Attacker Value: Moderate (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Network

CVE-2023-28128

Disclosure Date: May 09, 2023

Description

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve remote code execution.

Technical Analysis

This vulnerability is associated with the Central FileStore, which is the default location for files that are used to update the devices managed by the Ivanti Avalanche server. The ZDI advisory mentions that the vulnerability is located in the FileStoreConfig app. In the patched version of the FileStoreConfigBean.class, there is an array of exclusion patterns that have three new patterns added to the list:

[Screenshot, 2023-05-10 11:36:33 AM: the exclusion pattern array in the patched FileStoreConfigBean.class, showing the three newly added patterns]

These three patterns follow the short MS-DOS (8.3) style naming convention on Windows. Further down, the exclusion pattern list is used to validate the configuration path for the Central FileStore, barring any paths that contain any of the exclusion patterns.

    public void validateFileStoreUncPath(FacesContext context, UIComponent component, Object value) throws ValidatorException {
        logger.trace("FileStoreConfigBean.validateFileStoreUncPath()");
        String uncPath = value.toString();
        if (!uncPath.isEmpty()) {
            // Normalise separators so the string checks below work for both UNC and DOS paths
            String testPath = uncPath.replace("\\", "/");
            String defaultPath = this.m_defaultunc.replace("\\", "/");
            if (testPath.indexOf("..") != -1) {
                throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR, BundleManager.getBundleString("inputError", "file_store_unc_path_parent"), (String)null));
            } else if (testPath.indexOf("./") == -1 && testPath.indexOf("/.") == -1) {
                if (testPath.endsWith("/")) {
                    throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR, BundleManager.getBundleString("inputError", "file_store_unc_path_trailer"), (String)null));
                } else {
                    Iterator var7 = this.m_exclusionPatterns.iterator(); // <----------- exclusion patterns applied here

                    while(var7.hasNext()) {
                        Pattern patt = (Pattern)var7.next();
                        Matcher matcher = patt.matcher(testPath);
                        if (matcher.find()) {
                            // A match is only tolerated when the path is the default CFS path itself
                            if (!testPath.equalsIgnoreCase(defaultPath)) {
                                logger.error(String.format("Filestore path '%s' is forbidden", uncPath));
                                throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR, BundleManager.getBundleString("inputError", "file_store_unc_path_forbidden"), (String)null));
                            }

                            logger.debug(String.format("Filestore path '%s' is forbidden but tolerated because it is the default CFS path", uncPath));
                        }
                    }

                    // The path must be either UNC (\\server\share) or a DOS drive path (X:\...)
                    boolean uncStart = uncPath.startsWith("\\");
                    boolean dosStart = uncPath.length() > 1 && uncPath.charAt(1) == ':' && Character.isLetter(uncPath.charAt(0));
                    if (!uncStart && !dosStart) {
                        throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR, BundleManager.getBundleString("inputError", "file_store_unc_path"), (String)null));
                    } else if (!this.isPathValid(uncPath)) {
                        throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR, BundleManager.getBundleString("inputError", "file_store_unc_path_syntax"), (String)null));
                    }
                }
            } else {
                throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR, BundleManager.getBundleString("inputError", "file_store_unc_path_current"), (String)null));
            }
        }
    }

Based on the patch, the vulnerability appears to be caused by the allowance of paths using the short MS-DOS style naming convention. The web root for Ivanti Avalanche is located in C:\Program Files\Wavelink\Avalanche\Web\webapps\AvalancheWeb. Because the webapps directory is in the exclusion list and is too short to have a short MS-DOS style name, an attacker can set the config path to C:\PROGRA~1\Wavelink\AVALAN~1\Web and expand / select the webapps and AvalancheWeb folders to upload a JSP file to the web root.
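The validator above, rewritten in Python as an added illustration (this is not Ivanti's code): the exclusion list contents are assumed, since the page only says the patch appended three 8.3-style patterns, so a single `webapps` pattern stands in for the pre-patch list and a generic `~N` component pattern stands in for the added ones; the `isPathValid()` syntax check is not reproduced. It shows that matching exclusion patterns against the raw string lets the short-name spelling of the web root through unless the short-name form itself is excluded.

```python
import re

# Assumed exclusion lists (the real ones are in the screenshot, not reproduced here).
# Matching is treated as case-insensitive, which is also an assumption.
PRE_PATCH_EXCLUSIONS = [re.compile(r"webapps", re.IGNORECASE)]
# Hardened list: the same, plus any 8.3 short-name component such as PROGRA~1 or
# AVALAN~1. This is broader than three fixed patterns and also rejects aliases of
# directories that were never listed, at the cost of refusing names like "Backup~2".
HARDENED_EXCLUSIONS = PRE_PATCH_EXCLUSIONS + [re.compile(r"~\d+")]


def validate_file_store_unc_path(unc_path, exclusions, default_unc=""):
    """Mirror of validateFileStoreUncPath(): returns None when the path is
    accepted, otherwise the bundle key of the error the Java method raises."""
    if not unc_path:
        return None  # the Java method skips empty input entirely
    test_path = unc_path.replace("\\", "/")
    default_path = default_unc.replace("\\", "/")
    if ".." in test_path:
        return "file_store_unc_path_parent"
    if "./" in test_path or "/." in test_path:
        return "file_store_unc_path_current"
    if test_path.endswith("/"):
        return "file_store_unc_path_trailer"
    for patt in exclusions:
        # A hit is tolerated only when the path is the default CFS path itself
        if patt.search(test_path) and test_path.lower() != default_path.lower():
            return "file_store_unc_path_forbidden"
    unc_start = unc_path.startswith("\\")
    dos_start = len(unc_path) > 1 and unc_path[1] == ":" and unc_path[0].isalpha()
    if not (unc_start or dos_start):
        return "file_store_unc_path"
    return None


def bypass_status(path):
    """Returns (pre_patch_result, hardened_result) for one candidate path."""
    return (validate_file_store_unc_path(path, PRE_PATCH_EXCLUSIONS),
            validate_file_store_unc_path(path, HARDENED_EXCLUSIONS))
```

For the short-name path quoted above, `bypass_status()` returns `(None, "file_store_unc_path_forbidden")`: accepted by the string match on the long-name list, rejected once short-name components are excluded.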

The application’s web.xml file includes a filter for the jsp extension, which prevents the uploaded payload from getting executed:

    <filter>
        <filter-name>WebShellFilter</filter-name>
        <filter-class>com.wavelink.amc.web.servlet.WebShellFilter</filter-class>
        <init-param>
            <param-name>forbiddenextensions</param-name>
            <param-value>.jsp</param-value>
        </init-param>
    </filter>

Despite this, Ivanti Avalanche is built with JavaServer Faces or JSF. Leveraging this, an attacker can upload a JSP payload and request payload_name.jsf, which will result in the default FacesServlet serving the JSP payload and bypassing the forbiddenextensions filter. Successfully exploiting this vulnerability will result in RCE as NT AUTHORITY\SYSTEM.

I’d rate this as a moderately valuable vulnerability. It results in elevated privileges from an easily exploitable remote vulnerability; however, the attacker would need to start with admin credentials. Getting admin privileges may or may not be easily obtainable given that there are also some auth bypasses in the software: 1, 2. Since the vulnerable component is the file store for pushing updates to a variety of devices, I’d still say that a patch should be prioritized.

CVSS V3 Severity and Metrics

Base Score: 7.2 High
Impact Score: 5.9
Exploitability Score: 1.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • ivanti

Products

  • avalanche
