Introduction

During an engagement, Jack Moran from ZX Security discovered a Server-Side Request Forgery (SSRF) and a Path Traversal sequence within the Precisely Spectrum Spatial Analyst ecosystem.

What is Precisely Spectrum Spatial Analyst?

Precisely Spectrum Spatial Analyst is an interactive mapping and analysis application, part of the Precisely Spectrum Spatial suite. It is an off the shelf product that offers a range of features out of the box to create and modify ‘vector thematic maps and reports’[1]. Precisely Spectrum Spatial Analyst offers an interactive mapping service and provides ‘access to mapping and geographic-based information, addresses and postcode searches’[1].

Server-Side Request Forgery

What is Server-Side Request Forgery?
Server-Side Request Forgery allows a threat actor to induce the back-end server of a vulnerable application to make requests. These requests can be used to target internal systems that are not initially accessible from the internet.

Where was the Server-Side Request Forgery?
The Server-Side Request Forgery issue was discovered in the /connect/analyst/controller/externalTileServiceProxy endpoint. This endpoint accepted an arbitrary URL as part of the REQUEST_URL= parameter. When the request is made, the server-side application is induced to make a request to an unintended location and embed the associated response. An example request can be seen below:

GET /connect/analyst/controller/externalTileServiceProxy?MAP_URL=[REDACTED]&REQUEST_URL=[REDACTED]&TYPE=XYZ&mapcfg=[REDACTED]&TILE_PROFILE=/Analyst/NamedExternalTilingConfigurations/Drone HTTP/1.1
Host: [REDACTED]
Connection: close

CVE-2022-42183

Path Traversal Sequence Leads To Authentication Bypass

What is Path Traversal?
Path Traversal vulnerabilities allows a threat actor to request and access files and directories within a vulnerable application, which are usually protected or restricted by authentication methods.

Where was the Path Traversal Sequence?
The Path Traversal sequence vulnerability was discovered on multiple endpoints that accepted an arbitrary URL via the URL= parameter. Unlike traditional Path Traversals which requests a file or directory, this Path Traversal sequence allowed the inclusion of previously authenticated SOAP and REST API endpoints within the platform. Allowing additional functionality to be used bypassing the BASIC authentication that was previously preventing access to them. An example request can be seen below:

GET /connect/analyst/controller/connectProxy/rest/Spatial/ProjectService?url=../../../soap/&now=1655252233022 HTTP/1.1
Host: [REDACTED]
Connection: close

CVE-2022-42182

Vulnerability Disclosure Timeline:

  • 19/08/2022 - ZX Security was sent confirmation that the vulnerabilities are being addressed by the vendor in the next release.
  • 08/10/2022 - Version 2022.1.0 S06 Released.
  • 18/10/2022 - CVE-2022-42182 and CVE-2022-42183 Reserved.
  • 16/11/2022 - Blog published :).

References

Latest event

WAO Summit 2024

to

Wanaka and Queenstown.

Attend WAO Summit 2024 and bring deeper meaning and purpose to business and everyday life. Its workshops and masterclass sessions will set you on a pathway to action, helping you lead with purpose, and be part of the transformation towards a thriving future.

See all events
Contact us

Take the next step and talk to us today.