usd-2018-0017 | Lexware Professional 2017/17.02
Advisory ID: usd-2018-0017
CVE Number: N/A
Affected Product: Lexware Professional 2017
Affected Version: 17.02
Vulnerability Type: Broken Authentication
Security Risk: Critical
Vendor URL: https://shop.lexware.de/reisekosten-abrechnung
Vendor Status: Fixed
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
The vulnerability that merits mention is the hardcoded encryption/decryption key used in the Lexware client. At a glance, the process works as follows: the client encrypts the user-supplied password and delivers it to the database; decryption works the other way round, in that the encrypted password is fetched from the database and decrypted by the Lexware client. Even though this might appear to be a sound process at first look, the presence of a decryption algorithm together with the hardcoded key implies an alternative way to obtain user passwords. The simplest option is to use the client's own decryption feature to do the work.
For example, in the user management options the client displays the decrypted password masked with dots. This highly simplified protection can easily be bypassed with existing tools.
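The following example was added for this page to illustrate the pattern described above; it is not Lexware code and not from usd AG. It contrasts a reversible store built on a key that ships inside the client (the weakness is the key location, not the particular cipher) with a one-way salted hash, where the stored value lets the application verify a password but never recover it. The key, salts and passwords in it are constructed for the demonstration.

```python
"""Reversible password storage with a hardcoded key versus a one-way salted hash.

Added example, not code from the advisory or the product. HARDCODED_KEY and all
passwords are constructed values.
"""
import hashlib
import hmac
import os
from typing import Optional

# --- Vulnerable pattern: reversible "encryption" keyed by a constant in the client ---
# Constructed toy key. Every installation built from this code carries the same key.
HARDCODED_KEY = b"demo-hardcoded-key"


def _xor_with_key(data: bytes) -> bytes:
    """Toy XOR stream keyed by HARDCODED_KEY; XOR is its own inverse."""
    return bytes(b ^ HARDCODED_KEY[i % len(HARDCODED_KEY)] for i, b in enumerate(data))


def reversible_encrypt(password: str) -> bytes:
    """What the client stores in the database."""
    return _xor_with_key(password.encode("utf-8"))


def reversible_decrypt(stored: bytes) -> str:
    """The client needs this to show the password in user management, so the
    stored value plus the shipped key is enough to recover every plaintext."""
    return _xor_with_key(stored).decode("utf-8")


# --- Hardened pattern: salted PBKDF2-HMAC-SHA256, verify-only ---
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per password defeats precomputed tables and makes equal
    passwords produce different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    secret = "s3cret!"  # constructed sample password
    blob = reversible_encrypt(secret)
    print("reversible store recovers plaintext:", reversible_decrypt(blob))
    record = hash_password(secret)
    print("hashed store record:", record)
    print("verify correct password:", verify_password(secret, record))
    print("verify wrong password:  ", verify_password("wrong", record))
```

The point of the contrast is the last function: with the hashed record the application can only answer "does this candidate match", which is all authentication needs, whereas the reversible store hands back the password to anyone who holds the database value and the client.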
Proof of Concept
A sample screenshot is provided to enhance the ease of understanding. It shows the decrypted administrator password.
This security vulnerability was found by Brenda Anthony and Sebastian Puttkammer of usd AG.