Full Report
TL;DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems, some of which had to do with insufficient hardening on the client's side, while others were new vulnerabilities I found that, when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE. Besides the disclosed vulnerabilities, some "features" were also used for malicious purposes. The replication and validation of the findings were done on my own test environment.
Analysis Summary
# Vulnerability: Chained Flaws Leading to RCE in ReCrystallize Server
## CVE Details
- CVE IDs: CVE-2024-26331, CVE-2024-28269 (note: the severity of the chained RCE resulting from their combination is not explicitly detailed, but the components include significant flaws)
  - CVE-2024-26331: likely related to authentication bypass, based on the disclosure timeline
  - CVE-2024-28269: likely related to unrestricted file upload, based on the disclosure timeline
- CVSS Score: not explicitly provided for the combined RCE chain
- CWE: Insufficient Authorization/Authentication (CVE-2024-26331); potential Improper Input Validation leading to an upload vulnerability (CVE-2024-28269)
## Affected Systems
- Products: ReCrystallize Server
- Versions: not explicitly specified, but instances were found during an assessment and later confirmed to be exploitable by the researcher
- Configurations:
  - Instances running with default credentials (e.g., admin/pw)
  - Functionality that allows configuration of absolute paths for file viewing/downloading
  - Instances where hardening measures were insufficient
## Vulnerability Description
The researcher identified multiple issues in ReCrystallize Server which, when chained, achieve Remote Code Execution (RCE). Key issues discovered include:
1. **Authentication Bypass/Weak Defaults:** The application was accessible using simple, default credentials (e.g., 'admin/pw').
2. **Unrestricted File Download/Viewing:** An administrative function (accessible via the 'folderName' parameter when absolute paths were enabled) allowed viewing folder contents. This evolved into an unauthenticated file download capability, even when absolute paths were disabled. This allowed exfiltration of sensitive files (e.g., database credentials, AD information).
3. **Over-Privileged Process:** The application process was running as `NT AUTHORITY\SYSTEM`, granting the highest local privileges.
4. **Other Issues:** The report mentions an "unrestricted file upload vulnerability" (linked to CVE-2024-28269) that, combined with other flaws, contributes to the RCE path. Malicious use of application "features" was also noted.
## Exploitation
- Status: PoC available (Implied by the description of chaining vulnerabilities to achieve RCE and disclosure timeline).
- Complexity: Low to Medium (Default credentials and exploitable features simplified initial access and impact).
- Attack Vector: Network (Remote exploitation via web interface features).
## Impact
- Confidentiality: High (Access to system files, network share information, and database credentials).
- Integrity: High (Potential for RCE under the highest privileges, `NT AUTHORITY\SYSTEM`).
- Availability: Potential Impact (Due to RCE capabilities).
## Remediation
### Patches
- **No formal patch is currently available as of the publication date (March 2024).** The vendor (ReCrystallize Software) had not provided a definitive patch despite disclosures dating back to September 2022.
### Workarounds
- **Isolate the Server:** Restrict network access to the server/service, making it available only to necessary users.
- **Harden Configuration (Immediate Actions):**
1. Change all default passwords immediately.
2. Disable the use of absolute paths if that function is enabled.
3. Ensure encryption is turned on (if applicable to the application configuration).
- **System Hardening:**
1. Apply the principle of least privilege to the underlying service account (do not run as `NT AUTHORITY\SYSTEM`).
2. Keep the underlying web server (hosting ReCrystallize) up-to-date.
3. Block outbound SMB traffic if possible.
## Detection
- **Indicators of Compromise (IOCs):**
  - Use of default credentials (admin/admin, admin/pw).
  - Unusual network connections originating from the ReCrystallize Server host (especially outbound SMB connections).
  - Arbitrary file downloads visible in the application logs or web server access logs.
  - Presence of unexpected web shells or unauthorized scripts if RCE was achieved.
- **Detection Methods and Tools:**
  - Monitor application logs for suspicious requests involving parameters like `folderName` or attempts to access configuration/system files.
  - Network intrusion detection systems (NIDS) configured to look for command execution indicators or exploitation attempts against known vulnerable parameters.
  - Vulnerability scanning tools configured to check for default credentials on the application login.
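As an added example (not code from the original report or from the vendor), a small log-triage script that applies the `folderName` monitoring advice above to constructed IIS W3C-style access log lines: it flags values that are absolute or UNC paths, contain directory traversal, or end in a sensitive file name. The log format, client IPs, request paths and the sensitive-name watch-list are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in IIS W3C style (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# They are made up for this example; the paths and addresses are not from any real deployment.
SAMPLE_LOG = """\
2024-03-01 10:00:01 10.0.0.5 GET /ReCrystallizeServer/Default.aspx - 200
2024-03-01 10:00:02 10.0.0.5 GET /ReCrystallizeServer/Admin.aspx folderName=Reports 200
2024-03-01 10:00:03 203.0.113.9 GET /ReCrystallizeServer/Admin.aspx folderName=C:%5CWindows%5CSystem32 200
2024-03-01 10:00:04 203.0.113.9 GET /ReCrystallizeServer/Admin.aspx folderName=..%2F..%2Fweb.config 200
2024-03-01 10:00:05 203.0.113.9 GET /ReCrystallizeServer/Admin.aspx folderName=%5C%5C10.0.0.7%5Cshare 200
"""

# Patterns that indicate a folderName value escaped the intended report folder.
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|[\\/]{2})")   # C:\..., or \\host\share (UNC)
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")          # ../ or ..\ components
SENSITIVE_NAMES = ("web.config", "machine.config", "ntds.dit")  # assumed watch-list, extend as needed


def classify_folder_name(value):
    """Return the reasons a folderName value looks suspicious (empty list if it looks benign)."""
    v = unquote(value)  # decode once more so double-encoded values are still inspected
    reasons = []
    if ABSOLUTE_PATH.search(v):
        reasons.append("absolute-path")
    if TRAVERSAL.search(v):
        reasons.append("traversal")
    if v.lower().endswith(SENSITIVE_NAMES):
        reasons.append("sensitive-file")
    return reasons


def scan_log(text):
    """Parse W3C-style lines; return (client_ip, decoded folderName, reasons) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[5] == "-":   # no query string on this request
            continue
        client_ip, query = parts[2], parts[5]
        for value in parse_qs(query).get("folderName", []):  # parse_qs already percent-decodes
            reasons = classify_folder_name(value)
            if reasons:
                hits.append((client_ip, unquote(value), reasons))
    return hits


if __name__ == "__main__":
    for ip, folder, why in scan_log(SAMPLE_LOG):
        print(f"{ip} folderName={folder!r} -> {', '.join(why)}")
```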
## References
- Vendor Advisory: None publicly available due to lack of patch.
- Disclosure Timeline/Blog: hxxps://sensepost.com/blog/re-crystallize-server-vulnerabilities
- CVE Records: CVE-2024-26331, CVE-2024-28269