This research began in early September, and I have been waiting on several confirmations before publishing it.
End users of the affected software include very large corporations and government entities in dozens of countries. The recent supply-chain attacks have only sharpened my professional opinion about what this research shows.
The software I discovered this vulnerability in is kind of like Git, but for modelling things.
What initially appeared to be a rather benign vulnerability, actually turned out to be much more penetrating than initially thought…
Using Google to find vulnerabilities.
On 2020-09-09, I was searching on Google for stupidly vulnerable code.
The search term that I used to find this vulnerability was (no joke):
"chmod 777 /etc/environment"
For those who are unaware of what this command does: /etc/environment is a special file on GNU/Linux. It is the system-wide counterpart to ~/.bashrc or ~/.profile, but it is not a shell script. It holds KEY=VALUE lines that the pam_env PAM module reads and injects into the environment of every login session, for every user, root included, and because it is read again at every login the settings persist across reboots.
Therefore, anyone with write access to /etc/environment controls the environment (PATH, for example) of every account that subsequently logs in, root included. That is why chmod 777 on this file effectively renders the system vulnerable to local privilege escalation.
After hitting “Search” for the above term, I was immediately presented with documentation from a company called NoMagic. Like many readers, I had not heard of this company before.
If you don’t believe me, you can check the Google Images search below; it should still be in the cache. Here are the first six results anyway, all of them from NoMagic, Inc.:
NoMagic has an extensive three-page Customer Support Service Policy, which I will entertain you with:
When submitting a Case, Customer will also propose an urgency level according to the impact of the Case regarding Customer’s day-to-day operation.
Four levels of urgency are available.
Urgent: Customer is unable to use the Licensed Programs and have severe/critical impacts on operations, and no Workaround exists.
High: Customer is able to use the Licensed Programs but operations are severely restricted by the incident. A Workaround exists.
Medium: Customer can use the Licensed Programs with some restrictions on one or several functions. These restrictions, however, do not have a severe impact on Customer’s operations.
Low: The Case causes little or no impact to Customer’s operations.
That’s funny, I don’t remember signing an agreement just to send a support ticket!
Second, you must register on the website to submit a support ticket.
Third, at the time of discovery (and still now), the support system was a broken link: http://knowledgebase.nomagic.com/.
Since I didn’t have time to waste at that moment, I planned to revisit the support portal when it was alive again, or when MITRE assigned the CVE I had requested, whichever came first.
Big companies and forgotten vulnerabilities
A few weeks later, on 2020-09-22, I returned to NoMagic’s website and noticed that the vulnerable documentation was still live on their website.
Having not heard from MITRE yet, I decided to return again later. Given this is unpaid Security Research (3DS does not have a bounty program), I didn’t have time to jump through hoops.
A few more weeks of customers using vulnerable installation scripts won’t hurt, right?
MITRE then assigned the CVE. This actually surprised me, because I had assumed MITRE simply wasn’t interested in that software.
Little did I know, MITRE actually uses the NoMagic software!
Now that a CVE had been assigned, it was my responsibility to follow through with the research.
I proceeded to email NoMagic at a range of different email addresses:
sales@, security@, privacy@ & jobs@.
Unsurprisingly, the security email bounced, which is rarely a good sign.
Since I was not in a North American time zone at the time, I decided to call NoMagic’s Asia office to prod the vulnerability along. Here is the phone call I had with NoMagic Asia:
After a very brief call, I forwarded the CVE request to salesasia@.
Big companies owned by even bigger companies
The next day, I finally worked out that NoMagic is actually owned by a very large parent company named Dassault Systèmes SE (3DS). 3DS appears to have purchased NoMagic back in June 2018.
As I had not heard from them yet, I began to wonder… What kind of company doesn’t respond to emails?
Why would a company not respond to sales emails? Do they not want to make any sales?
The answer is: A company that is owned by a larger company!
I didn’t know much about Dassault Systèmes, but I definitely do now. 3DS is an enormous multinational software company that specializes in 3D design.
The fact that NoMagic has still, to this day, not responded to any of my emails pretty much explains the situation.
When 3DS purchased NoMagic, they inherited the whole old code base.
However, they forgot to do something important: they forgot to audit the giant pull request!
In my professional opinion, I honestly couldn’t think of anything more ridiculous than:
>Buying a software company.
>Merging all of its code into your software suite.
>Forgetting to audit all of the incoming code.
You’d think that a multinational, high-profile company with many, many clients, some of which are defense contractors for governments all around the world, would at least spend a few days auditing the product it bought.
For this reason, I would encourage readers who are familiar with this scenario, or who have been part of two companies merging before, to ask themselves:
Would you merge unknown code into your code base without rigorously testing it?
Without auditing the code base it is inheriting, a company puts itself, and its loyal customers, at great risk.
New cyber attack vector for 2021:
Make your SaaS so corporately buyable that it gets trojan-horsed into the true upstream target.
Moral of the story: audit code when two companies merge.
Bug bounty hunters: find companies with multiple intertwining products.
3DS Security Team gets an A+
Although it’s now very obvious to me that Dassault Systèmes owns NoMagic, it wasn’t until I understood that that I knew who to send the vulnerability report to.
Fortunately, once I realised who owned NoMagic, I checked the place I always check first for security contacts:
I sent them the report, writing that I had had trouble getting onto NoMagic.
Dassault Systèmes were actually fantastic: they responded the very next day.
In fact, the time zones are messy, but I think they first responded within 30 minutes, lol.
Sent: mercredi 4 novembre 2020 06:37:
Replied: Nov 4, 2020, 07:05
@3DS Why don’t you put the link to the 3DS security page on NoMagic’s site?
Not only that, but once the right team had the info, they followed up on their Saturday night!
In my opinion, 3DS needs to merge the two support teams into one, given that the software has already been merged.
I kindly recommend that all vendors add security contact details to their site. I discovered this vulnerability back in early September, and 3DS only received the report at the start of November, because the submission process wasn’t exactly optimised.
So what does the NoMagic software actually do?
NoMagic’s products are part of a software suite by 3DS called CATIA, which enterprise 3D modelling teams use to work on products collaboratively, but also for other things I know less about, like business process modelling:
NoMagic must make an exceptional product because their client list is not only impressive, it is practically the Forbes list!
MagicDraw Teamwork Server is the name of the software that allows more than one developer to work with the same model at the same time, and Teamwork Cloud is the upgraded version of Teamwork Server.
Who can exploit this vulnerability?
If the server is using native authentication, i.e. normal Linux user accounts, then any user who has been provisioned an account, even a temporary one, can effectively take complete control of the system.
I set up a CentOS 7 test server by following the installation scripts, and the documentation then instructed me to connect to the system through an SSH tunnel. So if the default sshd configuration is kept, any user who can SSH into the server to reach the product can also edit /etc/environment and, through it, the environment of every later login, including root’s.
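As an added example (my own code, not from this post, NoMagic or 3DS), here is a small POSIX shell script that covers both the /etc/environment explanation above and the exploitability discussion: it reports whether a file carries the group or world write bits that the documented `chmod 777` leaves behind, restores the expected 0644 mode, and lists entries such as PATH or LD_PRELOAD that are the obvious things to plant while the file is writable. The file path is a parameter, and the JAVA_HOME, LD_PRELOAD and PATH lines in the demonstration are constructed inputs, not taken from the NoMagic installation scripts.

```sh
#!/bin/sh
# Added example (not from the original post or from NoMagic/3DS):
# audit and harden the permissions of an /etc/environment-style file, and
# flag entries an attacker would plant once the file was world-writable.
# The path is a parameter so the functions can be run against a scratch copy;
# nothing here is specific to Teamwork Server.

# What the documentation told installers to run, and what they should run
# instead (edit as root, leave the default 0644 mode in place):
#   vulnerable:  chmod 777 /etc/environment
#   hardened:    echo 'JAVA_HOME=/opt/jdk' | sudo tee -a /etc/environment >/dev/null
#                sudo chmod 0644 /etc/environment

# Print the permission bits of a file in octal (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when neither group nor others can write the file, 1 otherwise.
# pam_env reads this file at every login, so group/world write access means
# any local account can set PATH (and friends) for root's next session.
env_file_is_safe() {
    mode=$(file_mode "$1") || return 1
    mode=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')   # last three octal digits
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]   # write bit is 2
}

# Restore the expected state: mode 0644, and root-owned when we are root.
harden_env_file() {
    chmod 0644 "$1" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$1" || return 1
    fi
}

# Print lines that set variables the dynamic loader or shells trust.
# Exit status follows grep: 0 if any matched, 1 if the file looks clean.
# Useful after the fact: if the file sat at 777 for months, check what got in.
tampered_env_vars() {
    grep -E '^[[:space:]]*(PATH|LD_PRELOAD|LD_LIBRARY_PATH|LD_AUDIT)=' "$1"
}

# Demonstration on a scratch copy (constructed input, not a real server).
demo() {
    tmp=$(mktemp) || return 1
    printf 'JAVA_HOME=/opt/jdk\n' > "$tmp"
    chmod 777 "$tmp"                                    # reproduce the install step
    env_file_is_safe "$tmp" || echo "before: $tmp is group/world writable ($(file_mode "$tmp"))"
    harden_env_file "$tmp"
    env_file_is_safe "$tmp" && echo "after:  $tmp is mode $(file_mode "$tmp")"
    printf 'LD_PRELOAD=/tmp/x.so\n' >> "$tmp"           # what an attacker might have added
    tampered_env_vars "$tmp" && echo "tampered entries found"
    rm -f "$tmp"
}
demo
```

Running `env_file_is_safe /etc/environment` and `tampered_env_vars /etc/environment` on a host that followed the documented installation gives a quick answer to both questions a responder cares about: is the file still writable, and did anyone use the window.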
Although it might appear that this local privilege escalation exploit is not that important…
I encourage you to ask yourself:
What could possibly be stored on the self-hosted modelling version control system used by pretty much all of the world’s largest aeronautical and defense engineering teams?
I think I know, and it would be on par with:
Maybe half a decade’s worth of top secret and highly confidential designs, plans, and business process models?