During an authorised penetration testing assessment conducted on Xpand IT’s Write-Back software, Balwurk’s security team found multiple security vulnerabilities, first disclosed to the customer and then responsibly submitted to the MITRE CVE program.

The discovered vulnerability allows an attacker to change the directory to which an uploaded file is saved on the filesystem.

This blog post will be the second of a four-part series in which we will technically describe 5 security vulnerabilities and how they were detected and exploited.

What is Write-Back?

Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.

Write-Back allows users to take their Tableau usage further and implement use cases where users need to input data, such as forecasting, planning, adding comments, or any actionable process. It includes features like on-premises execution, audit, multiple back-end databases, and integrated authentication.

Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:

Write-Back (Server): Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards that can be on different Tableau platforms, i.e., Tableau Desktop, Tableau Server, or even Tableau Cloud.

Write-Back Manager: Centralizes all configurations and enables platform administrators to take full control of how Write-Back is configured. All of this is done on a web UI. Each Write-Back installation has its own Write-Back manager deployed on the same machine, allowing it to manage that instance.

Technical description

CVE-2023-27170 is a path or directory traversal security vulnerability that allows an authenticated user to upload a file to any location on the file system using any of the multiple file upload features on the Write-Back Manager.

This vulnerability was initially detected by changing the uploaded filename through a man-in-the-middle attack.

In the particular case of the customised logo upload feature, the name under which the logo file would be written to disk equalled the value passed in the siteName parameter, which by default was always 00000000-0000-0000-0000-000000000000. By manipulating the value of this parameter and adding special characters such as dots ‘.’ and slashes ‘/’, an attacker can change the path to which the file will be written:


Figure 1 – Logo file upload.

In this example, the logo was placed in one folder hierarchically above the logos folder:


Figure 2 – Logo file uploaded to a different folder.

The root cause of this vulnerability can be found in the uploadLogoFile function of the ThemesManager class, which handles the upload of a custom logo file:


Figure 3 – Cause of the vulnerability.

The siteName parameter is simply concatenated with the file extension and appended to the writePath, so manipulating its value changes the path of the folder to which the file is uploaded.
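The concatenation pattern described above, shown next to a hardened form, as an added Python example. It is not Write-Back's code and not the content of Figure 3; the function names, the UUID check on siteName and the extension allow-list are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: a legitimate siteName is a UUID, like the default shown in the post.
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
ALLOWED_EXT = {".png", ".jpg", ".svg"}  # hypothetical allow-list


def unsafe_logo_path(write_path, site_name, ext):
    """Pattern from the post: siteName + extension joined onto writePath as-is."""
    return os.path.normpath(os.path.join(write_path, site_name + ext))


def safe_logo_path(write_path, site_name, ext):
    """Accept only a UUID, then confirm the resolved path stays in write_path."""
    if not UUID_RE.fullmatch(site_name):
        raise ValueError("siteName is not a UUID")
    if ext.lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    base = os.path.realpath(write_path)
    target = os.path.realpath(os.path.join(base, site_name + ext.lower()))
    # Defence in depth: the resolved target must still sit under the logos folder.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the logos folder")
    return target


def demo():
    """Run both builders on constructed input: (unsafe_escaped, rejected, ok_path)."""
    root = tempfile.mkdtemp()
    logos = os.path.join(root, "logos")
    os.makedirs(logos)
    default = "00000000-0000-0000-0000-000000000000"
    hostile = "../" + default  # constructed sample: dots and a slash in siteName
    unsafe = unsafe_logo_path(logos, hostile, ".png")
    unsafe_escaped = os.path.dirname(unsafe) == os.path.normpath(root)
    try:
        safe_logo_path(logos, hostile, ".png")
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_escaped, rejected, safe_logo_path(logos, default, ".png")


if __name__ == "__main__":
    print(demo())
```

The allow-list check on siteName is the primary control; the containment check after path resolution also catches symlinked directories that a pattern match alone would miss.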

Impact

This vulnerability could potentially be exploited in multiple ways. A malicious user could overwrite critical files, upload massive files, cause a file space denial of service, or upload dangerous files into the web tree to achieve code execution.

CVE ID: CVE-2023-27170
CVSS 3.1 Base Score: 5.5
CVSS Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Affected Vendor: Xpand IT
Affected Product: Write-Back
Affected Version: Write-Back Manager v2.3.1

Mitigation

Update Write-Back to at least version 4.1.

Timeline

12-12-2022 – Vulnerability detected and reported to Write-Back.

22-02-2023 – Vulnerability submitted to MITRE.

10-03-2023 – Vulnerability accepted and CVE-2023-27170 reserved.

12-07-2023 – Official Patch released by Write-Back team.

20-10-2023 – Public disclosure of CVE-2023-27170.

Credits

Bruno Pincho | Penetration Tester at Balwurk 
