Multiple Vulnerabilities in Passcom Leading to Unauthenticated RCE
A nice chain leading to unauthenticated RCE: a path traversal leading to server-side request forgery, used to hit the application's API from localhost and leak administrative credentials, then an unescaped argument in a privileged task for command injection.
Path Traversal - A fairly well-known attack against Tomcat servers where ..;/ will be normalized as ../ but reverse proxies like nginx will usually not see it as a traversal and pass it along. This can be used to hit endpoints that Tomcat is serving but that are not reachable through the reverse proxy.
Server-Side Request Forgery - This was a previously known and reported issue in a third-party component. Normally the /getFavicon endpoint wouldn't be reachable, but the path traversal could be used to make requests to it. It does as the name indicates: it takes a host parameter and attempts to fetch its /favicon.ico. As host is entirely attacker controlled and without sanitization, it can be used to craft any URL.
Sensitive Information in Configuration - Requests to the REST API for the application from localhost do not require authentication, so the prior SSRF could be used to make a request to the /services/sysinfo/activeconfig endpoint, which contains a password for a privileged API user.
Command Injection - Finally, with a privileged API user, the scheduled task functionality could be reached. One of the tasks, task050380, takes two parameters, a tar file and a target directory, and extracts the tar file. There is an optional parameter $deleteOutDir which will first delete files inside the output directory:
$this->execute('rm -rf ' . realpath($targetdir) . '/*');
In this case, as the path is not escaped in this rm call, additional commands can be injected using shell expansions like $(id), though it does need to be a directory name that can be created.
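A hardened replacement for that deletion step, written here as an added example rather than Passcom's own code: the directory is resolved, checked to sit under an assumed base directory, and cleared with PHP's own filesystem functions so no shell ever sees the name. The base-directory layout and the function names are assumptions for this example.

```php
<?php
// Added example (not from the Passcom code base). Replaces
//   $this->execute('rm -rf ' . realpath($targetdir) . '/*');
// with a version that never passes the path through a shell.
// $baseDir is an assumed configuration value for where task output may live.

function clearOutputDir(string $targetdir, string $baseDir): int
{
    $base = realpath($baseDir);
    $real = realpath($targetdir);
    if ($base === false || $real === false) {
        throw new InvalidArgumentException('target directory does not exist');
    }
    // Containment check: the resolved path must be the base dir or below it,
    // so a traversal or an unexpected mount point is rejected before any delete.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('target directory outside allowed base');
    }
    // Delete contents natively, children before parents. Because no shell is
    // involved, $(...) or backticks in a directory name are just characters.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    $removed = 0;
    foreach ($it as $entry) {
        // Symlinked directories are not recursed into; unlink the link itself.
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($entry->getPathname());
        } else {
            unlink($entry->getPathname());
        }
        $removed++;
    }
    return $removed;
}

// Minimal fix if the shell call must stay: quote only the path and leave the
// glob outside the quotes, so the shell still expands /* but not the name.
function shellSafeRmCommand(string $realTargetDir): string
{
    return 'rm -rf ' . escapeshellarg($realTargetDir) . '/*';
}
```

The containment check matters as much as the quoting: an attacker-chosen directory that resolves somewhere unexpected is still a destructive primitive even when every character is escaped.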