Multiple Vulnerabilities in PubliXone

Project Description

Several vulnerabilities have been identified in the software publiXone from the vendor Konzept-iX. Among other things, an attacker can take over arbitrary accounts. Furthermore, an unauthenticated attacker can execute several functions by abusing unprotected API endpoints. This can result in the escalation of privileges in the application, leakage of all user profiles and arbitrary email sending.


Vendor description

“Since it was founded in 1996, our company has been developing and integrating software solutions to organize and streamline processes within print and media prepress as well as in marketing. We have achieved an excellent market position and established our solutions across Europe with our pioneering spirit and our evangelism. Proof of this can be seen in hundreds of installations with countless users. We deliver innovative, unrivalled concepts in the areas of web-to-print, marketing management, print-/marketing-on-demand as well as file management and synchronization. A very important part of the process for us is continuously developing our products and precisely adapting them to our users’ needs.”

Source: https://konzept-ix.com/

Business recommendation

SEC Consult recommends updating publiXone to the latest version (2020.015).

Vulnerability overview/description

1) Account Takeover (CVE-2020-27179)

The password reset functionality can be abused to reset the password of any user. The password reset token is encrypted and contains the user ID and a timestamp. The password for the encryption is hardcoded in the source code of the Java applet. By using this key, an attacker can create valid tokens for any user and set the password to a chosen value.

2) Missing Access Control for API Endpoints (CVE-2020-27183)

In the source code of the Java applet, several endpoints were identified. The endpoints are public and don’t require authentication. The components communicate via serialized Java objects. Among others, the following actions are available:

  • UploadFile
  • DownloadFile
  • GetUserData
  • SendMail
  • SetUserData
  • CreateDir

3) Unauthenticated File Download (CVE-2020-27180)

Via the IXCopy endpoint, files can be downloaded by specifying a unique file ID. The ID is sequential and can be enumerated. No authentication is required to download the files, which are mostly Adobe XCopy files. This issue is not related to the ‘DownloadFile’ vulnerability described in 2).
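Issues 2) and 3) share one root cause: actions are reachable without a session, and object access is keyed only by a guessable ID. The following is an added example (not code from Konzept-iX or from the advisory) showing the server-side pattern that closes both gaps: a single dispatcher that denies every action by default when no authenticated session is present, plus per-record ownership checks so that a valid session for one user cannot read another user's files or profile, or promote its own role. The action names mirror the list above; the Session class, the FILES and USERS tables and all values in them are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class AccessDenied(Exception):
    """Raised for both unauthenticated and unauthorized requests."""


@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated session (assumption: established by a login step)."""
    user_id: int
    is_admin: bool = False


# Constructed sample records standing in for the application's database.
FILES = {
    101: {"owner": 1, "name": "brochure.indd"},
    102: {"owner": 2, "name": "flyer.indd"},
}
USERS = {
    1: {"email": "alice@example.invalid", "role": "user"},
    2: {"email": "bob@example.invalid", "role": "user"},
    3: {"email": "admin@example.invalid", "role": "admin"},
}

_handlers: Dict[str, Callable] = {}


def action(name: str):
    """Register a handler under its action name (e.g. 'DownloadFile')."""
    def register(fn: Callable) -> Callable:
        _handlers[name] = fn
        return fn
    return register


def dispatch(name: str, session: Optional[Session], **params):
    """Single entry point for every action: no session means no handler runs."""
    if session is None:
        raise AccessDenied("authentication required")
    handler = _handlers.get(name)
    if handler is None:
        raise AccessDenied("unknown action")
    return handler(session, **params)


@action("DownloadFile")
def download_file(session: Session, file_id: int) -> str:
    record = FILES.get(file_id)
    # Same failure for "no such file" and "not your file", so walking
    # sequential IDs reveals neither existence nor content.
    if record is None or (record["owner"] != session.user_id and not session.is_admin):
        raise AccessDenied("file not available")
    return record["name"]


@action("GetUserData")
def get_user_data(session: Session, user_id: int) -> dict:
    record = USERS.get(user_id)
    if record is None or (user_id != session.user_id and not session.is_admin):
        raise AccessDenied("profile not available")
    return dict(record)


@action("SetUserData")
def set_user_data(session: Session, user_id: int, email: Optional[str] = None,
                  role: Optional[str] = None) -> dict:
    record = USERS.get(user_id)
    if record is None or (user_id != session.user_id and not session.is_admin):
        raise AccessDenied("profile not available")
    # Role is a privileged attribute: only an administrator may change it,
    # which closes the self-promotion path an unchecked endpoint would allow.
    if role is not None and not session.is_admin:
        raise AccessDenied("role change requires administrator")
    if email is not None:
        record["email"] = email
    if role is not None:
        record["role"] = role
    return dict(record)


def try_action(name: str, session: Optional[Session], **params):
    """Return ('ok', result) or ('denied', reason); convenient for tests and demos."""
    try:
        return ("ok", dispatch(name, session, **params))
    except AccessDenied as exc:
        return ("denied", str(exc))
```

The two design points worth copying are that authentication is enforced once, in `dispatch`, rather than remembered (or forgotten) in each handler, and that the denial message for a foreign file is identical to the one for a non-existent file, so an enumerated ID range yields no information.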

4) Hardcoded AES Keys (CVE-2020-27181)

The web application uses a Java applet for editing marketing materials. In the decompiled source code of the applet, a hardcoded AES key has been identified. This can be exploited to accomplish the account takeover described in 1).
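Issues 1) and 4) together show why an encrypted, self-describing reset token fails as soon as the key ships in client code: anyone with the applet can mint a token for any user ID. The following is an added example (not code from Konzept-iX or from the advisory) of the alternative a defender would implement: the token is unforgeable randomness with no structure to decrypt, validity lives only in a server-side store, only the token's hash is persisted, and redemption is bound to one user, time-limited and single-use. The function names, the in-memory store and the 15-minute TTL are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Assumed lifetime of a reset link; pick what your help desk can live with.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store; a real deployment keeps this in the database.
# Maps sha256(token) -> {"user_id": ..., "expires": ...}
_reset_tokens: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: int, now: Optional[float] = None) -> str:
    """Create a single-use reset token for user_id and return it for mailing.

    The token is 32 bytes from the OS CSPRNG. It carries no user ID and no
    timestamp, so there is no secret key to keep on the client and nothing
    to forge: the token is valid only because the server remembers it. Only
    its hash is stored, so a copy of the table does not yield live tokens.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[_digest(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(token: str, user_id: int, now: Optional[float] = None) -> bool:
    """Consume the token: True exactly once, only for the bound user, only within the TTL.

    The entry is removed on every path, so an expired or mis-targeted token
    cannot be retried, and a successful redemption cannot be replayed.
    """
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_digest(token), None)
    if entry is None:
        return False
    if now > entry["expires"]:
        return False
    return entry["user_id"] == user_id
```

The user ID is passed in by the password-change form and checked against the stored binding, not read out of the token; that is the property the advisory's encrypted token lacked, because whoever holds the key can write any user ID into it.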

5) Reflected Cross-Site Scripting (XSS) (CVE-2020-27182)

Several reflected cross-site scripting vulnerabilities have been identified.

Proof of concept

[ Proof of concept has been removed ]

Vulnerable / tested versions

The vulnerabilities were identified in version 2019.045 of publiXone.

Vendor contact timeline

2020-08-03: Sending vulnerability details to vendor.
2020-08-18: Asking vendor for further information (no response).
2020-09-21: Sending reminder to vendor (no response).
2020-10-05: Sending another reminder to vendor (no response).
2020-10-20: Phone call with the vendor confirming the vulnerabilities are fixed in the latest version (2020.015).
2020-10-23: Publishing advisory without the proof of concept code.

Solution

The vulnerabilities have been fixed in version 2020.015.

Workaround

No workaround available.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF Marius Schwarz / @2020


Project Details

  • Title: PubliXone - Multiple Vulnerabilities
  • Product: konzept-ix publiXone
  • Vulnerable version: 2019.045
  • Fixed version: 2020.015
  • CVE number: CVE-2020-27179, CVE-2020-27183, CVE-2020-27180, CVE-2020-27181, CVE-2020-27182
  • Impact: critical
  • Homepage: https://konzept-ix.com/publixone/
  • Found: 2020-05-15
  • By: Marius Schwarz (Office Munich) | SEC Consult Vulnerability Lab