Checkmarx CxQL Sandbox bypass (CVE-2014-8778)
Vendor: Checkmarx - www.checkmarx.com
Product: CxSuite
Version affected: 7.1.5 and prior
Credit: Huy-Ngoc DAU (@ngocdh) of Deloitte Conseil, France
Checkmarx is a static source code analysis suite (https://www.checkmarx.com).
CxQL (Checkmarx Query Language) is a C#-based language defined by Checkmarx to query source code. Calls to security-critical C# classes and functions are, however, not allowed for security reasons.
CxQL can be executed in two locations:
We identified a bypass that allows execution of arbitrary, unauthorized C# code in those contexts, and thus compromises the security of the machine on which the code is executed, whether a Checkmarx server or an auditor's workstation.
The following scenarios describe attacks where this bypass is possible:
However, the following error message is returned:
Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=xxx' failed.
We found that this permission issue could be bypassed by adding the following line before the code:
(new System.Net.WebPermission(System.Security.Permissions.PermissionState.Unrestricted)).Assert();
By adding the following line, the code is executed successfully:
(new System.Security.Permissions.SecurityPermission(System.Security.Permissions.SecurityPermissionFlag.AllFlags)).Assert();
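The advisory does not state how CxSuite enforced its restrictions. As an added illustration (not Checkmarx code), the following .NET Framework host places untrusted code in an AppDomain whose grant set withholds both WebPermission and SecurityPermissionFlag.Assertion, so the Assert() pattern above is refused rather than honoured; it assumes .NET Framework 4.x, where CAS-based AppDomain sandboxing is still available, and the HostedQuery/SandboxHost names are invented for the example.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;
// Proxy type loaded into the partial-trust AppDomain; stands in for a hosted CxQL query.
public class HostedQuery : MarshalByRefObject
{
    public string TryAssertThenUseNetwork()
    {
        try
        {
            // Same pattern as the advisory: assert a broad permission, then make the privileged call.
            new WebPermission(PermissionState.Unrestricted).Assert();
            new WebPermission(PermissionState.Unrestricted).Demand(); // stands in for a real web request
            return "network access allowed";
        }
        catch (SecurityException e)
        {
            // With Execution only in the grant set, Assert() itself throws (no Assertion flag);
            // a permission the assembly was never granted cannot be asserted into existence either.
            return "blocked: " + e.Message;
        }
    }
}
public static class SandboxHost
{
    // A grant set is a sandbox only if it withholds the sensitive permissions themselves and
    // the SecurityPermissionFlag.Assertion flag, so hosted code cannot call Assert() at all.
    public static PermissionSet MinimalGrant()
    {
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        return grant;
    }
    // Creates an AppDomain whose grant set is exactly 'grant' and runs the hosted query inside it.
    public static string RunSandboxed(PermissionSet grant)
    {
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain("QuerySandbox", null, setup, grant);
        try
        {
            var query = (HostedQuery)sandbox.CreateInstanceAndUnwrap(
                typeof(HostedQuery).Assembly.FullName, typeof(HostedQuery).FullName);
            return query.TryAssertThenUseNetwork();
        }
        finally { AppDomain.Unload(sandbox); }
    }
    public static void Main() { Console.WriteLine(RunSandboxed(MinimalGrant())); }
}
```

The check a host owner wants is that the grant set handed to CreateDomain never contains the Assertion flag or an unrestricted PermissionSet; a restriction that lives only in the caller's frames is what an Assert() in the hosted code walks past.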
Timeline:
25/10/2014 - bypass discovery
04/11/2014 - vendor notification
29/12/2014 - vendor asked to delay advisory publication
21/07/2015 - patch confirmation from vendor in version 7.1.8
03/09/2015 - advisory publication
References:
https://checkmarx.atlassian.net/wiki/display/KC/Working+in+CxAudit
https://checkmarx.atlassian.net/wiki/display/KC/Working+with+Queries
https://checkmarx.atlassian.net/wiki/download/attachments/5406733/CxQL%20API%20Guide%207%201%204.pdf
About Deloitte:
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. In France, Deloitte SAS is the member firm of Deloitte Touche Tohmatsu Limited, and professional services are provided by its subsidiaries and affiliates.
Our Enterprise Risk Services practice is made up of over 11,000 professionals providing services relating to security, privacy & resilience; data governance and analytics; information and controls assurance; risk management technologies; and technology risk & governance. We help organizations build value by taking a "Risk Intelligent" approach to managing financial, technology, and business risks.