CVE-2018-6847, 6848: CONARC ICHANNEL PORTAL 2017 AND BELOW INFORMATION DISCLOSURE, SESSION STEALING, SESSION HIJACKING ATTACKS

A vulnerability is a mistake, exposure, misconfiguration or weakness in software code or systems that can allow an attacker to compromise, access, damage or otherwise perform unintended actions on an affected system or network.

DFDR continually researches systems and software to expose vulnerabilities and encourages organizations to improve their security through disclosure and coordination. Research findings and exposures are disclosed publicly for the purposes of public awareness and remediation. Vendors and clients are typically made aware of these issues when discovered, coordinating on public disclosure when appropriate.

Many of these are discovered during the course of an engagement with our clients. DFDR’s security team regularly performs penetration tests, web application assessments and security review for a wide range of industries, clientele and organizations. Results of these assessments are vetted and findings are confidential.

Public disclosure typically takes place when a third-party component is publicly distributed, affects a large number of organizations and the discovery or exploit has been communicated to the affected organization. Direct engagement results and findings are not released unless the affected organization requests it.

# Exploit Title: Conarc iChannel Portal 2017 and below Information Disclosure, Session Stealing, Session Hijacking attacks
# Date: 1/31/18
# Exploit Author: Ken Pyle, DFDR Consulting
# consult@dfdrconsulting.com
# Vendor Homepage: https://www.conarc.com
# CVE : CVE-2018-6847

Conarc iChannel Portal 2017 and below
allows remote attackers to obtain sensitive information by guessing filenames under
/elmah,
/temp, or
/output, as demonstrated by reading authentication tokens in an XML document under /elmah.

——————————————

[Additional Information]
An issue was discovered in Conarc iChannel Portal 2017 and below.
Unauthenticated access / Information Disclosure / Session Hijacking / File Access:

/elmah
/temp
/output

iChannel does not properly secure these folders. This allows an
unauthenticated attacker to obtain, through brute force and known file
name attacks, all content stored in these folders.

The /output and /temp folders of iChannel’s portal allows
unauthenticated access to all files contained within it. This is a
repository of processed files uploaded to the application. Using brute
force or known file name attacks, it is possible to retrieve any
content in this folder.

/elmah

iChannel implements the ELMAH error reporting function. The /elmah
folder contains detailed error messages for iChannel. These files are
stored in XML format and are also retrievable via known file name or
brute force attacks. As these files follow a standardized naming
schema, brute forcing of these is relatively simple. These XML files
contained detailed, sensitive information about error messages,
configurations, user information, queries and AUTHENTICATION TOKENS
via Client Queries contained in the logs. An attacker can extract
tokens from this log file and inject them via cookie tampering or
parameter injection using an intercepting proxy. They may also
retrieve passwords, access detailed error message for attack/parameter
refinement and view other sensitive information.

This is a critical authentication bypass exploitation. For session
tokens, if they expire, it provides a window of time to access. For
clients using AUTOLOGIN cookies, it allows for full bypass of access
to the portal without a password.

Suggested Remediation:

Apply ACLs to these directories immediately and restrict access to these files at the OS level. Remove all content from these folders.

/DataService/iChannelRestDataService.svc in
Conarc iChannel Portal 2017 and below
uses session tokens in URL requests. An attacker can
intercept the requests to this page via various methods and perform a
session hijacking attack. An attacker can craft URLs to bypass
authentication or perform unintended actions via various vectors.