Analysis by David Sopas and João Morais
The Checkmarx Security Research team reached out to Ericsson's Responsible Disclosure Program, notifying them of the finding on 14th March 2023. Ericsson acknowledged the finding and replied that the issue was fixed on 11th April 2023.
ASP.NET web applications that run with tracing enabled could publicly expose sensitive information. This feature allows any user to view diagnostic information about a single request for an ASP.NET page. When this feature is enabled, Trace Viewer (Trace.axd) may also be publicly accessible at the server's root, without authentication. The Checkmarx Security Research team discovered this vulnerability and will explore what that means for users in this post.
This research was carried out following the Ericsson Vulnerability Disclosure Program.
One of Ericsson's subdomains is forecast.ericsson.internet. Accessing it in a web browser redirects to https://forecast.ericsson.internet/Login/Login.aspx. No advanced reconnaissance process was required to know that we were dealing with an ASP.NET web application.
There are several well-known endpoints and resources of interest to check for when dealing with ASP.NET web applications, and /Trace.axd is one of them. Trace.axd is a web page that is meant to provide extensive logging information about web requests to the application. If it is exposed, it could give attackers unauthenticated access to the last 80 web requests made to the server. This has the potential to result in sensitive information, such as PII data and session details, being disclosed. This information could then be used to potentially take over user accounts and further compromise Ericsson's applications.
After discovering Trace Viewer (Trace.axd) on our target subdomain (https://forecast.ericsson.internet/Trace.axd), we checked what information was available.
The image above shows the Trace Viewer main page (Trace.axd), where the physical directory of the web application (E:webrootsSupplyExtranet) and the last requested web application files (Provide/ChangePassword.aspx) are printed.
As you can see, it is possible to view additional details for each request. This can potentially give malicious actors access to sensitive information. The bodies of POST requests, especially those to the Login/Login.aspx endpoint, are good candidates to watch for disclosure of sensitive information, including usernames and passwords. We can see this scenario, where the user account credentials, username and password, are both shown in plaintext, in the figure below.
Information disclosure via Trace Viewer (Trace.axd) for ASP.NET web applications is a high severity security issue that can lead to the compromise of sensitive information and online systems. This feature should not be enabled in production environments.
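One way to check a deployment for this misconfiguration, as an added example that is not from the Checkmarx post: a Python audit of the `<trace>` element under `<system.web>` in a web.config file. The sample configs and the name `audit_trace` are constructed for illustration; `enabled` and `localOnly` are the ASP.NET attributes, which default to false and true.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files, not taken from the affected application.
EXPOSED = """<configuration><system.web>
  <trace enabled="true" localOnly="false" requestLimit="80" />
</system.web></configuration>"""
HARDENED = """<configuration><system.web>
  <trace enabled="false" localOnly="true" />
</system.web></configuration>"""

def _flag(element, name, default):
    """Read an ASP.NET boolean attribute, falling back to its default."""
    value = element.get(name)
    return default if value is None else value.strip().lower() == "true"

def _scopes(root):
    """Yield (scope, <system.web>) for the site and each <location> override."""
    for system_web in root.findall("system.web"):
        yield "(site)", system_web
    for location in root.iter("location"):
        for system_web in location.findall("system.web"):
            yield location.get("path", "."), system_web

def audit_trace(web_config_xml):
    """Return (severity, scope, message) findings for ASP.NET tracing.

    <system.diagnostics><trace> is a different element and is ignored.
    """
    findings = []
    for scope, system_web in _scopes(ET.fromstring(web_config_xml)):
        for trace in system_web.findall("trace"):
            if not _flag(trace, "enabled", False):   # default: tracing off
                continue
            if _flag(trace, "localOnly", True):      # default: localhost only
                findings.append(("MEDIUM", scope,
                                 "tracing enabled; Trace.axd limited to localhost"))
            else:
                findings.append(("HIGH", scope,
                                 "tracing enabled and Trace.axd reachable remotely"))
    return findings

if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_trace(doc) or "no findings")
```

A MEDIUM finding still means tracing is switched on, which the post advises against in production; the hardened sample sets `enabled="false"` explicitly.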
The post Ericsson Sensitive Data Exposure via Trace.axd appeared first on Checkmarx.com.