Lucene search

K
packetstormRyan WinceyPACKETSTORM:161571
HistoryFeb 26, 2021 - 12:00 a.m.

VisualWare MyConnection Server 11.x Remote Code Execution

2021-02-2600:00:00
Ryan Wincey
packetstormsecurity.com
332
`Document Title:  
  
===============  
  
VisualWare MyConnection Server 11.x Remote Code Execution Vulnerability  
  
  
  
  
  
References (Source):  
  
====================  
  
https://www.securifera.com/advisories/cve-2021-27198/  
  
https://myconnectionserver.visualware.com/download.html  
  
  
  
Release Date:  
  
=============  
  
2020-02-25  
  
  
  
Product & Service Introduction:  
  
===============================  
  
MCS tests, measures & reports the performance and health of any network  
connection, LAN or WAN. MCS is an access everywhere web based enterprise  
solution.  
  
  
  
  
  
Vulnerability Information:  
  
==============================  
  
Class: CWE-434: Unrestricted Upload of File with Dangerous Type  
  
Impact: Remote Code Execution  
  
Remotely Exploitable: Yes  
  
Locally Exploitable: Yes  
  
CVE Name: CVE-2021-27198  
  
  
  
Vulnerability Description:  
  
==============================  
  
An unauthenticated remote code execution vulnerability was discovered in  
Visualware MyConnection Server 11.0 through 11.0b build 5382. The web  
endpoint at "https://example.com/myspeed/sf" provides an unauthenticated  
user the ability to upload an arbitrary file to an arbitrary location via a  
specially crafted POST request. This application is written in Java and is  
thus cross-platform. The Windows installation executes the web server as  
SYSTEM which means that exploitation provides Administrator privileges on  
the target system.  
  
  
  
Vulnerability Disclosure Timeline:  
  
==================================  
  
2021-01-11: Contacted VisualWare About Issue via Website Contact Form  
  
2021-02-03: Emailed Multiple VisualWare POCs Requesting Disclosure  
Assistance  
  
2021-02-11: Requested CVE from MITRE for vulnerability  
  
2021-02-12: Messaged Lead VisualWare Developer on LinkedIn After Seeing They  
Had Looked At My Profile. I assume because of my attempts to contact them  
  
2021-02-18: Notified VisualWare About Issue Again via Website Contact Form  
And Notified Them I Would be Disclosing if they did not respond  
  
2021-02-25: Publicly releasing vulnerability because company refuses to  
respond to any attempts to coordinate disclsoure  
  
  
  
  
  
Affected Product(s):  
  
====================  
  
VisualWare MyConnection Server 11.0 through 11.0b build 5382  
  
  
  
Severity Level:  
  
===============  
  
High  
  
  
  
Proof of Concept (PoC):  
  
=======================  
  
A proof of concept will not be provided at this time.  
  
  
  
Solution - Fix & Patch:  
  
=======================  
  
None  
  
  
  
Security Risk:  
  
==============  
  
The security risk of this remote code execution vulnerability is estimated  
as high. (CVSS 10.0)  
  
  
  
Credits & Authors:  
  
==================  
  
Securifera, Inc - b0yd (@rwincey)  
  
  
  
Disclaimer & Information:  
  
=========================  
  
The information provided in this advisory is provided as it is without any  
warranty. Securifera disclaims all   
  
warranties, either expressed or implied,   
  
including the warranties of merchantability and capability for a particular  
purpose. Securifera is not liable in any   
  
case of damage,   
  
including direct, indirect, incidental, consequential loss of business  
profits or special damages, even if Securifera   
  
or its suppliers have been advised   
  
of the possibility of such damages. Some states do not allow the exclusion  
or limitation of liability for consequential   
  
or incidental damages so the foregoing   
  
limitation may not apply. We do not approve or encourage anybody to break  
any licenses, policies, or hack into any   
  
systems.  
  
  
  
Domains: www.securifera.com  
  
Contact: contact [at] securifera [dot] com  
  
Social: twitter.com/securifera  
  
  
  
Copyright C 2021 | Securifera, Inc  
  
  
  
`
Related for PACKETSTORM:161571