Vladimir had the opportunity to test the security of the Windchill PLM software published by PTC during an intrusion test mission.
Using basic website security auditing techniques, he discovered a vulnerability affecting all versions of the software. It allowed him to read the configuration files accessible in the application folder.
These files, if badly configured, can contain service accounts in plain text, and thus allow an attacker to pivot in the Information System.
The Security Advisory of the vulnerability is available on the PTC’s support interface.
URL Fuzzing
An essential step during a pentest is the discovery and enumeration of the exposed applications. On a web interface, this will usually result in a bruteforce of files and folders.
The most used tools for this purpose are Dirbuster, Gobuster, wfuzz or Burp with its Intruder.
It is a dictionary attack: a list of known paths and files is given to these tools, which will make an HTTP request to the server to determine if the item exists.
The dictionaries used by our pentesters are numerous and depend on the technologies used by the clients. However, the fuzz.txt file remains a safe bet and has proven itself on many missions.
Many “modern” technologies do not expose the file system directly and instead interpret the URL in terms of application routes. We will rather talk about URL fuzzing even if the technique remains the same. A very common case is URL fuzzing on a REST API to discover exposed actions and objects.
Fuzzing as many paths as possible generally pays off and allows you to discover new functionalities, generate application errors or find vulnerabilities such as inclusion/arbitrary file reading (LFI).
Discovery of the vulnerability
The pentester, authenticated on Windchill, observes the requests that pass between his browser and the website thanks to an offensive proxy: an HTML page generates many transparent requests for the user. For example the downloading of images, JavaScript files, but also requests essential to the operation of the application such as an API call. All these calls are made on very specific URLs that the pentester undertakes to fuzz.
After several routes that yielded nothing, one of the URLs looks promising: the application responded with an HTTP code 200 to an entry from fuzz.txt. The entry in question is as follows:
/WEB-INF/web.xml
Connoisseurs will have recognized the path to the configuration file of a Java web application. Although not directly accessible, the Windchill developers seem to have misconfigured the https://WINDCHILLURL/Windchill/vulnerable/path/ route and expose the server file system behind the vulnerable servlet!
The vulnerability
By accessing the filesystem behind the vulnerable servlet, the attacker actually lands in the codebase folder. Various configuration files are accessible and may contain interesting information such as internal host names and Information System user names. In rare cases, secrets may be left unencrypted in these configuration files. By default, Windchill encrypts the secrets used at installation.
We are therefore on an authenticated information disclosure, relatively inocuous in most cases, but which can also reveal secrets when good practices are not followed.
This vulnerability discovered by Vladimir TOUTAIN presents a risk qualified as important with a CVSS score of 6.5. It impacts all versions of Windchill.
Communication with the software publisher
PTC’s Coordinated Vulnerability Disclosure process is well documented at the following URL: https://www.ptc.com/en/documents/security/coordinated-vulnerability-disclosure.
Communication with PTC was very professional although a bit long to set up: a meeting was organized by the Chief Product Security Officer with several PTC employees in connection with the Windchill software in order to establish a clear roadmap of actions to perform. PTC addressed the vulnerability within 120-days, which is industry standard.
The vulnerability is documented by the publisher at the following link : https://www.ptc.com/en/support/article/CS375403.
18/05/2022 : First contact email sent
25/05/2022 : Reminder email
21/06/2022 : Reminder email
21/06/2022 : First response from the CPSO apologizing for the delay: the vulnerability is being analyzed, proposal for a meeting within 7-10 days.
30/06/2022 : Meeting attended by CPSO and PTC employees directly related to Windchill. Vulnerability validation, acknowledgments, and planning next steps.
01/08/2022 : New meeting to take stock of the deployment of the fix and the communication around the vulnerability.
11/08/2022 : Validation of the article and the advisory by both parties.
31/08/2022 : Agreement on the publication date of this article.
🛡️ DSecBypass accompanies you on the security audit of your Web applications. Do not hesitate to contact us for additional information and/or a personalized quote 📝.
