This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials. If no credentials are provided, the module will generate a random one. The new user credentials will be added as an identity in Impact.
This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials. If no credentials are provided, the module will generate a random one. The new user credentials will be added as an identity in Impact.
This module chains 2 vulnerabilities to deploy an agent in the target system that will run with NT AUTHORITY\\SYSTEM user privileges. The first vulnerability is an authentication bypass present in the doLogin function of the com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl class. The second vulnerability is an authenticated path traversal file upload present in the doPost method of the com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet class. This module will use the first vulnerability to authenticate against the target application using a POST HTTP request to the /management/wizardLogin endpoint, providing a random username and no password parameter. Then, it will use the second vulnerability to upload a JSP file to the Program Files/Arcserve/Unified Data Protection/Management/TOMCAT/webapps/management directory. Finally, it will deploy an agent using a GET HTTP request to the uploaded JSP file inside the /management endpoint.
This module chains 2 vulnerabilities to deploy an agent in the target system that will run with NT AUTHORITY\\SYSTEM user privileges. The first vulnerability is an authentication bypass present in the doLogin function of the com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl class. The second vulnerability is an authenticated path traversal file upload present in the doPost method of the com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet class. This module will use the first vulnerability to authenticate against the target application using a POST HTTP request to the /management/wizardLogin endpoint, providing a random username and no password parameter. Then, it will use the second vulnerability to upload a JSP file to the Program Files/Arcserve/Unified Data Protection/Management/TOMCAT/webapps/management directory. Finally, it will deploy an agent using a GET HTTP request to the uploaded JSP file inside the /management endpoint.
This module chains 2 vulnerabilities to deploy an agent in Progress Telerik Report Server that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in Telerik.ReportServer.Web.Controllers.StartupController.Register class. The second vulnerability a .NET deserialization vulnerability in Telerik.Reporting.XmlSerialization.XmlSerializer class. This module will use first vulnerability to create a random user with "System Administrator" role against the "/Startup/Register" endpoint and then login into the application. Then, a report with our payload will be uploaded via the "/api/reportserver/report" endpoint. Finally, the second vulnerability will be used to deploy an agent using the "/api/reports/clients" and "/api/reports/clients/clientID/parameters" endpoints. The deployed agent will run with the privileges of the "w3wp" process (TelerikReportServer instance - NT AUTHORITY\\SYSTEM).
This module chains 2 vulnerabilities to deploy an agent in Progress Telerik Report Server that will run with root user privileges. The first vulnerability is an authentication bypass vulnerability present in Telerik.ReportServer.Web.Controllers.StartupController.Register class. The second vulnerability a .NET deserialization vulnerability in Telerik.Reporting.XmlSerialization.XmlSerializer class. This module will use first vulnerability to create a random user with "System Administrator" role against the "/Startup/Register" endpoint and then login into the application. Then, a report with our payload will be uploaded via the "/api/reportserver/report" endpoint. Finally, the second vulnerability will be used to deploy an agent using the "/api/reports/clients" and "/api/reports/clients/clientID/parameters" endpoints. The deployed agent will run with the privileges of the "w3wp" process (TelerikReportServer instance - NT AUTHORITY\\SYSTEM).
This module exploits an OS Command Injection to deploy an agent in Jetbrains TeamCity. The vulnerability is in the handleRequestInternal method of the BaseController class which allows bypass of authentication in HTTP requests with a path that return a 404 response and that contain an HTTP parameter named jsp. The path must end with the ".jsp" string and cannot contain the "admin/" string.
This module exploits an OS Command Injection to deploy an agent in Jetbrains TeamCity. The vulnerability is in the handleRequestInternal method of the BaseController class which allows bypass of authentication in HTTP requests with a path that return a 404 response and that contain an HTTP parameter named jsp. The path must end with the ".jsp" string and cannot contain the "admin/" string.
Subscribe to Authentication Weakness