Multiple Vulnerabilities in Passcom Leading to Unauthenticated RCE

We discussed this vulnerability during Episode 127 on 14 March 2022

A nice chain leading to unauthenticated RCE: a path traversal leading to server-side request forgery, used to hit the application's API from localhost and leak administrative credentials, then an unescaped argument in a privileged scheduled task for command injection.

Path Traversal - A fairly well-known attack against Tomcat servers: ..;/ will be normalized by Tomcat as ../, but reverse proxies like nginx will usually not see it as a traversal and pass it along unchanged. This can be used to reach endpoints that Tomcat is serving but that are not exposed through the reverse proxy.
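As an added illustration (not code from the original write-up) of the normalization mismatch behind the ..;/ trick: a simplified model of how Tomcat and a naive reverse proxy each resolve a request path, plus a check that flags access-log requests where the two disagree. The normalizers are approximations rather than either server's real code, and the log lines are constructed samples.

```python
def _resolve(segments):
    """Collapse '.' and '..' segments into a canonical absolute path."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def tomcat_style_normalize(path: str) -> str:
    # Model of Tomcat: the ';...' path parameter is dropped from every
    # segment before resolving, so '..;' becomes '..' and climbs a directory.
    return _resolve(seg.split(";", 1)[0] for seg in path.split("/"))


def naive_proxy_normalize(path: str) -> str:
    # Model of a proxy that only recognises a literal '..' segment and
    # forwards '..;' to the backend as an ordinary directory name.
    return _resolve(path.split("/"))


def is_normalization_mismatch(path: str) -> bool:
    """True when the backend resolves the request to a different resource
    than the proxy believes it is forwarding: the signature of this bypass."""
    return tomcat_style_normalize(path) != naive_proxy_normalize(path)


# Constructed nginx-style access log lines (not taken from the report).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2022:10:01:02 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.5 - - [14/Mar/2022:10:01:09 +0000] "GET /app/..;/getFavicon?host=127.0.0.1 HTTP/1.1" 200 88
10.0.0.5 - - [14/Mar/2022:10:01:15 +0000] "GET /app/../static/x.js HTTP/1.1" 404 0
"""


def flag_log(log_text: str) -> list:
    """Return the request paths in an access log that show the mismatch."""
    flagged = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]            # e.g. 'GET /x HTTP/1.1'
            path = request.split(" ")[1].split("?")[0]
        except IndexError:
            continue                                # not a request line
        if is_normalization_mismatch(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for p in flag_log(SAMPLE_LOG):
        print("suspicious path:", p)
```

A plain ../ traversal is not flagged, since both sides resolve it the same way; only segments the proxy forwards verbatim but the backend rewrites are reported.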

Server-Side Request Forgery - This was a previously known and reported issue in a third-party component. Normally the /getFavicon endpoint wouldn't be reachable, but the path traversal could be used to make requests to it. It does as the name indicates: it takes a host parameter and attempts to fetch its /favicon.ico. As host is entirely attacker controlled and not sanitized, it can be used to craft any URL.

Sensitive Information in Configuration - Requests to the application's REST API from localhost do not require authentication, so the prior SSRF could be used to request the /services/sysinfo/activeconfig endpoint, which contains a password for a privileged API user.

Command Injection - Finally, with a privileged API user, the scheduled task functionality could be reached. One of the tasks, task050380, takes two parameters, a tar file and a target directory, and extracts the tar file. There is an optional parameter, $deleteOutDir, which will first delete the files inside the output directory:

$this->execute('rm -rf ' . realpath($targetdir) . '/*');

In this case, as the path is not escaped in this rm call, additional commands can be injected using shell expansions like $(id), though it does need to be a directory name that can be created, since realpath() only resolves a path that exists.