SSD Advisory – CloudByte ElastiStor OS Unauthenticated Remote Code Execution

Vulnerabilities Summary

The following advisory describes two vulnerabilities found in ElastiCenter,
ElastiStor’s management console, File Injection that leads to unauthenticated remote code execution.

ElastiCenter is the centralized management tool that you use to configure, monitor, manage, and deploy the services provided by CloudByte ElastiStor.
ElastiCenter lets you:

  • Use the Graphical User Interface to manage the storage environment
  • Generate statistical and configuration reports to help troubleshoot
  • Delegate administration tasks
  • Track events
  • Globally control various settings

CVE
CVE-2018-15675

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
CloudByte ElastiStor OS 2.1.0.1269

Vendor Response
After several attempts to email CloudByte, we couldn’t get any response from the vendor.

Vulnerability Details
ElastiCenter is vulnerable to unrestricted File Upload vulnerability found in “License” section and also in the image handling servlet. The purpose of the “License” is for administrative users to update the elasticenter license. Image handling servlet is responsible for image upload. Both sections have an upload functionality which could be accessed by unauthenticated remote attackers. Both sections allow to upload any file in any arbitrary location on the elasticenter host OS.

By uploading a JSP file to the server, an attacker can execute it in the server context (in this case “root” user).

PoC
The first poc Injects JSP web-shell through the image handling servlet:

Example run of poc1.py:

The second poc Injects JSP web-shell through the “License” section:

On some latest linux versions ( debian/kali 2.0) you may run into ssl issues:

In order to overcome this issue, run your favorite http proxy ( We use burpsuite on kali 2.0 )
Leave the defaults for burpsuit ( Listening on 127.0.0.1:8080 ), and set the proxy via the environment variables.



*** This is a Security Bloggers Network syndicated blog from SecuriTeam Blogs authored by SSD / Ori Nimron. Read the original post at: https://blogs.securiteam.com/index.php/archives/3737