Vulnerability Disclosure - Improper FileSystem Permission: Misconfigured ACLs @ Zoho R.A.P.

Kartik Lalan, published in NestedIf, Sep 23, 2021
Weak Access Control

Status: Possibly Fixed (As on 08-Sep-2021)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8 (High Severity)

CVE-2021-42954

Fixed version: 10.1.2121.1 (Change log)

Impacted Component: Remote Access Plus (RAP) Server and Agent (both Desktop App)

Vulnerability Description: The application assigns weak file-permission ACLs (access control lists) in various locations.

Full control: In a few locations, the Authenticated Users group (which includes non-admin users) is granted full control. These locations may contain database files, config, executable batch files, logs, etc. This leads to loss of confidentiality, integrity and availability and can enable privilege escalation, log tampering, etc.

Read: Multiple files and folders containing the server private key, logs, agent communication keys, config files, backups, etc. are readable by all users (including non-admin). Conventionally, even guest users would have read access to some of these items (per the Windows Guest user role, if enabled), causing loss of data confidentiality.

Execute: Multiple batch files that perform reset-password/delete/update/migrate operations have execute permission for the non-admin user group, which may cause loss of availability/integrity if those operations do not require higher privilege.

POC attached for a few such instances.

Impact rationale: Among the hard-coded values, a DB connection-string password was found, and the logs contained DB credentials. The DB holds all sensitive information: server config, deployed agent config, all other system info, their vulnerability/patch status, user accounts, keys and many other details. The private key used for server authentication was also present.

The reset-password executable can be invoked by a non-admin user, and the web-login password can easily be reset.

Executables can be replaced with fake ones by non-admin users to achieve privilege escalation, backdoors, etc.

Exploitability rationale:

The attacker needs access to the system where the application is installed, with any user role, admin or non-admin.

Supportive Evidence:

  1. Backup files with Read for All Users
  2. Logs containing the DB password with Read for the Authenticated Users group (non-admin included)
  3. Full Control for any Authenticated User (non-admin included) within the Pgsql folder
  4. Executables with Write permission for any Authenticated User (non-admin included)
  5. Read for All Users: private key of the server
  6. Read for All Users: config files with sensitive info

Recommendation:

  1. Grant read/write/execute only to admin or pre-defined service users.
  2. Run a batch job that checks the ACLs of files generated at runtime, to prevent misconfigured file permissions from reappearing.
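As an added defensive example (not code from this advisory or from Zoho), the following PowerShell script implements recommendation 2: it flags ACEs under the install directory where Everyone, Users or Authenticated Users hold write-level rights on anything, or read rights on files whose names suggest keys, logs, config, backups or database files. The install path and the sensitive-name patterns are assumptions.

```powershell
# Added example, not part of the original advisory or of the vendor's product.
# Scans a directory tree for ACEs that give broad low-privilege principals
# write-level access anywhere, or read access on files that look sensitive.
# $Root is a placeholder; point it at the actual RAP install directory.
param([string]$Root = 'C:\PLACEHOLDER\RemoteAccessPlus')

# Principals that should hold none of the rights below on server files.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Bit masks as unsigned 32-bit values held in int64, so generic rights
# (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000, GENERIC_READ 0x80000000),
# which Get-Acl reports as raw bits, are caught as well as the named rights.
$WriteMask = ([int64][int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership')) -bor 0x50000000
$ReadMask  = ([int64][int][System.Security.AccessControl.FileSystemRights]::ReadData) -bor 0x80000000

# Name patterns treated as sensitive; an assumption based on the advisory's
# list (private keys, logs, config files, backups, database files).
$SensitivePatterns = @('*.key', '*.pem', '*.log', '*.conf', '*.properties', '*.xml', '*bak*', '*backup*', '*.db')

function Test-IsSensitive([string]$Name) {
    foreach ($p in $SensitivePatterns) { if ($Name -like $p) { return $true } }
    return $false
}

$findings = foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $sensitive = Test-IsSensitive $item.Name
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights   = ([int64][int]$ace.FileSystemRights) -band 0xFFFFFFFF
        $canWrite = ($rights -band $WriteMask) -ne 0
        $canRead  = ($rights -band $ReadMask) -ne 0
        if (-not ($canWrite -or ($sensitive -and $canRead))) { continue }
        $issue = if ($canWrite) { 'broad write' } else { 'broad read on sensitive file' }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Issue     = $issue
            Inherited = $ace.IsInherited   # inherited ACEs point at a misconfigured parent folder
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or monitoring job alert on any finding.
if ($findings) { exit 1 }
```

Run it elevated so every ACL is readable, and register it with Register-ScheduledTask to make it the periodic batch job the recommendation calls for.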
