During an authorised penetration testing assessment of Xpand IT Write-Back software, Balwurk’s security team found a vulnerability that allows an attacker to craft their own Write-Back commercial licenses, unlocking the software’s full features without paying for them.
What is Write-Back?
Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.
Write-Back allows users to take Tableau usage further and implement use cases where users need to input data, such as forecasting, planning, adding comments, or any actionable process. It includes features such as on-premise execution, auditing, multiple back-end databases, and integrated authentication.
Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:
Write-Back (Server): Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards on different Tableau platforms, i.e., Tableau Desktop, Tableau Server, or even Tableau Cloud.
Write-Back Manager: Centralizes all configurations and enables platform administrators to fully control how Write-Back is configured. All of this is done on a web UI. Each Write-Back installation has its own Write-Back manager deployed on the same machine, allowing one to manage that instance.
Unfortunately, due to this vulnerability’s sensitive nature, we cannot provide a full exploitation description.
As described in an earlier blog post on CVE-2023-27169, the secret used by the Write-Back Manager to encrypt licenses is static, and the scheme relies on a symmetric encryption algorithm. An attacker could therefore reverse the whole process and change the expiration date, company name and the other attributes that compose the license object.
Figure 1 – License decryption process.
The license validator only checks whether the expiration date and the user limit have been exceeded. The remaining attributes, although required for product activation, are not actually validated. This way, an attacker can effectively forge and activate a commercial license that the vendor never issued.
Figure 2 – Creation of a forged license.
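To illustrate why a static symmetric secret cannot serve as proof that the vendor issued a license, here is an added example in Go (not Write-Back’s code; the license fields and names are assumptions): the vendor signs the whole license object with an Ed25519 private key that never leaves the vendor, and the product verifies that signature before it looks at expiry or user limit, so a license with any altered attribute is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// License is a constructed example object; field names are assumptions, not the real Write-Back format.
type License struct {
	Company   string    `json:"company"`
	MaxUsers  int       `json:"max_users"`
	ExpiresAt time.Time `json:"expires_at"`
}

// IssueLicense runs only at the vendor: the private key never ships with
// the product, so no static secret in the installer can reproduce it.
func IssueLicense(priv ed25519.PrivateKey, lic License) (payload, sig []byte) {
	payload, _ = json.Marshal(lic) // fixed struct, cannot fail
	return payload, ed25519.Sign(priv, payload)
}

// ValidateLicense is the product-side check. Before testing expiry or user limit
// it proves the whole object was signed by the vendor, so every attribute is covered.
func ValidateLicense(pub ed25519.PublicKey, payload, sig []byte, activeUsers int, now time.Time) error {
	if !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("signature invalid: license not issued by vendor")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return err
	}
	if now.After(lic.ExpiresAt) {
		return fmt.Errorf("license expired on %s", lic.ExpiresAt.Format(time.RFC3339))
	}
	if activeUsers > lic.MaxUsers {
		return fmt.Errorf("user limit %d exceeded", lic.MaxUsers)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, sig := IssueLicense(priv, License{Company: "Example Co", MaxUsers: 10, ExpiresAt: time.Now().Add(24 * time.Hour)})
	fmt.Println("genuine:", ValidateLicense(pub, payload, sig, 5, time.Now())) // <nil>
	payload[len(payload)-3] ^= 1 // alter one byte of the expiry without the vendor key
	fmt.Println("edited:", ValidateLicense(pub, payload, sig, 5, time.Now())) // signature invalid
}
```

Unlike a validator that trusts whatever decrypts correctly under a shared key, this check fails the moment the company name, expiry or user limit differ from what the vendor signed.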
This vulnerability does not represent a security risk to Write-Back customers. Crafting a fake license would only result in financial loss for the vendor.
Bruno Pincho | Penetration Tester at Balwurk