Almost all major Internet service providers (ISPs) in Canada were impacted by a local file disclosure vulnerability in the SOLEO IP Relay service that was recently addressed.
Telecommunications relay services (TRSs) developed by Soleo Communications are IP relay services used by major Internet service providers (ISPs) in Canada.
The SOLEO IP Relay service is a cloud-based IP Relay service for telecommunications providers that allows people who are deaf, hard of hearing, or have a speech disorder to place calls through a TTY or other assistive telephone device.
According to Project Insecurity researcher Dominik Penner, the flaw ties the improper input sanitization and leads to the exposure of sensitive user information.
“This vulnerability exists due to the fact that there is improper sanitization on the
“page” GET parameter in servlet/IPRelay. A developer should always check for
dangerous characters in filenames. In this case, we were able to navigate our way
through the server and into the WEB-INF directory by using directory traversal
characters (../)” states the vulnerability report published by the researcher.
The impact of such vulnerability is severe, a foreign attacker can trigger the vulnerability to compromise over 30 million Canadian records.
An attacker can exploit the security vulnerability to determine the composition of the IPRelayApp directory and find the location of the source files on the IP Relay server and then download them.
The experts highlighted that WEB-INF directory is within the IPRelayApp directory, this means that they were able to load web.xml, a XML document that has a few mappings for Tomcat to understand where to pull certain files from.
“At this point, we wrote a nice little proof-of-concept to parse the web.xml file and
find the location of the source files.” continues the report.
“All of the following files can be downloaded by loading them from
WEB-INF/classes/*. ” “Once again, to confirm severity, we tried to load one of these
files. After loading this file into our text editor, it was evident that these classes had been compiled in Java bytecode. However, a determined attacker would easily be able to convert this directly back to source, compromising source code and other sensitive
An attacker accessing the source code could retrieve the passwords the servlet uses to communicate with other services could escalate his privileges on the server or use the information in other attacks.
“ An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack. The end result could be escalated to yield remote code execution, though we were not comfortable attempting to do this before getting in contact with the vendor” the researcher continues.
Penner discovered that at least ten of major Canadian ISPs were running the vulnerable Soleo IP Relay.
“To conclude this report, we have confirmed that a determined attacker (APT/foreign
entity) could leverage this vulnerability to steal passwords from configuration files
across multiple providers, compromise said providers using the stolen passwords,
and then potentially launch a large scale identity theft operation against Canadians.” concludes the report.
The expert reported the flaw to SOLEO on July 19 and it was patched on August 10.