Multiple Critical Vulnerabilities in SALTO ProAccess SPACE

Project Description

In the software SALTO ProAccess Space, a management software for an access control system from SALTO Systems, which is used to manage RFID cards, RFID card readers, users and various settings, multiple typical web application vulnerabilities got identified. An authenticated attacker was able to exploit a path traversal vulnerability to backup arbitrary files into the web root. This allowed an attacker to export the database into the web root and download it.

Furthermore, it was possible to combine another export feature with the path traversal vulnerability to write arbitrary contents to arbitrary locations on the backend Windows server. Due to the fact, that the web server was running with SYSTEM privileges, privilege escalation and execution of arbitrary code was possible by combining the vulnerabilities described beforehand. Last but not least, an attacker was able to exploit a stored XSS vulnerability and call some API endpoints without authentication, leading to information disclosure.


Vendor description

“SALTO ProAccess SPACE Software is a powerful access control management tool that enables you to program access time zones for each user, manage different calendars and obtain audit trails from each door to see who has passed through it. The software includes special functions such as automatic door status changes, anti-passback and relay management. Thanks to its advanced software features, SALTO ProAccess SPACE is also one of the most user-friendly and powerful software products for the access control management of stand-alone wireless devices, and IP online devices in one converged complete access control platform for the user, keys and doors management.

Source: http://proaccess-space.saltosystems.com/features/

Business recommendation

The vendor provides a patch which should be installed immediately. SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability overview/description

1. Path Traversal (CVE-2019-19458)

Path traversal vulnerabilities allow attackers access to files and directories outside the application root through relative file paths in the user input. During a quick security check, multiple locations in the web application were identified, which allow an attacker to traverse outside of the application root. The vulnerabilities got identified in the “Data Export” as well as “Database Export” functionality. Those vulnerabilities can for example be used to dump the whole database into the web root, by traversing outside of the application root.

2. Arbitrary File Write (CVE-2019-19459)

By further exploiting the path traversal vulnerability inside of the “Data Export” feature, an attacker is able to traverse into arbitrary paths and write arbitrary files with arbitrary contents. Some examples are files to the web root, or bat files into auto start. This allows an attacker to execute arbitrary commands on the server.

3. Stored Cross-Site-Scripting (CVE-2019-19457)

By adding devices to the SALTO network with a JavaScript payload inside of certain parameters, an attacker is able to permanently embed arbitrary JavaScript payloads inside of the web application.

4. Webserver running as SYSTEM (Windows Service) per Default (CVE-2019-19460)

The webserver of the SALTO ProAccess SPACE is running as a Windows Service with local SYSTEM permissions per default. This is against the principle of least privilege. An attacker, who is able to exploit the path traversal, or arbitrary file write vulnerability, is basically able to write to every single path on the file system, because the webserver is running with the highest privileges available.

5. Authorization Issues

Multiple API calls were identified in the SALTO ProAccess SPACE web application, that could normally only be called by high privileged users. Nevertheless, by directly calling the API with the OAuth token of a low privileged user, it was possible to call some API calls that shouldn’t be available to them.

6. Cleartext transmission of sensitive data

The SALTO ProAccess SPACE web application allows their users to create so called event streams. Those streams can be used to log events centrally. The stream is transmitted via TCP/UDP in JSON, or CSV format. The stream is transmitted in cleartext and leaks sensitive data such as who opened which door and when including card ids etc.

 

Proof of concept

1. Path Traversal (CVE-2019-19458)

The “Data Export” as well as the “Database Export” features in SALTO ProAccess SPACE allow users to specify a filename for the different exports. By using special characters inside of the filename, an attacker is able to traverse outside of the designated export path and place the exports in arbitrary locations. For example, the following filename can be used in the database export to store the database backup inside of the webroot:
..\..\..\..\SALTO\ProAccess Space\bin\webapp\backup.db
The file can then be easily retrieved via the following link without authentication: http(s)://$IP/backup.db

2. Arbitrary File Write (CVE-2019-19459)

The vulnerability described above can be further developed into an arbitrary file write vulnerability by using the “Data Export” functionality. The webapp lets their users choose an export filename and the fields, which should be exported (e.g. Username, Notes field). To store a file with arbitrary contents on the file system the following steps have to be conducted:

  1. Store the payload inside of an arbitrary field, that can be manipulated by the user. (E.g. Username is set to <img src=x onerror=alert(document.location)> as an example for stored XSS)
  2. Create a new export with the following export file name
    ..\..\SALTO\ProAccess Space\bin\webapp\sectest.html
  3. Finalize the export
  4. Access the file without authentication via http(s)://$IP/sectest.html

 

3. Stored Cross-Site-Scripting (CVE-2019-19457)

By injecting arbitrary JavaScript payloads inside of the name of a SALTO network device (e.g. RFID Wall Reader) an attacker is able to permanently embed malicious JavaScript code inside of the web application that is executed as soon as certain pages are visited.

 

4. Webserver running as SYSTEM (Windows Service) per Default (CVE-2019-19460)

In a standard configuration the SALTO service, which is also serving the webserver on port 8100 is running as a local windows service. Naturally, this results in multiple issues. One of them is, that the webserver is automatically running with SYSTEM privileges.

 

5. Authorization Issues

The following API calls can be accessed by a low privileged user without any permissions (except login permissions) set:

/rpc/DirectoryExists
/rpc/GetLicense

Those API calls can be perfectly used to evaluate, which folders exist on thefile system.

 

6. Cleartext transmission of sensitive data

No PoC available.

Vulnerable/Tested versions

The following versions have been tested:

  • SALTO ProAccess SPACE 5.4.3.0
  • Service Binary Version 4.13.3.404

Vendor contact timeline

2019-05-24Contacting vendor through info@saltosystems.com
2019-05-24Initial response from Salto Systems; providing a PGP public key for encrypted communication
2019-05-24Sending the encrypted advisory to Salto Systems
2019-06-11Requesting a status update.
2019-06-12Vendor responded with a detailed plan on how and when the vulnerabilities are going to be fixed.
2019-09-02Requesting status update.
2019-09-04Vendor provides version information and further release plan updates.
2019-09 – 2019-11Multiple emails exchanged and telephone conferences discussing the vulnerabilities.
2019-12-02Coordinated advisory release.

Solution

Update to SALTO ProAccess SPACE 5.6 which is available to customers through the vendor’s software area.

 

Workaround

None.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF Werner Schober / @2019

Interested to work with the experts of SEC Consult? Send us your application
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.

Project Details

  • TitleMultiple Critical Vulnerabilities in SALTO ProAccess SPACE
  • ProductSALTO ProAccess SPACE
  • Vulnerable version<= v5.5
  • Fixed version>= v5.6
  • CVE numberCVE-2019-19457, CVE-2019-19458, CVE-2019-19459, CVE-2019-19460
  • Impactcritical
  • Homepagehttps://www.saltosystems.com/en/
  • Found2019-05-22
  • ByWerner Schober (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back