VisualWare MyConnection Server 11.x Remote Code Execution

2021.02.28
Credit: Ryan Wincey
Risk: High
Local: No
Remote: Yes
CWE: CWE-434


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Document Title:
===============
VisualWare MyConnection Server 11.x Remote Code Execution Vulnerability

References (Source):
====================
https://www.securifera.com/advisories/cve-2021-27198/
https://myconnectionserver.visualware.com/download.html

Release Date:
=============
2020-02-25

Product & Service Introduction:
===============================
MCS tests, measures & reports the performance and health of any network connection, LAN or WAN. MCS is an access everywhere web based enterprise solution.

Vulnerability Information:
==============================
Class: CWE-434: Unrestricted Upload of File with Dangerous Type
Impact: Remote Code Execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2021-27198

Vulnerability Description:
==============================
An unauthenticated remote code execution vulnerability was discovered in Visualware MyConnection Server 11.0 through 11.0b build 5382. The web endpoint at "https://example.com/myspeed/sf" provides an unauthenticated user the ability to upload an arbitrary file to an arbitrary location via a specially crafted POST request. This application is written in Java and is thus cross-platform. The Windows installation executes the web server as SYSTEM, which means that exploitation provides Administrator privileges on the target system.

Vulnerability Disclosure Timeline:
==================================
2021-01-11: Contacted VisualWare About Issue via Website Contact Form
2021-02-03: Emailed Multiple VisualWare POCs Requesting Disclosure Assistance
2021-02-11: Requested CVE from MITRE for vulnerability
2021-02-12: Messaged Lead VisualWare Developer on LinkedIn After Seeing They Had Looked At My Profile. I assume because of my attempts to contact them
2021-02-18: Notified VisualWare About Issue Again via Website Contact Form And Notified Them I Would be Disclosing if they did not respond
2021-02-25: Publicly releasing vulnerability because company refuses to respond to any attempts to coordinate disclosure

Affected Product(s):
====================
VisualWare MyConnection Server 11.0 through 11.0b build 5382

Severity Level:
===============
High

Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.

Solution - Fix & Patch:
=======================
None

Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0)

Credits & Authors:
==================
Securifera, Inc - b0yd (@rwincey)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems.

Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social: twitter.com/securifera

Copyright C 2021 | Securifera, Inc
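The advisory describes the CWE-434 class generically: an upload handler that lets the client choose both the file type and the destination path. The following is an added illustration of the two controls such a handler needs, written for this page and not taken from VisualWare's code or the advisory; the upload directory, the extension allowlist and the sample names are constructed for the example.

```python
"""Hardened destination-path handling for a file-upload endpoint (CWE-434).

Added example, not the product's code. Two rules are enforced:
  1. Only the final path component sent by the client is used, so the
     file can never land outside the fixed upload directory.
  2. The file type must be on an allowlist; anything else is rejected.
"""
from pathlib import Path, PurePosixPath
from typing import Optional

# Constructed allowlist: data files the service legitimately accepts.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".png"}


def resolve_upload_target(base_dir: str, requested_name: str) -> Optional[Path]:
    """Return the absolute path the upload may be written to, or None.

    base_dir is the single directory uploads are confined to (constructed
    value in the tests below). requested_name is the untrusted filename
    from the request; directory parts in it are discarded, not honoured.
    """
    base = Path(base_dir).resolve()

    # Normalise separators, then keep only the last component.
    name = PurePosixPath(requested_name.replace("\\", "/")).name
    if not name or name in {".", ".."}:
        return None

    # Reject unlisted or missing extensions; executable content must
    # never be accepted by a data-upload endpoint.
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        return None

    target = (base / name).resolve()

    # Defence in depth: confirm the resolved path is still under base,
    # even if a future change to the code above reintroduces a directory part.
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


if __name__ == "__main__":
    uploads = "/srv/mcs/uploads"  # constructed upload directory
    for candidate in ("report.csv", "../../outside/notes.txt", "page.jsp", ""):
        print(repr(candidate), "->", resolve_upload_target(uploads, candidate))
```

The allowlist check on its own would still let a client write an allowed file type anywhere the server process can reach, which on the Windows installation described above is the SYSTEM account; the path confinement is what removes the "arbitrary location" half of the finding.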

