In this post, we will take a malicious look at the open-source digital asset management framework, ResourceSpace, and go over the entire process we can use to audit and compromise the software.
What is ResourceSpace?
Their website describes the product as follows…
ResourceSpace open source digital asset management software is the simple, fast, & free way to organize your digital assets.
ResourceSpace is known as a Digital Asset Manager, or DAM, and usually involves the creation and management of different collections containing various digital assets for sharing among your team. The asset being managed is stored in a digital format and is detailed by its metadata. The metadata can describe the asset content, the means of encoding, ownership, and rights of access.
The ResourceSpace website provides a number of White Papers that explain more about Digital Asset Management (DAM) and how it may be able to work with your organization. I took a look at each of the 6 PDF documents to get a better idea of the DAM process.
The website also has an impressive client list with a handful of high-profile testimonials. After reading some of their client testimonials, a specific client caught my eye with a description of the product…
ResourceSpace is a fantastic tool that enables us to effectively collaborate internally and with external partners around the globe. We use it for everything from managing brochure production to hosting our branding portal. It is the most cost-effective system of its kind that I have ever come across. The customer support is honestly second to none, which makes it the perfect package.
—DEAN CLARKE, Head of Group Digital Communications and Marketing, BAE Systems PLC
BAE Systems Inc. (formerly BAE Systems North America) is the wholly owned U.S. subsidiary of the British defence, security, and aerospace company BAE Systems plc, the world’s second biggest defense company.
Once I noticed that companies like Toshiba and BAE Systems were using this product both internally and with external “partners”, I had to take a closer look at the code as a security researcher. Fortunately for me, the ResourceSpace product does have a ZIP version for those who want to self-host the DAM instead of using their Cloud-based version of the product.
Plan of Attack
Since we have a ZIP version of the ResourceSpace DAM, I will set up an Ubuntu web server in a virtual machine using VMware Workstation. This keeps all of our code separated from the host environment to avoid cross-contamination, and a host-only network adapter gives us a fast connection between host and guest.
The ResourceSpace DAM is written mostly in PHP, so we will need to set up a PHP-specific testing environment for both static and dynamic analysis of the code. There are a lot of good tools available for PHP code analysis, such as Exakat, PHPStan, RIPStech, and SonarQube, to name a few. For this specific engagement, I will be using PHPTrace, Xdebug and the open-source version of RIPS, along with the PHP Inspections extension for PhpStorm. With these tools set up correctly, we should be able to follow PHP execution with a full stack trace of all values, in addition to the static code analysis from RIPS and the PHP Inspections extension.
To make sure we keep track of each request, we are going to set up an attack proxy. The attack proxy will also help in discovering and attacking different insertion points as we browse the web application. For this, I will be using Burp Suite with the CO2 extension, along with some custom fuzzing wordlists specific to PHP web applications.
To start, we will manually scan the web application for pages that contain forms for user input. User input sanitization is a big part of web application security, and when it is done incorrectly, the consequences can be disastrous for the organization hosting the web application. Because most DAM frameworks depend heavily on user input, this is a good place to start.
If we find a vulnerability that we can exploit, we will then write a payload in Python to automate the attack and, hopefully, gain admin permissions before it's all over.
Now that we have a good plan of attack, we need to go ahead and build the attack environment for this engagement. In part 2 of this series, we will build our environment, and set up all the tools needed to audit the web application.