[CVE-2020-29041] Source code vulnerability disclosure discovered in the Web-Sesame application of TIL TECHNOLOGIES
Introduction
A few months ago, BSSI performed an internal penetration test against its client’s perimeter. This perimeter included a web application linked to a device called MICRO-SESAME, whose vendor is TIL TECHNOLOGIES (a French company).
This device allows centralized monitoring of all building data and electronic functions. More precisely, it combines software and hardware (with various specific modules) connected to access control readers, intrusion detectors, barriers, etc.
During this audit, BSSI auditors were faced with an old version (v2015.3.x), but they nevertheless discovered a DOM-XSS[1] vulnerability on the authentication form (thus pre-authentication). Unfortunately, this vendor does not publish security release notes, so the auditors contacted the support team to ask whether it could provide an updated version of the software. The support team was very responsive and supplied us with a fully updated demo instance (iso-production).
Shortly afterwards, it appeared that the DOM-XSS was no longer present: between 2015 and 2020, the vendor had migrated to more recent technologies (React and NodeJS).
This article describes a vulnerability discovered by the BSSI auditing team in this latest stable version (2020.1.1.3375).
The Web-Sesame web application authentication form looks like this:

When analyzing the HTTP stream, it appeared that the application uses React and NodeJS:

However, the web application has been packaged with a bundler (Webpack) that compresses the files and organizes them into generated bundles. The development team left JavaScript source maps enabled in its production Webpack configuration. This makes it far easier for an attacker to understand the application (with little code review effort).
Moreover, a source map contains the sources used to generate the bundle (including, for example, configuration settings or API keys). It can also contain developers’ comments and docstrings.
With the .map file (shown above), an attacker can automatically download all source files from the server, thanks to the paths disclosed within it.
The screenshot below illustrates the fact that an attacker can get the application source code and see developers’ comments:

To further illustrate the impact, here are the different endpoints reachable from the web application once authenticated (note: an attacker does not need to be authenticated to download the source code):

Conclusion
Upon discovery, the BSSI auditing team reported the vulnerability to the TIL TECHNOLOGIES support team (responsible for the product). A security patch has been released: version 2020.1.5.5462 fixes the identified vulnerability.
This vulnerability is now identified as CVE-2020-29041.
Timeline
09/23/2020 – Discovery of the initial vulnerability (DOM-XSS)
10/06/2020 – Contact with TIL TECHNOLOGIES’ Support team established
10/13/2020 – Follow-up with the Support team to obtain feedback
10/20/2020 – Contact with TIL TECHNOLOGIES’ CTO established
11/04/2020 – Call with the CTO
11/17/2020 – Provision of the demo instance (iso-production)
11/19/2020 – DOM-XSS confirmed absent; discovery of the above-described vulnerability
11/20/2020 – Report and remediation sent
11/23/2020 – Vulnerability patched (version 2020.1.5.5462)
01/06/2021 – Vulnerability disclosure (90 days after notification to TIL TECHNOLOGIES)