Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)

 Virtual Security Research, LLC.
                  http://www.vsecurity.com/
                     Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 

Advisory Name: Deltek Vision - Arbitrary SQL Execution
 Release Date: 2019-04-09
  Application: Deltek Vision
     Versions: 7.x before 7.6 March 2019 CU (Cumulative Update)
     Severity: High
       Author: Robert Wessen 
Vendor Status: Updates available, see vendor for information. 
CVE Candidate: CVE-2018-18251
    Reference: https://www.vsecurity.com/download/advisories/2018-18251.txt

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-----------------~
From Deltek's website [1]: "Project-Based ERP for Professional Services Firms.
Manage the complete project lifecycle and increase profitability."

Vision 7.6 is run on IIS with MSSQL as a backend. It supplies a Microsoft 
"ClickOnce" [3] .NET 4.0 application to clients. This .NET client binary 
interacts with the IIS server and backend DB to allow customers to manage, 
bill and track service based projects.


Vulnerability Overview
~--------------------~
In mid-September 2018 VSR identified an arbitrary SQL execution vulnerability in 
the Vision 7.6 system. This vulnerability permits the execution of any attacker 
supplied SQL statement though a custom RPC over HTTP protocol. The query is 
executed as a user with the role of db_owner allowing access to all data within
the Deltek system. Other similar impacts may also be possible, as security is 
enforced on the client for multiple operations.


Vulnerability Details
~-------------------~
The Vision system relies on the client binary to enforce security rules and
integrity of SQL statements and other content being sent to the server. Client 
HTTP calls can be manipulated by one of several means to execute arbitrary SQL 
statements (similar to SQLi) and potentially have other impacts. To perform 
these attacks an authenticated session is first required. In some cases client 
calls are obfuscated by encryption, which can be bypassed due to hard-coded keys 
and an insecure key rotation protocol.

Impacts may include remote code execution in some deployments; however, the 
vendor states that this cannot occur when the installation documentation is 
heeded.


Versions Affected
~---------------~
The issue was originally discovered in version 7.6, although it likely
exists in prior versions which use the same client server architecture.


Vendor Response
~-------------~
The following timeline details Deltek's response to the reported issue:

2018-09-26    VSR contacted Deltek's application development team directly.

2018-09-26    Deltek replied and set up time for additional information to be
              provided.

2018-09-27    Intial vulnerability description communicated.

2018-10-01    Proposed build correcting issues provided to VSR, condition still 
              exploitable.

2018-10-04    Additional conversations around potential mitigations/corrections.

2018-10-05    Additional conversations around potential mitigations/corrections.
              VSR agreed to 180 day disclosure due to a combination of impact 
              level and required product architectual challenges.

2018-10-11    CVE reserved, Deltek provided with all technical details, PoC code 
              and draft advisory.

2019-01-29    New build with aditional protections provided to VSR.

2019-02-12    New build tested, remains exploitable, although exploitation is 
              harder due to additional obfuscation and new RPC integrity checks 
              in place.

2019-04-09    Public advisory release.


Recommendation
~------------~
Upgrade Vision installs to the latest version of Deltek Vision software as soon 
as possible. [7.6 March 2019 CU (Cumulative Update) or later]

In addition to updates, Deltek recommends:

1) Ensuring the installation is deployed to only use HTTPS.

2) Confirming that "encrypted requests" are enabled in web.config as demonstrated
below.


...

...



Common Vulnerabilities and Exposures (CVE) Information
~----------------------------------------------------~
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2018-18251 to this issue. This is a candidate for
inclusion in the CVE list (https://cve.mitre.org), which standardizes
names for security problems.


Acknowledgments
~--------------~
Deltek's development and security teams were quick to reply and eager 
to communicate regarding the issue.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References:

1. https://www.deltek.com/en/products/project-erp/vision

2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18251

3. https://msdn.microsoft.com/en-us/library/ms996413.aspx


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere 
hope that it will help promote public safety.  This advisory comes with 
absolutely NO WARRANTY; not even the implied warranty of merchantability or 
fitness for a particular purpose.  Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible 
disclosure practices:
  https://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
     Copyright 2018 Virtual Security Research, LLC.  All rights reserved.

To view the advisory as a txt. click here.

Editor’s note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.