DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2024-99999: AssetOrchestrator Pro: From Log File to Full Pwnage via Path Traversal


Vulnerability ID: CVE-2024-99999
CVSS Score: 9.8
Published: 2023-12-21

A critical path traversal vulnerability exists in the log file download functionality of AssetOrchestrator Pro, an enterprise-grade asset management platform. The vulnerability, located in the /api/downloadLogs endpoint, fails to properly sanitize user-supplied filenames. This allows a low-privileged authenticated attacker to traverse the filesystem and read arbitrary files. By chaining this file read capability with the application's plugin upload mechanism, an attacker can achieve unauthenticated remote code execution, leading to a complete compromise of the underlying server.

TL;DR

A path traversal vulnerability in AssetOrchestrator Pro's log download feature allows any authenticated user to read arbitrary files from the server, including sensitive configuration files. This information leak can be leveraged to discover the path to the web application's plugin directory, enabling an attacker to upload a malicious webshell and gain full remote code execution.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-22
  • CWE Name: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • CVSS v3.1 Score: 9.8 (Critical)
  • Exploit Status: Active Exploitation
  • CISA KEV: Yes

Affected Systems

  • AssetOrchestrator Pro: versions earlier than 3.1.4 (fixed in 3.1.4)

Code Analysis

Commit: 8a4f2b9

CRITICAL: Fix path traversal in LogDownloadController

Addresses CVE-2024-99999. The previous implementation was vulnerable to directory traversal attacks by not sanitizing the 'filename' parameter. This commit refactors the file handling logic to use java.nio.Path for resolving paths and explicitly checks that the final resolved path is within the designated log directory before serving the file. This prevents attackers from accessing arbitrary files on the filesystem.

--- a/src/main/java/com/orchestrate/LogDownloadController.java
+++ b/src/main/java/com/orchestrate/LogDownloadController.java
@@ -5,17 +5,24 @@
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import java.nio.file.Path;
+import java.nio.file.Paths;

 @RestController
 public class LogDownloadController {

     @GetMapping("/api/downloadLogs")
-    public void downloadLogFile(@RequestParam String filename, HttpServletResponse response) {
-        String logDirectory = "/var/logs/asset-orchestrator/";
-        File file = new File(logDirectory + filename);
-
-        if (file.exists() && !file.isDirectory()) {
-            // Stream the file back to the user.
-        }
+    public void downloadLogFile(@RequestParam String filename, HttpServletResponse response) throws IOException {
+        Path logDirectory = Paths.get("/var/logs/asset-orchestrator/").toAbsolutePath();
+        Path requestedFile = logDirectory.resolve(filename).toAbsolutePath();
+
+        if (!requestedFile.startsWith(logDirectory)) {
+            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid filename");
+            return;
+        }
+
+        File file = requestedFile.toFile();
+        if (file.exists() && !file.isDirectory()) {
+            // ... (code to stream file) ...
+        } 
     }
 }
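Review bot: the containment check in `downloadLogFile` runs `requestedFile.startsWith(logDirectory)` on a path that was never normalized, so `..` segments are still present when the comparison happens: `logDirectory.resolve("../../x").toAbsolutePath()` still begins with the elements `/var/logs/asset-orchestrator` and passes the check, which defeats the purpose of the patch. Call `normalize()` before comparing, e.g. `Path requestedFile = logDirectory.resolve(filename).normalize();` (with `logDirectory` normalized the same way), and consider `toRealPath()` if symlinks inside the log directory are a concern. Also, the method now declares `throws IOException`, but no `java.io.IOException` import appears in this hunk; confirm it exists above the hunk's context.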
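As an added example (not the project's code or the commit above), a containment helper that performs the patched check with the normalization step included, plus a small driver showing which filenames it accepts and rejects; the log directory is the one hard-coded in the controller, while the class and method names are hypothetical:

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class LogPathGuard {
    // Same log root the controller hard-codes, normalized once up front.
    private static final Path LOG_DIR =
            Paths.get("/var/logs/asset-orchestrator/").toAbsolutePath().normalize();

    // Resolves a user-supplied filename against LOG_DIR and returns the result only
    // if it stays inside LOG_DIR, otherwise null. normalize() collapses "." and ".."
    // segments BEFORE the containment check; without it, LOG_DIR/../../x still begins
    // with LOG_DIR's path elements and would slip past startsWith().
    public static Path safeResolve(String filename) {
        if (filename == null || filename.isEmpty()) return null;
        Path candidate = LOG_DIR.resolve(filename).normalize();
        // startsWith compares whole path elements, not string prefixes, so a sibling
        // directory such as /var/logs/asset-orchestrator-old is rejected as well.
        if (!candidate.startsWith(LOG_DIR) || candidate.equals(LOG_DIR)) return null;
        // If symlinks inside the log directory are a concern, additionally compare
        // candidate.toRealPath() with LOG_DIR.toRealPath() once the file is known to exist.
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate names followed by three traversal attempts.
        List<String> inputs = List.of(
                "app-2023-12-21.log",
                "archive/app-2023-12-20.log",
                "../../x",
                "/x",
                "archive/../../x");
        for (String input : inputs) {
            Path resolved = safeResolve(input);
            System.out.printf("%-28s -> %s%n", input, resolved == null ? "REJECTED" : resolved);
        }
    }
}
```

Only the first two inputs print a resolved path; the absolute filename is rejected because `Path.resolve` returns an absolute argument unchanged, and the two `..` forms are rejected because normalization moves them outside `LOG_DIR`.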

Exploit Details

  • GitHub: A proof-of-concept script that demonstrates the path traversal and provides a framework for chaining it with the plugin upload for RCE.
  • Metasploit Framework: An exploit module for Metasploit that automates the entire attack chain from authentication to gaining a Meterpreter shell.

Mitigation Strategies

  • Upgrade to the latest patched version of AssetOrchestrator Pro (3.1.4 or later) immediately.
  • If immediate patching is not possible, deploy a Web Application Firewall (WAF) with strict rules to block path traversal patterns (e.g., ../, %2e%2e%2f) in the filename parameter of the /api/downloadLogs endpoint.
  • Restrict network access to the AssetOrchestrator Pro management interface to only trusted administrators and networks.
  • Regularly review application logs for any suspicious requests targeting the /api/downloadLogs endpoint, looking for patterns indicative of traversal attempts.
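The log review suggested above, as an added example rather than a tool from the vendor or the report: it scans access-log lines for `/api/downloadLogs` requests, percent-decodes the `filename` parameter repeatedly so that `%2e%2e%2f` and double-encoded variants are seen as `../`, and flags traversal patterns. The log format and all sample lines are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TraversalLogScanner {
    // Request line of a downloadLogs call; group 1 is the raw query string.
    private static final Pattern REQUEST =
            Pattern.compile("\"(?:GET|POST) /api/downloadLogs\\?([^ \"]*)");
    private static final Pattern FILENAME = Pattern.compile("(?:^|&)filename=([^&]*)");
    // A ".." segment with either separator, or a filename anchored at the filesystem root.
    private static final Pattern TRAVERSAL =
            Pattern.compile("(?:^|[/\\\\])\\.\\.(?:[/\\\\]|$)|^[/\\\\]");
    // Percent-decodes until stable, so %2e%2e%2f and the double-encoded
    // %252e%252e%252f both end up as "../" before the pattern is applied.
    static String fullyDecode(String value) {
        String current = value;
        for (int round = 0; round < 3; round++) {
            String decoded;
            try { decoded = URLDecoder.decode(current, StandardCharsets.UTF_8); }
            catch (IllegalArgumentException malformed) { break; } // bad escape: keep what we have
            if (decoded.equals(current)) break;
            current = decoded;
        }
        return current;
    }
    // Returns the decoded filename when the line is a traversal attempt against
    // /api/downloadLogs, or null for any other line.
    static String suspiciousFilename(String accessLogLine) {
        Matcher request = REQUEST.matcher(accessLogLine);
        if (!request.find()) return null;
        Matcher filename = FILENAME.matcher(request.group(1));
        if (!filename.find()) return null;
        String decoded = fullyDecode(filename.group(1));
        return TRAVERSAL.matcher(decoded).find() ? decoded : null;
    }
    public static void main(String[] args) {
        // Constructed access-log lines, not taken from any real deployment.
        List<String> lines = List.of(
                "10.0.0.5 - alice [21/Dec/2023:10:01:02 +0000] \"GET /api/downloadLogs?filename=app-2023-12-21.log HTTP/1.1\" 200 5120",
                "10.0.0.9 - bob [21/Dec/2023:10:02:17 +0000] \"GET /api/downloadLogs?filename=..%2F..%2Fconf%2Fapp.properties HTTP/1.1\" 200 1843",
                "10.0.0.9 - bob [21/Dec/2023:10:02:31 +0000] \"GET /api/downloadLogs?filename=%252e%252e%252fconf%252fapp.properties HTTP/1.1\" 400 17");
        for (String line : lines) {
            String hit = suspiciousFilename(line);
            if (hit != null) System.out.println("ALERT traversal attempt, decoded filename: " + hit);
        }
    }
}
```

The first line is a legitimate download and produces no alert; the second and third are reported with the decoded filename `../../conf/app.properties` and `../conf/app.properties`, the third despite its double encoding.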

Remediation Steps:

  1. Immediately take a backup of your AssetOrchestrator Pro configuration and data.
  2. Download the official patch or upgrade package for version 3.1.4 from the vendor's website.
  3. Follow the vendor's documented upgrade procedure to install the new version.
  4. After the upgrade, verify that the application is running correctly.
  5. Review server files, particularly in web-accessible directories like /opt/asset-orchestrator/www/plugins/, for any unknown or suspicious files (e.g., .jsp, .php webshells) that may have been placed there prior to patching.
  6. Rotate all credentials and secrets stored on the server, including database passwords, API keys, and administrator passwords, as they may have been compromised.

Read the full report for CVE-2024-99999 on our website for more details including interactive diagrams and full exploit analysis.
