Technical Advisory – KwikTag Web Admin Authentication Bypass

Vendor: ImageTag
Vendor URL: https://www.kwiktag.com
Versions affected: 4.5.2 – 9.0
Systems Affected: KwikTag Web Admin
Author: Clayton Lowell
Advisory URL / CVE Identifier: https://www.kwiktag.com/admin-security-advisory_202005/
Risk: High

Summary:

KwikTag is a digital document management solution. KwikTag Web Admin is used to administrate accounts and permissions of the KwikTag instance. KwikTag Web Admin grants an active session without properly validating expired admin credentials.

Location:

~/ktadmin/Default.aspx

Impact:

An attacker can gain administrative access to KwikTag Web Admin by logging in as an admin account that has an expired password, without needing to provide a valid password.

Details:

KwikTag Web Admin does not validate the password provided for admin accounts if the password is expired. KwikTag Web Admin creates a valid session and redirects the user to ~/ktadmin/ChangePassword.aspx prompting them to change their password.

An attacker can take advantage of this by logging into KwikTag Web Admin by entering the username of an administrator whose password has expired and a random string for the password.

The attacker can then disable the built-in auditing functionality, create new accounts, modify group membership to allow access to documents, and recover credentials KwikTag uses to communicate with the underlying host.

Reproduction:

  1. Log into KwikTag Web Admin as an admin account that is not disabled and has expired credentials.
  2. Navigate to ~/ktadmin/SystemSettings.aspx.
  3. Observe that you are able to access the system settings without having provided a valid password.

Recommendation:

  • Patch KwikTag versions 7.2.5, 8.0, 8.1, 8.2 and 9.0, or update to the most recent version.
  • Do not host the Web Admin console on a public interface.
  • Require VPN or internal connectivity to access the Web Admin console.
  • Disable password expiration via the Web Admin console if you are unable to patch.

Vendor Communication:

  • 05/01/20: NCC Group reached out to vendor to identify appropriate security contact.
  • 05/06/20: NCC Group reached out to vendor again requesting appropriate security contact.
  • 05/06/20: Vendor communication established but did not yield an appropriate security contact.
  • 05/14/20: NCC Group reached out to vendor again requesting appropriate security contact.
  • 05/19/20: NCC Group reached out to vendor again requesting appropriate security contact.
  • 05/19/20: Vendor security contact emailed NCC Group to begin disclosure dialogue.
  • 05/20/20: Vendor security contact called NCC Group to begin disclosure dialogue.
  • 05/20/20: NCC Group replied to vendor security contact beginning disclosure dialogue and transmitted draft advisory to vendor security contact via secure communications channel.
  • 05/20/20: Vendor security contact acknowledge receipt of the draft technical advisory and scheduled a conference call.
  • 05/21/20: Conference call between NCC Group and the vendor detailing the vulnerability. Vendor asked for 7 days to determine scope and disclosure window.
  • 05/21/20: NCC Group emailed vendor security contact summary of the conference call, acknowledged the 7-day window.
  • 05/27/20: Vendor released Service Pack 1 for KwikTag 9.0 to address the vulnerability.
  • 05/28/20: NCC Group mailed vendor security contact seeking 30-day disclosure window and requested the version numbers of the vulnerable software.
  • 05/28/20: Vendor security contact sent draft advisory. Vendor confirmed the vulnerability was present in 4.5.2 through 9.0. Vendor stated an intention to create patches for versions 7.2.5, 8.0, 8.1, 8.2, and 9.0.
  • 05/28/20: NCC Group acknowledged receipt of vendor’s draft advisory.
  • 05/29/20: NCC Group emailed vendor security contact requesting disclosure date of 06/29/20.
  • 06/02/20: Vendor security contact confirmed receipt of request to disclose on 06/29/20.
  • 06/05/20: Vendor security contact confirmed 06/29/20 disclosure date.

Thanks to:

The security team at enChoice, Inc.

About NCC Group:

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face.

We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.