Spectrum Spatial Analyst 20.1 – Multiple issues

Jack Moran discovered a Server-Side Request Forgery vulnerability and a Path Traversal sequence that leads to an authentication bypass in Precisely Spectrum Spatial Analyst version 2020.1.0 S44. Spectrum Spatial Analyst is an interactive mapping and analytic application and is part of the Precisely suite.

Published on 16th November 2022

Introduction

During an engagement, Jack Moran from ZX Security discovered a Server-Side Request Forgery (SSRF) and a Path Traversal sequence within the Precisely Spectrum Spatial Analyst ecosystem.

What is Precisely Spectrum Spatial Analyst?

Precisely Spectrum Spatial Analyst is an interactive mapping and analysis application, part of the Precisely Spectrum Spatial suite. It is an off the shelf product that offers a range of features out of the box to create and modify ‘vector thematic maps and reports’^[1]. Precisely Spectrum Spatial Analyst offers an interactive mapping service and provides ‘access to mapping and geographic-based information, addresses and postcode searches’^[1].

Server-Side Request Forgery

What is Server-Side Request Forgery?
Server-Side Request Forgery allows a threat actor to induce the back-end server of a vulnerable application to make requests. These requests can be used to target internal systems that are not initially accessible from the internet.

Where was the Server-Side Request Forgery?
The Server-Side Request Forgery issue was discovered in the /connect/analyst/controller/externalTileServiceProxy endpoint. This endpoint accepted an arbitrary URL as part of the REQUEST_URL= parameter. When the request is made, the server-side application is induced to make a request to an unintended location and embed the associated response. An example request can be seen below:

GET /connect/analyst/controller/externalTileServiceProxy?MAP_URL=[REDACTED]&REQUEST_URL=[REDACTED]&TYPE=XYZ&mapcfg=[REDACTED]&TILE_PROFILE=/Analyst/NamedExternalTilingConfigurations/Drone HTTP/1.1
Host: [REDACTED]
Connection: close

CVE-2022-42183

Path Traversal Sequence Leads To Authentication Bypass

What is Path Traversal?
Path Traversal vulnerabilities allows a threat actor to request and access files and directories within a vulnerable application, which are usually protected or restricted by authentication methods.

Where was the Path Traversal Sequence?
The Path Traversal sequence vulnerability was discovered on multiple endpoints that accepted an arbitrary URL via the URL= parameter. Unlike traditional Path Traversals which requests a file or directory, this Path Traversal sequence allowed the inclusion of previously authenticated SOAP and REST API endpoints within the platform. Allowing additional functionality to be used bypassing the BASIC authentication that was previously preventing access to them. An example request can be seen below:

GET /connect/analyst/controller/connectProxy/rest/Spatial/ProjectService?url=../../../soap/&now=1655252233022 HTTP/1.1
Host: [REDACTED]
Connection: close

CVE-2022-42182

Vulnerability Disclosure Timeline:

19/08/2022 - ZX Security was sent confirmation that the vulnerabilities are being addressed by the vendor in the next release.
08/10/2022 - Version 2022.1.0 S06 Released.
18/10/2022 - CVE-2022-42182 and CVE-2022-42183 Reserved.
16/11/2022 - Blog published :).

References

Sidebar

Insights

View all insights

Green Team Tree Planting at Ōwhiro Bay

26th June 2023

ZX Green Team gets muddy planting native trees.

View insight: Green Team Tree Planting at Ōwhiro Bay

Events

View all events

BSides San Francisco

4 May to 5 May 2024

CityView at SF Metreon

BSidesSF is an Information / Security conference that's different. Presenters at BSides SF conferences are engaging the participants and getting the discussions started on the "Next Big Thing", not preaching at you from the podium about last month's news.

View event: BSides San Francisco