Security Advisories for Omnis Studio!! - Do we need an Omnis Studio bug bounty program?

Andrew McVeigh surfway at bigpond.com
Fri Aug 4 07:20:12 UTC 2023 

Any news on the blacking out of screens when clicking on button areas?

As per the sample library I sent you

Andrew McVeigh
Surfway Real Solutions
Phone 02 44412679 Mobile 0418428016
www.surfway.com.au
www.berrarabeach.com.au


 <http://www.surfway.com.au/>
 <http://www.surfway.com.au/>
> On 31 Jul 2023, at 7:07 am, Vik Shah <OmnisList at Keys2Solutions.com.au> wrote:
> 
> Heya listers…
> 
> Recently I got multiple alerts and security advisories for Omnis Studio.  
> 
> My brain took about 5 minutes to register that… while my face did the meme...   Wait… What…!?!?  [just in case —> https://imgflip.com/i/3noe3u]  😅
> My first thought… 
> *** OMG...! We are famous! ***  (I think that’s from a movie or a TV show where something bad had happened, yet they were happy because it put them on the news…) 😂
> 
> Hold on to your chairs ppl…. I bring you NOT one … … but TWO vulnerabilities!
> 
> The vulnerabilities are classified as follows…
> Risk level — Low
> Vulnerability Type — Expected Behaviour Violation (CWE-440). 
> 
> Both the vulnerabilities are published by Matthias Deeg, a German Cyber Security and Pen-testing firm SySS GmbH [https://www.syss.de/].
> 
> The two reports are…
> 1. CVE-2023-38335 - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-005.txt  
> 2. CVE-2023-38334 - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-006.txt  
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Vulnerability Details:
> 
> Omnis Studio supports an irreversible feature for locking classes within Omnis libraries.
> 
> According to the Omnis Studio software, it should be no longer possible to delete, view, change, copy, rename, duplicate, or print a locked class.
> 
> However, during a security analysis of an application developed with Omnis Studio using this feature, Matthias Deeg found out that it is possible to unlock previously locked classes of Omnis libraries, for instance by simply bypassing specific checks in Omnis Studio.
> 
> This allows for further analyzing and also deleting, viewing, changing, copying, renaming, duplicating, or printing previously locked Omnis classes.
> 
> This violates the expected behavior of an "irreversible operation".
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Proof of Concept (PoC):
> 
> For demonstrating the described security issue, Matthias Deeg developed a proof-of-concept software tool which allows unlocking locked classes within Omnis libraries and further analyzing and modifying them within Omnis Studio.
> 
>> OmnisUnlocker.exe
>                _____________________________________________________________
>               /    _____       _____ _____                                  \
>              /    /  ___|     /  ___/  ___|                                  \
>             |     \ `--. _   _\ `--.\ `--.                                    |
>             |      `--. \ | | |`--. \`--. \                                   |
>             |     /\__/ / |_| /\__/ /\__/ /                                   |
>              \    \____/ \__, \____/\____/   ... unlocks Omnis Studio!       /
>               \          __/ |                                              /
>               /         |___/    __________________________________________/
>              / _________________/
>        (__) /_/
>        (oo)
>  /------\/
> / |____||
> *  ||   ||
>   ^^   ^^
> SySS Omnis Unlocker v1.0 by Matthias Deeg <matthias.deeg at syss.de> - (c) 2023
> 
> [+] The Omnis Studio process was patched successfully.
>    Now you can:
>        * load private Omnis libraries in the browser, and
>        * analyze locked classes.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Solution:
> SySS GmbH is not aware of a solution for the described security issue.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> The bug even has a PoC (not available publicly OR NOT published in the open) and a YouTube Video youtube.com/watch?v=lkdKV4imSbE <http://youtube.com/watch?v=lkdKV4imSbE>  
> 
> 
> Final thoughts…
> I love the fact that Omnis Studio is gaining visibility/popularity and this leads to me thinking would it be the right time for Omnis to start an Omnis Studio bug bounty program?!? 
> 
> This will help Omnis gain transparency and also encourage engagement and invite people to download Omnis Studio, use it, study it and publish their findings.
> 
> Are we (or should we be) ready for this?!? I know I am... and I love this… =) 
> 
> Vik Shah
> Keys2Solutions 
> m: +61 411 493 495
> 
> _____________________________________________________________
> Manage your list subscriptions at https://lists.omnis-dev.com
> Start a new message -> mailto:omnisdev-en at lists.omnis-dev.com

More information about the omnisdev-en mailing list