Pre- and post-auth path to pwnage

Yellowfin tackles auth bypass bug trio that opened door to RCE

A trio of authentication bypass bugs stemming from the use of hardcoded keys have been patched in popular enterprise analytics platform Yellowfin BI.

After uncovering the pre-authentication vulnerabilities, security researchers from Assetnote then found a post-authentication path to command execution.

The flaws, which were discovered by Assetnote’s Max Garrett, have been assigned CVE numbers but not, as yet, CVSS scores.

Bypasses

The issues were discovered via instances of authentication logic as indicated by session.setAttribute("SessionData",BEAN).

One authentication bypass (CVE-2022-47884) arose because com/hof/mi/web/action/StoryBodyAction.java contained “logic where StoryBoardAction allowed us to sign in as any user, as long as a signature check was passed”, according to a blog post published by Garrett and Assetnote CTO and co-founder Shubham Shah yesterday (January 24). The hardcoded private RSA key meant anyone could pass the signature check.

A second bypass, found in the JsAPI servlet, meant attackers could authenticate through the EXTAPI-IPID cookie, which was AES-encrypted using the hardcoded key’s user id (CVE-2022-47885).

“So it is possible for anyone who knows the victim’s user id to create a valid session as their account,” explained the blog post.


Read more of the latest enterprise security news


The third and final bypass (CVE-2022-47882) centered on Yellowfin’s suboptimal implementation of JWTs inside the REST API.

A valid refresh token id and extracted hardcoded key enabled the creation of a valid JWT as any user, although the impact was limited to privilege escalation given the need for a valid refresh token ID generated from a successful /api/refresh-tokens login.

Having performed an authentication bypass, a fourth bug – CVE-2022-47883 – then enabled attackers to perform remote code execution (RCE).

Noting Yellowfin BI’s connection to arbitrary data sources to pull data into the application, the researchers investigated whether JNDI or JDBC injections might enable command execution – and the JNDI mechanism, by using the forceString gadget, duly proved fruitful.

Assetnote has published the full proof-of-concept exploit chain on GitHub.

The vulnerabilities have been patched in Yellowfin BI 9.8.1.

Monolith application advice

“In our assessment of enterprise applications, we often find hardcoded keys that lead to significant security impact (for example, our bug in VMWare AirWatch),” Shah told The Daily Swig. “Many enterprise products can be difficult to obtain due to qualification and sales processes. However once the source code has been obtained, there are often many critical vulnerabilities that can be exploited readily and easily.”

Yellowfin is a Java monolith application, and Shah and Garrett offered methodological advice to other security researchers hunting in similar codebases: “Map out the pre-authentication attack surface in as much detail as possible,” they said.

“Understand all of the routes, both static and dynamic, and then determine which portion of these routes are actually accessible without any authentication.”

After mapping pre-authentication routes, “determine how user input is processed by these routes and understand which routes take in what user input”, they continued. This will uncover issues warranting further investigation “simply based off the names of the controllers or parameters”.


YOU MIGHT ALSO LIKE AWS patches bypass bug in CloudTrail API monitoring tool