SEC Consult Vulnerability Lab Security Advisory < 20140805-0 >
=======================================================================
title: Multiple vulnerabilities
product: Readsoft Invoice Processing / Process Director
vulnerable version: Invoice Servicepack 5.6, Process Director 7.2
fixed version: -
impact: Critical
homepage: www.readsoft.com
found: 2014-02-27
by: J. Greil, M. Hofer, B. Kopp
SEC Consult Vulnerability Lab
=======================================================================
Vendor/product description:
---------------------------
"ReadSoft has been a pioneer in P2P invoice automation since the 1990s, when
the company first brought free-form technology for invoice processing to
market. Today, ReadSoft continues to be a global leader in business document
process automation, with 2,500+ accounts payable solution applications
worldwide - more than double the total applications of all major competitors
put together."
URL: www.readsoft.com/about-us/who-we-are
Business recommendation:
------------------------
Vulnerabilities have been identified that are based on severe design flaws in
the application. It is highly recommended by SEC Consult not to use this
software until a thorough security review has been performed by security
professionals and all identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) Reflected & stored Cross-Site Scripting
An unauthenticated user is able to perform Cross-Site Scripting attacks e.g.
create relogin Trojan Horses or steal session cookies in the context of the
affected web application "Process Director". Over 120 XSS issues have been
identified and it is assumed that many more exist.
Attackers are able to take over other user accounts and potentially gain
access to invoice data or other sensitive data.
2) Critical design issues
The Readsoft Invoice Processing software ships with several client tools, e.g.
the programs "Manager", "Verify" and "Optimize". Those programs are usually
stored/installed locally on the user's system. They contain configuration
files that point to the global configuration which is stored on a file server
in a multi-user environment and accessed via network shares.
The software then reads this global configuration file which contains user
accounts and passwords (some of them in cleartext!) for other integrated
systems such as SAP or database connections.
The client program also connects to the database with a high-privileged user
and access rights are managed locally on the client!
All users of the software suite must be able to access this network share with
full access rights (read/write) in order for the program to work properly.
Therefore, attackers can not only gain access to sensitive data such as
cleartext passwords (SAP backend connection, database), scanned invoices, log &
licensing files etc., but can also potentially manipulate configuration files /
invoices or replace existing executables with malicious code.
Proof of concept:
-----------------
1) Reflected & stored Cross-Site Scripting
The following URLs are only an example of vulnerable functionality which can
be exploited without authentication. Over 120 different issues have been
identified during the crash test:
[ Proof of concept details removed as no patch is available ]
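Since the proof-of-concept URLs are withheld, the following is an added defender-side example (not part of the advisory and not Readsoft code) of the kind of detection logic an operator of "Process Director" could run over web server access logs while no patch exists: it parses combined-format log lines, URL/HTML-decodes every query parameter (repeatedly, so double-encoded values are normalised) and flags values containing script injection markers. The log lines, the IP addresses and the "/pd/..." paths are constructed for illustration and do not reflect the real application's URL layout.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-format access log line: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that indicate script injection in a decoded parameter value.
XSS_MARKERS = [
    (re.compile(r"<\s*/?\s*script\b", re.I), "script tag"),
    (re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I), "active html element"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
]

# Constructed sample log lines (hypothetical "/pd/" paths, not the real product URLs).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2014:10:00:01 +0200] "GET /pd/login.aspx?user=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Aug/2014:10:00:02 +0200] "GET /pd/search.aspx?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Aug/2014:10:00:03 +0200] "GET /pd/view.aspx?id=42&name=%22%20onmouseover%3D%22x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Aug/2014:10:00:04 +0200] "POST /pd/save.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def normalize(value: str) -> str:
    """Undo URL and HTML-entity encoding until the value stops changing (max 3 rounds)."""
    for _ in range(3):
        decoded = unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text: str) -> list:
    """Return one finding per query parameter whose decoded value matches an XSS marker."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            norm = normalize(value)
            for pattern, label in XSS_MARKERS:
                if pattern.search(norm):
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "path": parts.path,
                        "param": name, "reason": label, "value": norm,
                    })
                    break  # one finding per parameter is enough
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} param={f['param']!r}: {f['reason']}")
```

The decoding loop matters: a naive filter that matches on the raw request line misses double-encoded values, and the event-handler pattern catches attribute-injection cases where no `<script>` tag appears at all. Findings should feed a SIEM rule keyed on client IP and parameter name rather than block traffic outright, since legitimate invoice text can occasionally contain angle brackets.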
2) Critical design issues
The file "..." contains configuration parameters for the SAP and also database
backend connections.
The SAP password is stored in cleartext. The database password is encrypted
which can easily be retrieved by using a debugger (method [...] in [...].dll).
Anti-debugging mechanisms can be circumvented by patching the application.
The database user needs full access rights to the database as the rights
management is done on the client. The user account information is stored in
the table "[...]".
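As an added example covering the design issues described in both the overview and this proof-of-concept section (not code from the advisory or from Readsoft), the script below audits a configuration file of the kind described: it flags every credential stored in cleartext, flags credentials stored with reversible "encryption" as equally recoverable by anyone who can run the client, lists UNC paths that point at a global configuration on a network share, and checks whether the current (ordinary) user can write to that configuration file. The file name, section and key names, the `ENC:` marker and the share path are all invented for illustration, since the advisory withholds the real ones; the file format (INI) is an assumption.

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# Constructed, hypothetical configuration. Section and key names, the "ENC:"
# prefix and the share path are invented; they are not the product's real ones.
SAMPLE_CONFIG = r"""
[SAP]
Host = sapprd01.example.internal
Client = 100
User = RSINVOICE
Password = Summer2014!

[Database]
Server = dbsrv01.example.internal
User = invoice_admin
Password = ENC:3f9a1c7b
GlobalConfig = \\fileserver\ReadSoft\global.ini
"""

CREDENTIAL_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|apikey|token)", re.I)
ENCRYPTED_MARKER = re.compile(r"^(ENC:|\{ENC\}|\$enc\$)", re.I)  # hypothetical marker
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")


def _parse(text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit_config(text: str) -> list:
    """Return (section, key, kind) for every stored credential.

    kind is "cleartext" or "reversibly encrypted"; both are findings, because a
    client that can decrypt the value on its own can be debugged to reveal it.
    """
    findings = []
    for section in _parse(text).sections():
        for key, value in _parse(text).items(section):  # keys are lower-cased by configparser
            if CREDENTIAL_KEY.search(key) and value.strip():
                kind = "reversibly encrypted" if ENCRYPTED_MARKER.match(value) else "cleartext"
                findings.append((section, key, kind))
    return findings


def shared_paths(text: str) -> list:
    """Return (section, key, path) for every value that is a UNC path on a file share."""
    return [
        (section, key, value)
        for section in _parse(text).sections()
        for key, value in _parse(text).items(section)
        if UNC_PATH.match(value)
    ]


def writable_by_current_user(path) -> bool:
    """True if the process's own user could modify the global configuration.

    The advisory notes that every user needs read/write on the share, so this
    check, run as an ordinary user, should return True on an affected deployment.
    """
    p = Path(path)
    return p.exists() and os.access(p, os.W_OK)


def demo():
    """Write the constructed config to a temp file and run all three checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "global.ini"
        cfg.write_text(SAMPLE_CONFIG)
        text = cfg.read_text()
        return audit_config(text), shared_paths(text), writable_by_current_user(cfg)


if __name__ == "__main__":
    creds, shares, writable = demo()
    for section, key, kind in creds:
        print(f"[{section}] {key}: {kind} credential")
    for section, key, path in shares:
        print(f"[{section}] {key} points to network share {path}")
    print("global config writable by current user:", writable)
```

Run against the real client configuration (as a non-administrative user, on a workstation where the suite is installed) this gives a quick inventory of what every user of the share can read and alter; the practical mitigations it points at are moving the backend credentials out of user-readable files, giving the database account only the rights the server-side logic needs, and restricting the share to read-only for ordinary users wherever the software tolerates it.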
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Invoice Servicepack 5.6 &
Process Director 7.2, which were the most recent versions at the time of
discovery.
Vendor contact timeline:
------------------------
2014-06-03: Requesting security contact via online contact form (no security
contact or other suitable email addresses found online)
2014-06-06: (no reply) Sending email to info@, info-de@ and CTO of Readsoft
Attaching responsible disclosure policy & encryption keys
2014-06-12: Asking again for a security contact
2014-06-12: Vendor provides PGP key
2014-06-13: Sending encrypted advisory
2014-06-13: Vendor: will come back with further info
2014-06-24: Asking for status update
2014-07-02: Asking again for the status update, reminder regarding planned
advisory release date
2014-07-09: Answer from vendor that draft response is created, will send
approved version as soon as it's ready
2014-08-05: SEC Consult releases security advisory
Solution:
---------
The vendor did not provide any patch information.
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF J. Greil / @2014