Vulnerability in RiskNet Acquirer (TWSL2013-031)

Last week we released an advisory for a vulnerability discovered in the RiskNet Acquirer application. This software is a fraud management solution developed to protect major financial institutions including banks and payment processors.

RiskNet Acquirer is what we often refer to as a "thick client". This particular thick client communicated with exposed web services that in-turn interacted with a database on the backend. The communication with the web services utilised transport layer encryption. We used a tool called Echo Mirage to hook into the application and find out exactly what information is sent and received "under the hood" (inside of the encrypted tunnel) and to get a general picture of how things work together.

The thick client first sends a request to the web service authenticating the user, as one might expect as shown below:

POST /ApplicationServiceBean HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Host: WEBSERVER
Content-Length: 625
Expect: 100-continue
Connection: Keep-Alive

HTTP/1.1 100 Continue

http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd=" http://www.w3.org/2001/XMLSchema"> xmlns=" http://REMOVED/wsdl"> xmlns="">HASH USERNAME PASSWORD IP HOSTNAME 2820

http://schemas.xmlsoap.org/soap/envelope/"> xmlns:ns1=" http://REMOVED/wsdl"> GUID_VALUE;InactivePeriod =15;DBUser=DB_USER;DBPassword=DB_PASSWORD;UserID=USERNAME;Password_Expired=false;UserFlags=0;DATABASE=DATABASE_NAME;PORT=1433;SERVER=DATABASE_SERVER;INSTANCENAME=;SSL=false>