CVE-2019-20150

TreasuryXpress's data integration feature can be exploited to expose saved credentials.

TreasuryXpress is a SaaS (Software as a Service) company that offers treasury management and cash forecasting solutions.

A feature found within the TreasuryXpress web application (version 19191105) can be abused to expose saved SSH/SFTP credentials.

This feature is used to automate the integration of bank statements and other financial data from remote locations.

Using the editor functionality within the application, it is possible to change the configuration of any saved SSH/SFTP host. Opening the editor reveals the configuration options stored for each host. Options such as the username and directory are visible; the existing password is not displayed, which gives the impression that it cannot be recovered.

When saving changes in the editor, the existing password is not required, as the editor itself states:

“Leave the password field blank if you do not want to change your password.”

Editing an existing configuration, replacing the Host IP option with an attacker-controlled host and leaving the password field blank, then selecting the Check Connectivity option causes the application to authenticate to the new host using the stored password. Because SSH password authentication sends the password to the server in plaintext inside the encrypted channel, a server under the attacker's control receives the username and password belonging to the real SSH/SFTP host.

It was also noted that when an SSH/SFTP configuration is added, the Check Connectivity option must be used and must succeed. Any password exposed using this method is therefore likely to be valid.
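The following is an added example, not TreasuryXpress code, that models the editor behaviour described above beside a hardened variant. The class and constant names (HostConfig, Connector, VulnerableEditor, HardenedEditor, BANK_HOST, ATTACKER_HOST, BANK_PASSWORD) and the sample hosts and password are constructed for illustration; Connector stands in for the real SSH/SFTP client and only records which host was sent which credentials, so the leak can be observed offline.

```python
"""Model of the host-editor flaw described above, beside a hardened variant.

Added example, not TreasuryXpress code. All names, hosts and the password are
constructed. Connector stands in for the SSH/SFTP client and only records the
credentials it is asked to present to each host.
"""
from dataclasses import dataclass
from typing import Optional

BANK_HOST = "sftp.bank.example"   # constructed legitimate host
ATTACKER_HOST = "198.51.100.7"    # constructed attacker-controlled host
BANK_PASSWORD = "s3cret"          # constructed stored secret


@dataclass
class HostConfig:
    host: str
    username: str
    directory: str
    password: str                        # stored secret; never shown in the editor
    password_host: Optional[str] = None  # host the password is bound to (hardened variant)


class Connector:
    """Stand-in for the SSH/SFTP client: records every credential it is asked to present."""

    def __init__(self):
        self.attempts = []

    def connect(self, host, username, password):
        # With SSH password authentication the plaintext password is sent to the
        # server inside the encrypted channel, so whoever runs the server sees it.
        self.attempts.append((host, username, password))
        return host == BANK_HOST and password == BANK_PASSWORD


class VulnerableEditor:
    """Behaves as reported: a blank password keeps the old one, any host is accepted."""

    def __init__(self, cfg, connector):
        self.cfg, self.connector = cfg, connector

    def update(self, host=None, username=None, directory=None, password=""):
        if host is not None:
            self.cfg.host = host
        if username is not None:
            self.cfg.username = username
        if directory is not None:
            self.cfg.directory = directory
        if password:  # "Leave the password field blank if you do not want to change your password."
            self.cfg.password = password

    def check_connectivity(self):
        # Presents the stored password to whatever host is now configured.
        return self.connector.connect(self.cfg.host, self.cfg.username, self.cfg.password)


class HardenedEditor(VulnerableEditor):
    """Binds the stored password to the host it was entered for."""

    def __init__(self, cfg, connector):
        super().__init__(cfg, connector)
        if cfg.password_host is None:
            cfg.password_host = cfg.host

    def update(self, host=None, username=None, directory=None, password=""):
        host_changed = host is not None and host != self.cfg.host
        if host_changed and not password:
            raise PermissionError("changing the host requires the password to be re-entered")
        super().update(host, username, directory, password)
        if password:
            self.cfg.password_host = self.cfg.host  # the new secret belongs to the current host

    def check_connectivity(self):
        # Defence in depth: never present a password to a host it was not entered for.
        if self.cfg.password_host != self.cfg.host:
            raise PermissionError("stored password is bound to a different host")
        return super().check_connectivity()


def run_scenario(editor_cls, attacker_password=""):
    """Replay the report's steps; return the password the attacker host received, or None."""
    cfg = HostConfig(BANK_HOST, "bank_user", "/outbound", BANK_PASSWORD)
    connector = Connector()
    editor = editor_cls(cfg, connector)
    assert editor.check_connectivity()  # the legitimate configuration passed its check when added
    try:
        editor.update(host=ATTACKER_HOST, password=attacker_password)
        editor.check_connectivity()
    except PermissionError:
        pass
    seen = [pw for host, _, pw in connector.attempts if host == ATTACKER_HOST]
    return seen[-1] if seen else None


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableEditor))                  # s3cret
    print("hardened:", run_scenario(HardenedEditor))                      # None
    print("hardened, attacker's own password:", run_scenario(HardenedEditor, "guess"))  # guess
```

The hardened editor applies two rules: a host change submitted with a blank password field is refused, and the connectivity check refuses to present a password to any host other than the one it was entered for, so an attacker who does re-enter a password only ever sees their own input. In a real client the complementary control is host key pinning: store the server's host key alongside the credential and abort authentication when the configured host presents a different key, so a substituted host never reaches the password step.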

Although TreasuryXpress is primarily a SaaS solution, the TreasuryXpress website also lists an on-premise offering as a deployment option. If the affected version were deployed on-premise, the vulnerability could be exploited in the same way.

Posted by Sion Evans on August 20, 2020