One Article Review

Source: Code White
Identifier: 3405025
Publication date: 2021-09-21 10:44:47 (seen: 2021-09-21 09:08:04)
Title: RCE in Citrix ShareFile Storage Zones Controller (CVE-2021-22941) – A Walk-Through
Text: Citrix ShareFile Storage Zones Controller uses a fork of the third-party library NeatUpload. Versions before 5.11.20 are affected by a relative path traversal vulnerability (CTX328123/CVE-2021-22941) when processing upload requests. This can be exploited by unauthenticated users to gain Remote Code Execution. Come and join us on a walk-through of finding and exploiting this vulnerability.

Background

Part of our activities here at Code White is to monitor what vulnerabilities are published. These are then assessed to determine their criticality and exploitation potential. Depending on that, we inform our clients about affected systems and may also develop exploits for our offensive arsenal.

In April, Citrix published an advisory that addresses three vulnerabilities in ShareFile Storage Zones Controller (from here on just "ShareFile"). In contrast to a previous patch in the same product, there were no lightweight patches available that could have been analysed quickly. Instead, only full installation packages were available. So we downloaded StorageCenter_5.11.18.msi to have a look at it.

The Travelogue

A first glance at the files contained in the .msi file revealed the third-party library NeatUpload.dll. We knew that the latest version contains a Padding Oracle vulnerability, and since the NeatUpload.dll file had the same .NET file version number as ShareFile (i.e., 5.11.18), chances were that somebody had reported that very vulnerability to Citrix. After installing version 5.11.18 of ShareFile, attaching to the w3wp.exe process with dnSpy and opening NeatUpload.dll, we noticed that the handler class Brettle.Web.NeatUpload.UploadStateStoreHandler was missing. So it must either have been removed by Citrix, or they used an older version. Judging by the other classes in the library, the version used by ShareFile appeared to share similarities with NeatUpload 1.2 available on GitHub. So, not a quick win after all?

As we did not find a previous version of ShareFile such as 5.11.17 that we could diff against 5.11.18, we decided to look for something in 5.11.18 itself.

Finding A Path From Sink To Source

Since NeatUpload is a file upload handling library, our first attempts focused on analysing its file handling. Here FileStream was a good candidate to start with. By analysing where that class gets instantiated, the first result already pointed directly to a method in NeatUpload, Brettle.Web.NeatUpload.UploadContext.WritePersistFile(). Here a file gets written with something that appears to be some kind of metrics of an upload request:

By following the call hierarchy, one eventually ends up in Brettle.Web.NeatUpload.UploadHttpModule.Init(HttpApplication), which is the initialization method for System.Web.IHttpModule:
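The excerpt describes the bug class (a relative path traversal reached from an upload request) and the sink it was traced to (a FileStream write in WritePersistFile). As an added illustration, not code from NeatUpload, ShareFile or the Code White article, and not the fix Citrix shipped, the following C# shows the containment check a defender would want in front of any file write whose name originates in a request: reject multi-segment names outright, canonicalize both the storage root and the candidate, and only then compare. The class name `SafePersistPath`, the method `Resolve` and the sample names are assumptions made for this example; the case-insensitive comparison assumes a Windows/IIS host, as in the article.

```csharp
using System;
using System.IO;

// Added example (hypothetical names, not NeatUpload/ShareFile code): keep a file
// name that originates in an upload request from escaping a fixed storage directory.
public static class SafePersistPath
{
    // Returns the full path of `untrustedName` under `rootDir`, or null when the
    // name must be rejected. A persisted per-upload state file should be a single
    // path segment, so anything else is refused before path resolution happens.
    public static string Resolve(string rootDir, string untrustedName)
    {
        if (string.IsNullOrWhiteSpace(untrustedName)) return null;

        // Reject separators, drive letters and NTFS alternate-stream syntax ("name:stream").
        if (untrustedName.IndexOfAny(new[] { '/', '\\', ':' }) >= 0) return null;
        if (Path.IsPathRooted(untrustedName)) return null;

        // Canonicalize the root (with a trailing separator, so "persist-demo2" does not
        // count as being inside "persist-demo") and the candidate, collapsing "..".
        string root = Path.GetFullPath(rootDir)
                          .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, untrustedName));

        // Windows/IIS assumption: NTFS paths compare case-insensitively.
        return candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? candidate : null;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "persist-demo");

        // Constructed sample names: one legitimate state file, then names that try to
        // leave the root via "..", a forward-slash segment, a rooted path, and a bare "..".
        string[] samples =
        {
            "upload-1234.state",
            "..\\..\\outside.txt",
            "../outside.txt",
            "C:\\outside.txt",
            "..",
        };

        foreach (string name in samples)
        {
            Console.WriteLine($"{name,-22} -> {Resolve(root, name) ?? "REJECTED"}");
        }
    }
}
```

Only the first sample resolves; the others are refused either by the single-segment rule or, for the bare `..`, by the canonical-prefix comparison, which is the check that still holds when a name contains no separator but the resolved path nonetheless leaves the root.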
Sent: Yes
Tags: Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.