Talos IntelligenceTALOS-2017-0315Information Builders WebFOCUS Business Intelligence Portal Command Execution Vulnerability
9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
39.8%
Summary
An exploitable command execution vulnerability exists in Information Builders WebFOCUS Business Intelligence Portal 8.1 . A specially crafted web parameter can cause a command injection. An authenticated attacker can send a crafted web request to trigger this vulnerability.
Tested Versions
Information Builders WebFOCUS Business Intelligence Portal 8.1
Product URLs
<http://www.informationbuilders.com/products/intelligence>
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-77 - Improper Neutralization of Special Elements used in a Command (βCommand Injectionβ)
Details
WebFOCUS Business Intelligence Portal 8.1 was found to be vulnerable to an authenticated WebFOCUS code injection attack that resulted in arbitrary command execution on the underlying OS of the host system with the same privileges as those of the web server running the BI portal. To exploit this vulnerability, successful login with a valid user account is required, which has the necessary privileges to access the WebFOCUS Business Intelligence Portal dashboard. Code injection is achieved on the following URL: /ibi_apps/WFServlet
The injection happens on one of the dynamic URL parameters used on this specific URL, a parameter that is directly used within a WebFOCUS language query, which is used by the application to generate dynamic reports. By successfully injecting WebFOCUS code on this URL parameter while properly completing the expected syntax, an attacker can leverage the β! β statement of WebFOCUS which allows for system commands to be executed via the reporting module code. Successfully exploiting this vulnerability results in arbitrary command execution on the underlying Operating System, which in turn can result in full system compromise depending on the level of access the web server is running with.
Mitigation
Restrict access to known, trusted users and hosts.
Timeline
2016-10-31 - Vendor Disclosure
2016-12-20 - Final attempt to contact vendor after no response
2017-07-19 - Public Release
2019-07-09 - Vendor contaced Talos to let us know this behavior was fixed in version 8201 and above
Related
9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
39.8%