Authored by Rizal Muhammed

Wipro Holmes Orchestrator version 20.4.1 allows unauthenticated re-downloading of priorly exported reports in Excel.

advisories | CVE-2021-38147

# Exploit Title: Wipro Holmes Orchestrator 20.4.1 Unauthenticated Excel Report Download
# Date: 09/08/2021
# Exploit Author: Rizal Muhammed @ub3rsick
# Vendor Homepage: https://www.wipro.com/holmes/
# Version: 20.4.1
# Tested on: Windows 10 x64
# CVE : CVE-2021-38147

In the Wipro Holmes Orchestrator 20.4.1 application, if at some point some user has exported any of the Reports as excel, these files remain in the server. When an unauthenticated user attempts to access any of the below endpoints such files are downloaded. Details of the vulnerable endpoints and the information exposed by the reports from these endpoints are provided below.

User Report:-
API: http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/User_Report_Excel
Exposed Information: Username, Email, Role, First Name, Last Name, User Level and User Domain of different users.

Domain Credentials Report:-
API: http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/Domain_Credential_Report_Excel
Exposed Information: Domain Credential Names, Type, Domain Names

Other Endpoints:-
http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/Process_Report_Excel
http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/Infrastructure_Report_Excel
http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/Resolver_Report_Excel