Unauthorized access to PraxisMMT simulator (Business Talents 2014) results

Twitter: @teh_h3ck

Email: teh3ck@gmail.com

I participated in the Business Talents 2014 competition. Business Talents is a four-month-long simulation run on the Praxis MMT simulator. The goal is to manage a company and perform all of the associated analysis, planning and control activities in a realistic and competitive emulated environment, applying theoretical knowledge and developing the skills necessary to run and administer a business.

Timeline:

07/06/2014 | Initial Report
15/06/2014 | First Fix by BusinessTalents, PraxisMMT team
28/06/2014 | Full Report sent to PraxisMMT with fix bypass
28/06/2014 | BusinessTalents, PraxisMMT reply
29/12/2014 | Public Disclosure

Full exploit:

http://vagmour.eu/exploit/praxismmt_exploit.txt

Impact

There are several information disclosure vulnerabilities that let a malicious user determine the type and versions of the software running on the server.

The main vulnerability is how the PDF document files are stored on the server. They are stored under predictable paths, so a malicious user could view all the decisions, results and research reports of an ongoing competition, for all years and all competitors, without even making many requests to the web server!

It is also possible to find all other competitions that have finished and browse all their PDF files.

I would like to thank the PraxisMMT company for the PraxisMMT | BusinessTalents Security Award I received for disclosing the vulnerabilities to them.

Details

Unauthorized Access to PDF files

I reported the following vulnerability on the day of the Gr Business Talents finals (7th of June, 2014). As mentioned, the PDF results are stored on the server in an insecure way.

Information about the MD5 algorithm used in the URL scheme can be found at http://en.wikipedia.org/wiki/MD5.

-Here is a URL example of a PDF stored on the server:

https://ybt15.praxismmt.com/results/meta2x//A67FEED265569D77DAB39D56003A027E/279F4FE9DB63A9F4B87E18073956D7CF/4BDC2E193F2EAF77E9B7DAE0BF9D3D5B/64D194C120F922D317DD9CB46FF42B2E/1/DIR0081SI00221TE1Y1DEP.PDF  

-URL analysis: https://[server address]/results/meta2x//[1]/[2]/[3]/[4]/[5]/[6]

[1] : MD5([XX]participante), [XX] is a number from 01 to 99
[2] : MD5(00[XX])
[3] : MD5(000[YY]), [YY] = simulation number
[4] : MD5(00[XX]000[YY][Z]), [XX]: number of [1], [YY]: simulation number, [Z]: team number
[5] : [L], plaintext number of the year (1, 2 or 3)
[6] : DIR00[XX]SI000[YY]TE[Z]Y[L][AAA].PDF, [AAA] = (DEP for decisions, REP for results, INV for researches)

The fix by the software team didn't patch the whole vulnerability, so I was able to exploit it again:

-URL example (after 1st fix):

https://ybt15.praxismmt.com/results/meta2x//5AA4196BA121E584B67BBD9DDE861F4B/F5102568D9EBD64F1FB698D6BA575E7A/775183910BEA8A04E63625B64DBCC340/29B513AE08332FDCD0D502F184EEEDEE3/1/DIR0086SI00015TE3Y1DEP.PDF  

-URL analysis (after 1st fix):

https://[server_address]/results/meta2x//[1]/[2]/[3]/[4]/[5]/[6]  
[1] : MD5([XX]participante)
[2] : MD5(00[XX])
[3] : random_md5()
[4] : MD5(00[XX]000[YY][Z])[Z]
[5] : [L]
[6] : DIR00[XX]SI000[YY]TE[Z]Y[L][AAA].PDF

So the changes are: the random_md5() in [3], and the addition of [Z] at the end of [4] (outside the MD5() function).

That change protects against unauthorized viewing of results from other simulations, but viewing the other teams of the same simulation is still possible. The only number that has to change for that is [Z].
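As an added illustration (not PraxisMMT's code and not the exploit linked above), the following Python contrasts a path component derived from predictable competition fields, as in the scheme described above, with an opaque random document id that the server checks against the requesting team's ownership. The field ranges used for the candidate count are assumptions based on the URL analysis; the class and function names are mine.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Field ranges are assumptions taken from the URL analysis above:
# [XX] participant 01..99, [YY] simulation (assumed up to 99), [Z] team
# (assumed up to 9), [L] year 1..3, [AAA] one of DEP/REP/INV.
def candidate_count(participants=99, simulations=99, teams=9, years=3, doc_types=3):
    """Number of distinct PDFs addressable when every path component is a
    function of these fields. MD5 maps each combination to exactly one path,
    so the search space an outsider faces is this product, not 2**128."""
    return participants * simulations * teams * years * doc_types

def predictable_component(xx: int, yy: int, z: int) -> str:
    """Component [4] of the scheme: MD5 over a string built only from public
    competition metadata. Hashing hides the format, not the value."""
    return hashlib.md5(f"00{xx:02d}000{yy:02d}{z}".encode()).hexdigest().upper()

class DocumentStore:
    """Hardened alternative (added example, not the simulator's code): every
    PDF gets a random id that cannot be derived from metadata, and the server
    checks ownership on each download instead of relying on URL secrecy."""

    def __init__(self) -> None:
        self._docs: Dict[str, Tuple[str, bytes]] = {}  # doc_id -> (owner, pdf)

    def publish(self, owner_team: str, pdf: bytes) -> str:
        doc_id = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._docs[doc_id] = (owner_team, pdf)
        return doc_id

    def download(self, requesting_team: str, doc_id: str) -> Optional[bytes]:
        entry = self._docs.get(doc_id)
        # Unknown ids and ids owned by another team get the same answer, so a
        # client cannot learn whether a guessed id exists.
        if entry is None or entry[0] != requesting_team:
            return None
        return entry[1]

if __name__ == "__main__":
    print("paths an outsider must try at most:", candidate_count())
    store = DocumentStore()
    doc = store.publish("team-1", b"%PDF-1.4 constructed sample")
    print(store.download("team-1", doc) is not None, store.download("team-2", doc))
```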

Competition Bruteforcing:

It is also possible to find all the competitions stored on the server. Some examples are:

(At the time of the post, the links are unavailable because the vulnerability is fixed.)

71   https://ybt15.praxismmt.com/results/meta2x//A7C83C749CA84BAADC1C1FD55F59066A/43692F46E3168B32434DD507EBC85DBE/4C68CEA7E58591B579FD074BCDAFF740/97630FD6EE79398EA2560297B6EBB7AC/1/DIR0071SI00001TE1Y1DEP.PDF

72   https://ybt15.praxismmt.com/results/meta2x//16B43C29A40DDA83B742E98D4EC77BBF/C76B3D3AB1522B66814253D642932E9E/4C68CEA7E58591B579FD074BCDAFF740/0EE124179C7AC47449F5483DEC765761/1/DIR0072SI00001TE1Y1DEP.PDF
`... snipped ...`

Directory Traversal Vulnerability

There is also directory traversal at https://ybt15.praxismmt.com/meta2x/theme/ which reveals a lot about the system structure and how the simulator internals are organised.

Result:

[Screenshot: results]

So, if a user opens the link "https://ybt15.praxismmt.com/meta2x/theme/catalina.jar", they will be able to browse the source code of these files.

As an example, the versions of several system packages are visible:

[Screenshot: version_manifest]

And an example of the catalina.jar source code:

[Screenshot: catalina_source]