Multiple vulnerabilities in Readsoft Invoice Processing and Process Director

SEC Consult Vulnerability Lab Security Advisory < 20140805-0 >
=======================================================================
title: Multiple vulnerabilities
product: Readsoft Invoice Processing / Process Director
vulnerable version: Invoice Servicepack 5.6, Process Director 7.2
fixed version: -
impact: Critical
homepage: www.readsoft.com
found: 2014-02-27
by: J. Greil, M. Hofer, B. Kopp
    SEC Consult Vulnerability Lab
    www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"ReadSoft has been a pioneer in P2P invoice automation since the 1990s, when
the company first brought free-form technology for invoice processing to
market. Today, ReadSoft continues to be a global leader in business document
process automation, with 2,500+ accounts payable solution applications
worldwide - more than double the total applications of all major competitors
put together."

URL: www.readsoft.com/about-us/who-we-are


Business recommendation:
------------------------
Vulnerabilities have been identified that are based on severe design flaws in
the application. It is highly recommended by SEC Consult not to use this
software until a thorough security review has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Reflected & stored Cross-Site Scripting
An unauthenticated user is able to perform Cross-Site Scripting attacks, e.g.
create relogin Trojan Horses or steal session cookies in the context of the
affected web application "Process Director". Over 120 XSS issues have been
identified and it is assumed that many more exist.

Attackers are able to take over other user accounts and potentially gain
access to invoice data or other sensitive data.


2) Critical design issues
The Readsoft Invoice Processing software contains, for example, the tools /
software products "Manager", "Verify" or "Optimize". Those programs are usually
stored/installed locally on the user's system. They contain configuration
files that point to the global configuration, which is stored on a file server
in a multi-user environment and accessed via network shares.

The software then reads this global configuration file, which contains user
accounts and passwords (some of them in cleartext!) for other integrated
systems such as SAP or database connections.
The client program also connects to the database with a high-privileged user,
and access rights are managed locally on the client!

All users of the software suite must be able to access this network share with
full access rights (read/write) in order for the program to work properly.

Therefore, attackers can not only gain access to sensitive data such as
passwords in cleartext (SAP backend connection, database), scanned invoices,
log & licensing files etc., but potentially manipulate configuration files /
invoices or replace existing executables with malicious code.
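
As an added illustration of the exposure described above (this is example
code written for this page, not part of the SEC Consult advisory and not
ReadSoft code): a small Python audit that walks a mounted share, parses
INI-style configuration files and reports every credential-bearing key
together with whether the auditing user can write to the file. The file name
"global.ini", the section names and the key names in the embedded sample are
constructed assumptions; the real configuration file name is withheld in this
advisory. The audit deliberately reports encrypted-looking values as well,
because the advisory notes that an "encrypted" database password was still
recoverable from the client.

```python
import configparser
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Key names that usually carry a credential; matched case-insensitively.
CREDENTIAL_KEY = re.compile(r"pass(word|wd|phrase)?|pwd|secret|token", re.IGNORECASE)

# Constructed sample in INI style. Section and key names are assumptions for
# this example; they are not taken from a real ReadSoft configuration file.
SAMPLE_CONFIG = """\
; constructed sample configuration, not a real product file
[SAP]
Host = sap.example.internal
User = rfc_invoice
Password = hunter2

[Database]
Server = db.example.internal
User = ip_admin
EncryptedPassword = Q2xlYXJ0ZXh0Pw==

[Logging]
Level = info
"""


@dataclass
class Finding:
    path: str
    section: str
    key: str
    writable: bool  # True when the auditing user could modify the file


def credential_keys(config_text: str) -> List[Tuple[str, str]]:
    """Return (section, key) pairs whose key name looks like a credential
    and whose value is non-empty. Whether a value is cleartext or an
    encrypted blob cannot be decided reliably from the text alone, so every
    stored credential is reported for manual review."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the original key case for reporting
    parser.read_string(config_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if CREDENTIAL_KEY.search(key) and value.strip():
                hits.append((section, key))
    return hits


def audit_share(root: str, extensions=(".ini", ".cfg", ".conf")) -> List[Finding]:
    """Walk a mounted share and report every credential-bearing key found in
    INI-style files, noting whether the file is writable by the caller.
    A writable file is one that any user of the share could tamper with."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = credential_keys(fh.read())
            except (OSError, configparser.Error):
                continue  # unreadable or not INI-style; skip it
            writable = os.access(path, os.W_OK)
            for section, key in hits:
                findings.append(Finding(path, section, key, writable))
    return findings


def demo() -> List[Finding]:
    """Write the constructed sample into a temporary directory that stands
    in for the network share, then audit it."""
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "global.ini"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        return audit_share(share)


if __name__ == "__main__":
    for f in demo():
        state = "WRITABLE" if f.writable else "read-only"
        print(f"{f.path}: [{f.section}] {f.key} ({state})")
```

Run it against the mount point of the real share instead of the temporary
directory to get a list of files that hold credentials and that the current
account could also modify; every such file is both a confidentiality and an
integrity exposure of the kind the advisory describes.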

 

 

Proof of concept:
-----------------
1) Reflected & stored Cross-Site Scripting

The following URLs are only an example of vulnerable functionality which can
be exploited without authentication. Over 120 different issues have been
identified during the crash test:

[ Proof of concept details removed as no patch is available ]


2) Critical design issues
The file "..." contains configuration parameters for the SAP and also database
backend connections.

The SAP password is stored in cleartext. The database password is encrypted,
but it can easily be retrieved by using a debugger (method [...] in [...].dll).
Anti-debugging mechanisms can be circumvented by patching the application.

The database user needs full access rights to the database as the rights
management is done on the client. The user account information is stored in
the table "[...]".


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Invoice Servicepack 5.6 &
Process Director 7.2, which were the most recent versions at the time of
discovery.


Vendor contact timeline:
------------------------
2014-06-03: Requesting security contact via online contact form (no security
            contact or other suitable email addresses found online)
2014-06-06: (no reply) Sending email to info@, info-de@ and CTO of Readsoft
            Attaching responsible disclosure policy & encryption keys
2014-06-12: Asking again for a security contact
2014-06-12: Vendor provides PGP key
2014-06-13: Sending encrypted advisory
2014-06-13: Vendor: will come back with further info
2014-06-24: Asking for status update
2014-07-02: Asking again for the status update, reminder regarding planned
            advisory release date
2014-07-09: Answer from vendor that draft response is created, will send
            approved version as soon as it's ready
2014-08-05: SEC Consult releases security advisory


Solution:
---------
The vendor did not provide any patch information.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

EOF J. Greil / @2014