6 January 2021

[CVE-2020-29041] Source code vulnerability disclosure discovered in the Web-Sesame application of TIL TECHNOLOGIES

Introduction

A few months ago, BSSI performed an internal penetration test against its client’s perimeter. This perimeter included a web application linked to a system device called MICRO-SESAME, whose vendor is TIL TECHNOLOGIES (a French company).

This device allows centralized monitoring of all building data and electronic functions. More precisely, it consists of software and hardware (with various specific modules) connected to access control readers, intrusion detectors, barriers, etc.

During this audit, BSSI auditors were faced with an old version (v2015.3.x), but they nevertheless discovered a DOM-XSS[1] vulnerability on the authentication form (thus pre-authentication). Unfortunately, this vendor does not publish security release notes, so the auditors contacted the support team to see if it could provide them with an updated version of this software. The support team was very responsive and supplied us with a fully updated demo instance (iso-production).

Shortly afterwards, it turned out that the DOM-XSS was no longer present: between 2015 and 2020, the vendor had migrated to more recent technologies (React & NodeJS).

This article describes a vulnerability discovered by the BSSI auditing team on this latest stable version (2020.1.1.3375).

The Web-Sesame web application authentication form looks like this:

Web-Sesame authentication form

When analyzing the HTTP stream, it appeared that the application uses React and NodeJS:

Sourcemap file disclosing the underlying components used (React/NodeJS)

The web application is packaged with webpack, a tool that compresses and organizes all of its files (webpack-generated bundles and sources). However, the development team left JavaScript source maps enabled in its production Webpack configuration. This makes it much easier for an attacker to understand the application, with very little code review needed.

Moreover, a source map contains the sources used to generate the bundle (including, for example, configuration settings or API keys). It can also contain developers’ comments and docstrings.

Using the .map file (shown above), an attacker is able to automatically download all the source files from the server, thanks to the paths disclosed within it.

The screenshot below illustrates that an attacker can obtain the application source code and read developers’ comments:

Config.ts content file disclosure

To further illustrate the vulnerability, here are the different endpoints reachable from the web application once authenticated (note: an attacker does not need to be authenticated to download the source code):

Routes file disclosure (containing the different endpoints)

Conclusion

Upon discovery, the BSSI auditing team reported the vulnerability to the TIL TECHNOLOGIES support team (responsible for the product). A security patch has been released: version 2020.1.5.5462 fixes the identified vulnerability.

This vulnerability is now identified as CVE-2020-29041.

Timeline

09/23/2020 – Discovery of the initial vulnerability (DOM-XSS)
10/06/2020 – Contact with TIL TECHNOLOGIES’ Support team established
10/13/2020 – Follow-up with the Support team to obtain feedback
10/20/2020 – Contact with TIL TECHNOLOGIES’ CTO established
11/04/2020 – Call with the CTO
11/17/2020 – Provision of the demo instance (iso-production)
11/19/2020 – DOM-XSS confirmed absent; discovery of the vulnerability described above
11/20/2020 – Report and remediation sent
11/23/2020 – Vulnerability patched (version 2020.1.5.5462)
01/06/2021 – Vulnerability disclosure (90 days after notification to TIL TECHNOLOGIES)

[1] DOM-XSS: DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users’ accounts (source: https://portswigger.net/web-security/cross-site-scripting/dom-based).
