Affected Product: Stimulsoft Designer (Desktop), Stimulsoft Designer (Web), Stimulsoft Viewer (Web)

Affected Versions: Stimulsoft Designer (Desktop) 2023.1 (confirmed); Stimulsoft Designer (Web) 2023.1.3 (confirmed), 2023.1.4 (not tested, presumed affected); Stimulsoft Viewer (Web) 2023.1.3 (confirmed), 2023.1.4 (not tested, presumed affected)

Fixed Version: 2023.2.1

CVE-Number: CVE-2023-25261

Severity: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Discovered by Ing. Simon Schönegger, BSc, MSc, Lejla Sarcevic, BSc, MSc, Dipl-Ing. Rainer Seyer, BSc

During a penetration test for a customer, the testers found that the customer was using Stimulsoft Reporting Designer and Stimulsoft Reporting Viewer 2023.1.3 to design and display specifically crafted reports for their own customers. In the course of the test, the researchers discovered that these versions are vulnerable to remote code execution. Exploitation was additionally tested against a trial version of Stimulsoft Designer 2023.1.4 (Desktop), which was confirmed to be exploitable. Because the researchers only had access to a trial version, Stimulsoft Designer 2023.1.4 (Web) and Stimulsoft Viewer 2023.1.4 (Web) were not tested. However, since Stimulsoft Designer 2023.1.4 (Desktop) is affected, it is reasonable to assume that the corresponding web versions are also exploitable.

The .mrt report files used by Stimulsoft can be extended with C# source code that is compiled and executed when the report is processed. The affected versions attempt to prevent remote code execution by restricting which libraries report code may call; for example, calls to System.Net.HttpClient and System.Net.Sockets are blocked. Access to the local file system, however, is not restricted at all, so anyone who can supply a report to the viewer or designer can read and write files with the privileges of the hosting process.

No privileges are required to exploit this vulnerability when the viewer or designer is embedded in a page that lacks authentication. Because authentication and authorization are measures that the developer embedding the viewer or designer has to implement themselves, the privileges required for exploitation are rated as "None" in the CVSS vector above.

Proof of Concept

No detailed proof of concept for this vulnerability is disclosed, since we do not include payloads in our published advisories. However, as stated above, it is possible to embed C# source code in a report's .mrt file. Examples of how such source code is embedded can be found here.

Vendor contact timeline

Date        Action
2023/01/17  Discovery of the vulnerability
2023/01/20  Bulk disclosure of multiple vulnerabilities via the vendor's support e-mail address
2023/01/20  Vendor responds that it is possible to set a property that is not set in the default configuration and that this is a by-design feature
2023/01/21  Researchers respond that this property should be set in the default configuration and advise running the code in a sandboxed environment or blacklisting more DLLs
2023/01/30  Vendor responds that they cannot change the default behaviour of their systems. The described behaviour can be deactivated by developers, but they have to do so themselves; Stimulsoft will not change any behaviour, since they consider this the responsibility of the developer.
2023/01/30  Vendor responds again, stating that they will disable all code compilation by default in the March release
2023/01/30  Disclosure of the vulnerability to MITRE
2023/03/02  MITRE assigns CVE-2023-25261
2023/03/02  Researchers inform the vendor about the CVE assignment and ask when the March version will be released
2023/03/02  Vendor responds that the version fixing this vulnerability will be released in the second half of March
2023/03/02  Agreement to publish the vulnerability as soon as the fix is released