
Security Advisory: Knowage Access Control Bypass

Posted by David Chadwick - 28 July, 2019


Knowage Access Control Bypass


Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Knowage-suite

Vendor site: https://www.knowage-suite.com/site/home/

Product: Knowage

Affected version(s): 6.1.1

Remediated version: 6.4

Severity Rating: High

Impact: Exposure of sensitive information

Attack vector: Remote without authentication

CVE: CVE-2019-13188

Details: It is possible to perform administrator functions without being authenticated. The only requirement is that each request carries a “user_id” parameter containing a valid administrator username. Guessing a valid username is trivial, as the administrator account is usually called “biadmin”, “admin” or “administrator”.

The following link provides a proof of concept:

https://<HOST>/knowage/restful-services/2.0/users?user_id=admin

The following screenshot shows the result of the proof of concept: the response lists all current users of the application together with their password hashes.

[Screenshot (redacted): user list returned by the proof-of-concept request]

It is possible to use this vulnerability to perform any administrator function in the application, which includes adding another administrator user to the application and then logging on as that new user.

The following shows a screenshot of adding a new administrator user to the system:

[Screenshot: request adding a new administrator user]

The sbiExtUserRoleses attribute carries an id for each access group; in this instance, every access group is applied to the new user.

This vulnerability allows for an unauthenticated user to obtain application administrator access.
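As an added example (not part of the advisory or of the Knowage project), a small detector that flags the pattern described above in web-server access logs: any request to the REST API path that supplies identity through a user_id query parameter, plus the distinct usernames each source tried. The log lines, status codes and the /documents and index.html paths are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Tomcat "combined" access-log format (constructed sample layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Identity must come from the session, never from the query string; any API
# request carrying user_id is therefore worth an alert on an unpatched 6.1.1.
API_PREFIX = "/knowage/restful-services/"

def find_user_id_bypass(lines):
    """Return one finding per request that carries user_id on an API path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(API_PREFIX):
            continue  # user_id on a non-API page is not this bug
        user_ids = parse_qs(url.query).get("user_id")
        if not user_ids:
            continue
        findings.append({"ip": m["ip"], "method": m["method"], "path": url.path,
                         "user_id": user_ids[0], "status": int(m["status"])})
    return findings

def usernames_tried(findings):
    """Distinct user_id values per source IP: several from one host suggests guessing."""
    tried = {}
    for f in findings:
        tried.setdefault(f["ip"], set()).add(f["user_id"])
    return tried

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jul/2019:10:15:02 +0000] "GET /knowage/restful-services/2.0/users?user_id=administrator HTTP/1.1" 500 210 "-" "curl/7.64.0"',
    '203.0.113.5 - - [29/Jul/2019:10:15:09 +0000] "GET /knowage/restful-services/2.0/users?user_id=admin HTTP/1.1" 200 5120 "-" "curl/7.64.0"',
    '203.0.113.5 - - [29/Jul/2019:10:15:40 +0000] "POST /knowage/restful-services/2.0/users?user_id=admin HTTP/1.1" 201 310 "-" "curl/7.64.0"',
    '198.51.100.7 - - [29/Jul/2019:10:16:11 +0000] "GET /knowage/restful-services/2.0/documents HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jul/2019:10:16:30 +0000] "GET /knowage/index.html?user_id=admin HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_user_id_bypass(SAMPLE_LOG):
        print(f)
```

A POST to the users resource with user_id present is the write case the advisory describes (creating a further administrator) and deserves a higher-priority alert than a read.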

Recommendation: Update to the remediated version (6.4) or later.

Discovered by: David Chadwick from Content Security Pty. Ltd.
