Posts Multiple vulnerabilities in MIK.starlight Server (SYSS-2021-035, SYSS-2021-036, SYSS-2021-037, SYSS-2021-038, SYSS-2021-039)
Post
Cancel

Multiple vulnerabilities in MIK.starlight Server (SYSS-2021-035, SYSS-2021-036, SYSS-2021-037, SYSS-2021-038, SYSS-2021-039)

During a penetration test project, SySS IT security consultant Nicola Staller identified multiple issues in the MIK.starlight Server. The software serves as a back end to different client applications and therefore offers a multitude of functionalities. Multiple offered functions were found to be vulnerable to remote code execution due to insecure deserialization. Creating a crafted serialized object and sending it to a vulnerable endpoint allowed full system compromise as the software was running with administrative privileges. This issue was reported in the course of our responsible disclosure program to the manufacturer via our security advisory SySS-2021-035 (CVE-2021-36231).

Moreover, issues in the authorization concept were identified. Any authenticated user can utilize functions that the server offers. This includes functions only intended for administrators, therefore enabling privilege escalation. See SySS-2021-036 (CVE-2021-36232) for further details.

Among the functions only intended for administrators, one particularly sensitive function was identified. “AdminGetFirstFileContentByFilePath” allows administrators to read files from the file system. Due to the highly privileged user running the software, arbitrary files can be read. This might, besides disclosing sensitive information, even enable remote code execution under certain cirumstances. Note that this function can be used by any authenticated user as described before. See SySS-2021-037 (CVE-2021-36233) for further details.

Furthermore, it was found that the application source code contains hardcoded secrets. This includes a password whose purpose could not be determined during the assessment and an encryption key, which is used to symmetrically encrypt user-provided credentials written to a file. The credentials can thus be decrypted by anyone with knowledge of that key. See SySS-2021-038 and SySS-2021-039 (CVE-2021-36234).

At the time of writing, SySS is not aware of a solution to any of the described issues. Therefore it is recommended to use this software with caution, possibly in a separate network segment.

This post is licensed under CC BY 4.0 by the author.