Affected Product: Stimulsoft Designer (Desktop), Stimulsoft Designer (Web), Stimulsoft Viewer (Web)
Affected Versions: Stimulsoft Designer (Desktop) 2023.1(confirmed), Stimulsoft Designer (Web) 2023.1.3 (confirmed) 2023.1.4 (allegedly), Stimulsoft Viewer (Web) 2023.1.3 (confirmed) 2023.1.4 (allegedly)
Fixed Version: 2023.2.1
Severity: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Discovered by Ing. Simon Schönegger, BSc, MSc, Lejla Sarcevic, BSc, MSc, Dipl-Ing. Rainer Seyer, BSc
During a penetration test for a customer, the penetration testers identified that this customer was using Stimulsoft Reporting Designer as well as Stimulsoft Reporting Viewer 2023.1.3 as a tool to design and view specifically crafted reports for their customers. During this penetration test the researchers discovered that these versions were prone to remote code execution. The exploitation of this vulnerability was also tested with a trial version of Stimulsoft Designer 2023.1.4 (Desktop) and this version was proven to be exploitable. Since the researchers were limited to a trial version, Stimulsoft Designer 2023.1.4 (Web) and Stimulsoft Viewer 2023.1.4 (Web) where not tested for their exploitability. However, since Stimulsoft Designer 2023.1.4 (Desktop) is prone to this vulnerability, it can be conducted that the corresponding web versions are also exploitable.
The .mrt report files used by Stimulsoft are extendable by C# source code. The mentioned versions take
measures to avoid remote code execution by limiting the choice of libraries callable by reports’ source code.
For example, calls to
System.Net.HTTPClient as well as
System.Net.Sockets are restricted. However,
access to the local file system is not prohibited in any way.
No privileges are required to execute this exploit if the reporting viewer or designer are embedded in a page which lacks authentication. Since the authentication and authorization are measurements that the person who embeds the viewer and designer must implement, the privileges that are required to exploit this vulnerability are referenced as “None”.
Proof of Concept
No detailed Proof of concept for this vulnerability is disclosed, since we will not include any payloads in the disclosed vulnerabilities. However, as stated above it is possible to embed C# source code in the reports .mrt file. Examples on how such source code can be embedded can be found here.
Vendor contact timeline
|2023/01/17||Discovery of the vulnerability|
|2023/01/20||Bulk disclosure of multiple vulnerabilities using the vendors support mail|
|2023/01/20||Vendor responds that is possible to set a property which is not set in the default configuration and that this a by design feature|
|2023/01/21||Researchers respond that this property should be set in the default configuration and mention that it would be advised to run the code in a sandboxed environment or blacklist more DLLs|
|2023/01/30||Vendor responds that they can not change the default behaviour of their systems. The described behaviour can be deactivated by the developers, but they have to do it on their own. Stimulsoft will not change any behaviour, since they consider this to be the responsibility of the developer.|
|2023/01/30||Vendor once again responds that they will disable all code compilation by default in the march release|
|2023/01/30||Disclosure of the vulnerability to MITRE|
|2023/03/02||MITRE assigns CVE-2023-25261|
|2023/03/02||Researchers inform vendor about the CVE assignment and ask when the march version will be released|
|2023/03/02||Vendor responds that the version to fix this vulnerability will be released in the second part of march|
|2023/03/02||Agreement to publish the vulnerability as soon as the fix is released|