# ION Group: Account Takeover

## Package

## Affected versions

## Patched versions

## Description

### Summary

The default configuration of the authentication component of the Wallstreet WebSuite application does not validate the SAML response from the identity provider (e.g. Microsoft login). This can be leveraged to take over the accounts of other users by modifying the email address and username assertion fields, and so to take over application components such as the Cash Manager Module [CMM] and Security Center (the administration component).

### Severity

Critical – An authenticated user with valid credentials can access any existing user account, such as a super administrator account, without knowledge of the target user's valid credentials. An attacker would then be able to access all information and initiate actions while impersonating the account.

### Proof of Concept

The following steps can be followed to replicate the vulnerability:

1. Access the application using the URL `https://:/websuite/saml` and note the "RelayState" parameter in the response.
2. The application redirects to the login page of the Identity Provider (IdP), e.g. Microsoft. On successful login, a SAML response is generated.
3. Retrieve the "SAMLResponse" value either by inspecting the traffic with the browser Dev Tools or by using an interception proxy such as Burp Suite.
4. The SAML response is base64 encoded and can be easily decoded to view the plain-text contents. Replace the username and email addresses in the decoded SAML response with those of another user, such as an administrative user.
5. Base64 encode the tampered SAML response and issue a request to the /saml/response endpoint of the application using the "RelayState" parameter obtained in step 1.
6. The application authorizes the user based on the SAML token and issues a session token.

#### Security Center compromise

The aforementioned steps can be followed to gain super administrator access to Security Center as well.

1. Access the Security Center directly using its URL or the tile on the WebSuite home page.
2. Authentication redirects to the identity provider (IdP) after the RelayState parameter has been issued.
3. Log in at the IdP's portal, e.g. Microsoft login in this case. The SAML response is returned to the WebSuite authentication endpoint.
4. The SAML response is tampered with to change the username and email address to those of an administrator account. This can be done manually or using a Burp Suite extension such as SAML Raider. The modified SAML response is forwarded to the application, which redirects to the Security Center page.

### Further Analysis

Google / Mandiant recommends that the application properly validate the signature and certificate of the SAML response, along with the assertion data, originating from the IdP.
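As an added example (not ION's code; the entity IDs, element layout and sample response are constructed assumptions), the checks below are the ones a service provider must run before trusting the NameID or email fields of a SAMLResponse: require a signature, recompute the signed digest over the canonicalized assertion so that any post-signing edit of those fields is rejected, and check issuer, audience and validity window. The final RSA verification of SignatureValue against the IdP certificate pinned in SP configuration needs an XMLDSig library and is noted in the code rather than implemented.

```python
from __future__ import annotations
import base64, hashlib, re
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
SAML, DS = "urn:oasis:names:tc:SAML:2.0:assertion", "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DS}
ET.register_namespace("saml", SAML)
# Assumed entity IDs (placeholders); in a real SP these come from configuration, never from the response.
IDP_ENTITY, SP_ENTITY = "https://idp.example.invalid/", "https://websuite.example.invalid/saml"

def digest_of(assertion_xml: str) -> str:
    """XMLDSig Reference digest: C14N of the assertion without its Signature, SHA-256, base64."""
    c14n = ET.canonicalize(assertion_xml, strip_text=True)
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def sample_response(name_id: str, not_after: str) -> str:
    """Constructed IdP response for testing; the RSA SignatureValue is a placeholder (no IdP key here)."""
    assertion = (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1"><saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
                 f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
                 f'<saml:Conditions NotOnOrAfter="{not_after}"><saml:AudienceRestriction><saml:Audience>'
                 f'{SP_ENTITY}</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>')
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>'
           f'{digest_of(assertion)}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
    resp = assertion.replace("</saml:Issuer>", "</saml:Issuer>" + sig, 1)
    return base64.b64encode(f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">{resp}</samlp:Response>'.encode()).decode()

def alter_field(response_b64: str, pattern: str, repl: str) -> str:
    """Post-signing edit of the decoded response (the advisory's PoC step), used as negative test input."""
    xml = re.sub(pattern, repl, base64.b64decode(response_b64).decode(), count=1)
    return base64.b64encode(xml.encode()).decode()

def validate(response_b64: str, now: datetime | None = None) -> tuple[bool, str]:
    """Checks an SP must pass before trusting NameID/email; the advisory says all were missing."""
    a = ET.fromstring(base64.b64decode(response_b64)).find("saml:Assertion", NS)
    sig = a.find("ds:Signature", NS) if a is not None else None
    if sig is None:
        return False, "unsigned or missing assertion"   # never trust bare attribute values
    if a.findtext("saml:Issuer", "", NS) != IDP_ENTITY:
        return False, "unexpected issuer"
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", "", NS) != SP_ENTITY:
        return False, "audience mismatch"
    if (now or datetime.now(timezone.utc)) >= datetime.fromisoformat(cond.get("NotOnOrAfter", "").replace("Z", "+00:00")):
        return False, "assertion expired"
    claimed = sig.findtext("ds:SignedInfo/ds:Reference/ds:DigestValue", "", NS)
    a.remove(sig)  # enveloped-signature transform: the digest covers the assertion minus its Signature
    if digest_of(ET.tostring(a, encoding="unicode")) != claimed:
        return False, "digest mismatch: assertion altered after signing"
    # Still required: verify ds:SignatureValue over C14N(ds:SignedInfo) with the pinned IdP cert (e.g. signxml).
    return True, "ok"
```

A response edited as in the PoC fails the digest comparison, and one with its Signature element removed is rejected before any field is read.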

### Timeline

**Date reported**: 07/23/2024

**Date fixed**:

**Date disclosed**: 10/22/2024
