During an engagement, Jack Moran from ZX Security discovered a Server-Side Request Forgery (SSRF) and a Path Traversal sequence within the Precisely Spectrum Spatial Analyst ecosystem.
What is Precisely Spectrum Spatial Analyst?
Precisely Spectrum Spatial Analyst is an interactive mapping and analysis application, part of the Precisely Spectrum Spatial suite. It is an off-the-shelf product that offers a range of features out of the box to create and modify ‘vector thematic maps and reports’. Precisely Spectrum Spatial Analyst offers an interactive mapping service and provides ‘access to mapping and geographic-based information, addresses and postcode searches’.
Server-Side Request Forgery
What is Server-Side Request Forgery?
Server-Side Request Forgery allows a threat actor to induce the back-end server of a vulnerable application to make requests on their behalf. These requests can be used to reach internal systems that are not directly accessible from the internet.
Where was the Server-Side Request Forgery?
The Server-Side Request Forgery issue was discovered in the /connect/analyst/controller/externalTileServiceProxy endpoint. This endpoint accepted an arbitrary URL in the REQUEST_URL= parameter. When the request is made, the server-side application is induced to fetch that unintended location and embed the associated response in its own reply. An example request can be seen below:
GET /connect/analyst/controller/externalTileServiceProxy?MAP_URL=[REDACTED]&REQUEST_URL=[REDACTED]&TYPE=XYZ&mapcfg=[REDACTED]&TILE_PROFILE=/Analyst/NamedExternalTilingConfigurations/Drone HTTP/1.1
Host: [REDACTED]
Connection: close
Path Traversal Sequence Leads To Authentication Bypass
What is Path Traversal?
Path Traversal vulnerabilities allow a threat actor to request and access files and directories within a vulnerable application that are usually protected or restricted by authentication.
Where was the Path Traversal Sequence?
The Path Traversal sequence vulnerability was discovered on multiple endpoints that accepted an arbitrary URL via the URL= parameter. Unlike a traditional Path Traversal, which requests a file or directory, this Path Traversal sequence allowed the inclusion of previously authenticated SOAP and REST API endpoints within the platform, so additional functionality could be used while bypassing the BASIC authentication that had prevented access to them. An example request can be seen below:
GET /connect/analyst/controller/connectProxy/rest/Spatial/ProjectService?url=../../../soap/&now=1655252233022 HTTP/1.1
Host: [REDACTED]
Connection: close
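The two input checks a defender would want on proxy endpoints like the ones above, as an added example that is not ZX Security's or Precisely's code: a host allowlist for the tile proxy's REQUEST_URL (the SSRF) and a path-confinement check for the connect proxy's url= value (the traversal sequence). The allowlisted host name and the REST base path are assumptions chosen for illustration.

```python
import posixpath
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# Constructed allowlist of tile servers the proxy may contact (assumption for this example).
ALLOWED_TILE_HOSTS = {"tiles.example.com"}


def check_tile_request_url(request_url: str) -> bool:
    """Return True only if REQUEST_URL points at an allowlisted external tile host.

    Mitigation for the externalTileServiceProxy SSRF: the proxy must never be steered
    at arbitrary hosts, least of all loopback, link-local or RFC 1918 addresses.
    """
    parts = urlsplit(request_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False          # rejects file://, gopher://, empty hosts, etc.
    host = parts.hostname.lower()   # hostname drops userinfo, so user@host tricks do not help
    try:
        addr = ip_address(host)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return False      # explicit deny even if an IP ever lands in the allowlist
    except ValueError:
        pass                  # not an IP literal; fall through to the name allowlist
    return host in ALLOWED_TILE_HOSTS


def check_proxy_path(base_path: str, user_url: str) -> bool:
    """Return True only if the url= value stays under base_path after decoding and normalisation.

    Mitigation for the connectProxy traversal: '../../../soap/' resolves to '/soap', outside
    the REST base, and must be rejected instead of being forwarded to the authenticated backend.
    """
    decoded = unquote(user_url)             # catch %2e%2e%2f style encodings before normalising
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:        # absolute or protocol-relative URL is never a sub-path
        return False
    path = parts.path.replace("\\", "/")    # treat backslashes as separators as well
    base = posixpath.normpath(base_path)
    # posixpath.join discards base when path is absolute, so a leading '/' also escapes;
    # the prefix comparison below catches that case too.
    resolved = posixpath.normpath(posixpath.join(base, path))
    return resolved == base or resolved.startswith(base + "/")
```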
Vulnerability Disclosure Timeline:
- 19/08/2022 - ZX Security was sent confirmation that the vulnerabilities are being addressed by the vendor in the next release.
- 08/10/2022 - Version 2022.1.0 S06 Released.
- 18/10/2022 - CVE-2022-42182 and CVE-2022-42183 Reserved.
- 16/11/2022 - Blog published :).