CVE-2021-42777: Exploiting Stimulsoft Reports 2013.1.160. Compilation Mode to Execute Arbitrary C# Code

CVE-2021-42777 is a significant vulnerability found in Stimulsoft Reports 2013.1.160. (also known as Stimulsoft), a reporting tool used by developers to build various reporting applications. This vulnerability allows an attacker to execute arbitrary C# code on any machine that renders a report, including the application server or a user's local machine. In this long-read post, we will discuss the details of this security flaw, demonstrate a code snippet, and provide links to the original references.

Exploit Details

Stimulsoft Reports 2013.1.160. is prone to a critical vulnerability when it operates in Compilation Mode. In this specific mode, an attacker can exploit the reporting engine to inject and execute malicious C# code on the target machine. This vulnerability, identified as CVE-2021-42777, allows for a considerable degree of unauthorized access to various types of systems using the affected software in Compilation Mode.

Code Snippet

The core of the vulnerability lies in the way Stimulsoft Reports processes and compiles report expressions. The malicious code can be embedded in a report expression as a C# expression. Here's an example of how an attacker might craft a report expression to start a new process like the calculator:

{C#: System.Diagnostics.Process.Start("calc.exe");}

Once the report containing this malicious expression is opened in the compilation mode, it would trigger the execution of the calculator application (calc.exe) on the target machine.

Original References

More information about this vulnerability is available from the original references published by the CVE database, as well as two separate advisories from different security experts:

- CVE Record: CVE-2021-42777
- Advisory 1: Stimulsoft Reports – Remote Code Execution (RCE)

These references delve deeper into the technical details behind the vulnerability and walk you through its history, disclosure process, and remediation steps.

Mitigation Strategies

The following are some of the recommended steps for mitigating the CVE-2021-42777 vulnerability in the affected software.

1. Update Stimulsoft Reports to a newer version that addresses the vulnerability. By staying up-to-date with the latest security patches, you can minimize the risk of exploiting this security flaw.

2. Disable the Compilation Mode if it is not required by your application since this is only applicable when using this specific mode. By disabling this mode, you can avoid the risk of attackers hijacking your application through report expressions.

3. Limit user access to the reporting engine and restrict the use of untrusted third-party reports. By following the principle of least privilege, you can limit the potential for unauthorized access to sensitive data or system resources.

Conclusion

CVE-2021-42777 is a serious vulnerability that affects users of Stimulsoft Reports 2013.1.160. in Compilation Mode. By understanding the potential risks and taking appropriate mitigation actions, you can ensure that your application is less vulnerable to exploitation. As always, staying up-to-date with security patches and following best security practices can go a long way in securing your application from known vulnerabilities and potential threats.

Timeline

Published on: 10/29/2022 17:15:00 UTC
Last modified on: 11/01/2022 18:41:00 UTC