Marmind Authorization Bypass
An Authorization Bypass vulnerability in the Marmind web application, version 22.214.171.124, allows users with lower privileges to gain access to files uploaded by administrative users. The accessed files were not visible to the low-privileged users in the web GUI. The vulnerability was reported as CVE-2020-26506.
We discovered a security issue within the Marmind web application, version 126.96.36.199. Marmind is software that combines campaigns, budgets and results into one central marketing plan. An attacker with access to the network, or a disgruntled employee, can access files that should not be available to their assigned roles.
Steps to Reproduce
Upon creating a new campaign, an administrative user is able to upload new files in the "Assets" section of the web application. Users with adequate permissions can download all existing assets of a specific campaign. After navigating to the URL of an asset from the targeted campaign, the user without privileges receives an HTTP response stating that access to the asset has been denied. However, even though the user is not authorized to access the asset, a download starts automatically and the file is saved to the user's computer.
The following pictures show how we are able to exploit the vulnerability:
Accessible campaigns by the user “GADMINE”
Assets visible in the "testtest" campaign
Users included to the “testtest” campaign that are privileged to see its assets
User “SADMINE” is not privileged to access the “testtest” campaign and its assets
Unauthorized download of asset from campaign of an administrative user
This issue exists due to broken access controls in the web application. To mitigate the issue, we recommend that the server verify whether the requesting user holds the necessary privileges before performing any action, including serving the file bytes. The verification should rely on the server-side session (identified by the session token sent by the client), not on any client-supplied claim about the user's role.
Fix / Producer Statement
The issue was reported to Marmind. The identified business threat was evaluated and a fix has been implemented.
In the current version 188.8.131.52, general changes have been made to how binary data is provided through the Marmind API. In previous versions of Marmind, the binaries were accessed directly over a reverse proxy hosted in the dedicated Media Asset Management Service, which has no user authorization functionality. The direct routes to the Media Asset Management Service have now been removed and a new API gateway has been implemented that enforces authorization checks on every request for an application's asset.
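The following is an added example that is not Marmind's code and not part of the original advisory; it models the two designs described above (the mitigation recommended in the findings and the gateway described in the producer statement) in plain Python. The vulnerable route stands in for a reverse proxy straight to a media service that knows nothing about users; the gateway route resolves the session server-side and checks campaign membership before it touches the media service at all, so a denied request never carries asset bytes. The campaign name, user names, asset id, session store and media store are all constructed sample data.

```python
import logging
import secrets
from dataclasses import dataclass, field

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("asset-gateway")

# --- Constructed sample state (hypothetical, not Marmind data) ----------------
# Assets held by the media service, keyed by (campaign_id, asset_id).
MEDIA_STORE = {("testtest", "asset-1"): b"%PDF-1.4 constructed sample campaign asset"}
# Campaign membership: only members may read a campaign's assets.
CAMPAIGN_MEMBERS = {"testtest": {"GADMINE"}}
# Server-side session store: opaque token -> username. The client only ever
# holds the token; the role/identity lookup happens here, on the server.
SESSIONS = {}


def login(username):
    """Create a server-side session for a user and return its opaque token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


@dataclass
class Response:
    status: int
    body: bytes = b""
    headers: dict = field(default_factory=dict)


def media_service_fetch(campaign_id, asset_id):
    """Model of the Media Asset Management Service: it stores bytes and has
    no notion of users or permissions (as the producer statement describes)."""
    return MEDIA_STORE.get((campaign_id, asset_id))


def direct_route(token, campaign_id, asset_id):
    """Vulnerable pattern: a reverse proxy straight to the media service.
    The session token is received but never consulted, so anyone who reaches
    the URL gets the file."""
    data = media_service_fetch(campaign_id, asset_id)
    if data is None:
        return Response(404)
    return Response(200, data, {"Content-Disposition": f'attachment; filename="{asset_id}"'})


def gateway_route(token, campaign_id, asset_id):
    """Hardened pattern: the API gateway resolves the session server-side,
    checks campaign membership, and only then asks the media service for the
    bytes. Denied responses carry an empty body."""
    user = SESSIONS.get(token or "")
    if user is None:
        return Response(401)
    if user not in CAMPAIGN_MEMBERS.get(campaign_id, set()):
        # Logged so an unexpected burst of denials on one campaign is visible.
        log.warning("denied asset read user=%s campaign=%s asset=%s", user, campaign_id, asset_id)
        return Response(403)
    data = media_service_fetch(campaign_id, asset_id)
    if data is None:
        return Response(404)
    return Response(200, data, {"Content-Disposition": f'attachment; filename="{asset_id}"'})


if __name__ == "__main__":
    admin = login("GADMINE")
    low = login("SADMINE")
    print("direct route, low-privileged user:", direct_route(low, "testtest", "asset-1").status)
    print("gateway, low-privileged user:", gateway_route(low, "testtest", "asset-1").status)
    print("gateway, campaign member:", gateway_route(admin, "testtest", "asset-1").status)
```

Two design points matter beyond the obvious check. First, the authorization decision and the file transfer must happen on the same code path; a separate route that streams the bytes while the main application renders an "access denied" page is exactly the split the advisory describes. Second, the gateway checks membership before it checks whether the asset exists, so a non-member receives 403 whether or not the asset is there and cannot enumerate asset ids by telling 403 apart from 404.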
Credit for finding and reporting the issue:
• Evgeni Sabev (Deloitte)