor releases patched version.
2018-11-16: Public release of security advisory.

Solution

According to the vendor, all the identified issues have been fixed in version 2.0.

Please update to the latest version immediately.

Workaround

None.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


EOF Marius Schwarz / @2018




Project Details

  • Title: Multiple critical vulnerabilities
  • Product: Miss Marple Enterprise Edition
  • Vulnerable version: <2.0
  • Fixed version: 2.0
  • CVE number: CVE-2018-19233, CVE-2018-19234
  • Impact: Critical
  • Homepage: www.comparex-group.com
  • Found: 2018-05-29
  • By: Marius Schwarz (Office Munich) | SEC Consult Vulnerability Lab
