ReCrystallize Server, a software suite for hosting Crystal Reports and delivering them over the web, has been found vulnerable to an authentication bypass (CVE-2024-26331). The vulnerability affects ReCrystallize Server version 5.10.0.0 and potentially earlier versions. The problem lies in the authorization mechanism, which decides whether a request is authenticated purely from the value of a cookie and never binds that value to a server-side session ID. Because the server checks only that the cookie carries the expected value, an attacker who knows or guesses that value can bypass authentication simply by setting the cookie to it; no credentials and no prior login are required.

This post walks through how the vulnerability can be exploited, analyzes an illustrative code snippet, provides links to the original references, and discusses the potential impact of the issue.

Code Snippet

The following simplified snippet illustrates the pattern behind the problem in the ReCrystallize Server authorization mechanism (it is an illustration of the flaw, not a verbatim excerpt of the product). The "auth_token" cookie carries the authorization token, and the token is validated on its own: no session ID is tied to it, so the server cannot tell a token it issued at login from one the client simply wrote into the cookie.

// Read a cookie by name from document.cookie; returns null when absent.
function getCookie(name) {
    var match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
    return match ? decodeURIComponent(match[1]) : null;
}

// Client-side check that trusts whatever value sits in the "auth_token"
// cookie. The token is sent for validation by itself: nothing binds it
// to a server-side session, so any client presenting the expected value
// is treated as authenticated.
function check_auth_cookie() {
    var auth_token = getCookie("auth_token");
    if (auth_token) {
        var req = new XMLHttpRequest();
        req.open('GET', '/validate_token?token=' + encodeURIComponent(auth_token), true);
        req.onreadystatechange = function() {
            if (req.readyState == 4 && req.status == 200) {
                var valid = JSON.parse(req.responseText);
                if (valid) {
                    // Authentication successful: the token value alone was accepted
                } else {
                    // Authentication failed: the token value was not the expected one
                }
            }
        };
        req.send();
    } else {
        // No auth_token cookie present; the user is treated as logged out
    }
}

Exploit Details

To exploit this vulnerability, an attacker sets the "auth_token" cookie to the expected value, either within the browser or with any HTTP client outside the browser (a script or curl) that sends the forged Cookie header. Because the server checks only the cookie value and not whether it belongs to a session it issued, the forged cookie grants unauthorized access to the ReCrystallize Server, from which the attacker can read sensitive data in the hosted reports or tamper with them.

The following JavaScript one-liner, run in the context of the application's origin, sets the "auth_token" cookie to the expected value and thereby bypasses the authentication check (the placeholder stands for whatever value the server treats as valid):

document.cookie = "auth_token=<expected_auth_token_value>; path=/";

Alternatively, an attacker can use the browser developer tools (the Storage or Application panel) to edit the cookie value by hand so that it matches the expected valid token. Either way, the prerequisite is the same: the attacker must know or guess the expected value, which is feasible precisely because that value is not a per-login secret tied to a session.

References

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26331
2. ReCrystallize Server: https://www.recrystallize.com/products/re_crystallize_pro_version_5/index.htm
3. Related Issue (session management background): https://owasp.org/www-community/attacks/session_fixation

Impact

- Tampering with or deletion of hosted reports, leading to potential business disruption.
- Abuse of server resources, if the attacker leverages their unauthorized access to perform other malicious activities.

Conclusion

CVE-2024-26331 is a vulnerability that affects ReCrystallize Server 5.10.0.0 and potentially earlier versions, allowing attackers to bypass authentication by modifying a cookie whose value is not bound to a session. Users of the affected software are advised to follow the vendor's updates and apply any patch released by the ReCrystallize Server team; after patching, confirm that an "auth_token" cookie copied out of one session is no longer accepted on its own. In the meantime, organizations should review their ReCrystallize Server environments and consider compensating controls such as restricting network access to the server by IP and placing it behind an authenticating reverse proxy or multi-factor authentication, so that the vulnerable cookie check is not the only gate.

Timeline

Published on: 04/30/2024 19:15:23 UTC
Last modified on: 08/06/2024 19:35:02 UTC