lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <023801d70b78$cc9a3c00$65ceb400$@securifera.com>
Date: Thu, 25 Feb 2021 08:19:06 -0500
From: "Ryan Wincey" <contact@...urifera.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] VisualWare MyConnection Server 11.x Remote Code Execution
	Vulnerability

Document Title:

===============

VisualWare MyConnection Server 11.x Remote Code Execution Vulnerability

 

 

References (Source):

====================

https://www.securifera.com/advisories/cve-2021-27198/

https://myconnectionserver.visualware.com/download.html

 

Release Date:

=============

2020-02-25

 

Product & Service Introduction:

===============================

MCS tests, measures & reports the performance and health of any network
connection, LAN or WAN. MCS is an access everywhere web based enterprise
solution.

 

 

Vulnerability Information:

==============================

Class: CWE-434: Unrestricted Upload of File with Dangerous Type

Impact: Remote Code Execution

Remotely Exploitable: Yes

Locally Exploitable: Yes

CVE Name: CVE-2021-27198

 

Vulnerability Description:

==============================

An unauthenticated remote code execution vulnerability was discovered in
Visualware MyConnection Server 11.0 through 11.0b build 5382. The web
endpoint at "https://example.com/myspeed/sf" provides an unauthenticated
user the ability to upload an arbitrary file to an arbitrary location via a
specially crafted POST request. This application is written in Java and is
thus cross-platform. The Windows installation executes the web server as
SYSTEM which means that exploitation provides Administrator privileges on
the target system.

 

Vulnerability Disclosure Timeline:

==================================

2021-01-11: Contacted VisualWare About Issue via Website Contact Form

2021-02-03: Emailed Multiple VisualWare POCs Requesting Disclosure
Assistance

2021-02-11: Requested CVE from MITRE for vulnerability

2021-02-12: Messaged Lead VisualWare Developer on LinkedIn After Seeing They
Had Looked At My Profile. I assume because of my attempts to contact them

2021-02-18: Notified VisualWare About Issue Again via Website Contact Form
And Notified Them I Would be Disclosing if they did not respond

2021-02-25: Publicly releasing vulnerability because company refuses to
respond to any attempts to coordinate disclsoure

 

 

Affected Product(s):

====================

VisualWare MyConnection Server 11.0 through 11.0b build 5382

 

Severity Level:

===============

High

 

Proof of Concept (PoC):

=======================

A proof of concept will not be provided at this time.

 

Solution - Fix & Patch:

=======================

None

 

Security Risk:

==============

The security risk of this remote code execution vulnerability is estimated
as high. (CVSS 10.0)

 

Credits & Authors:

==================

Securifera, Inc - b0yd (@rwincey)

 

Disclaimer & Information:

=========================

The information provided in this advisory is provided as it is without any
warranty. Securifera disclaims all 

warranties, either expressed or implied, 

including the warranties of merchantability and capability for a particular
purpose. Securifera is not liable in any 

case of damage, 

including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Securifera 

or its suppliers have been advised 

of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential 

or incidental damages so the foregoing 

limitation may not apply. We do not approve or encourage anybody to break
any licenses, policies, or hack into any 

systems.

 

Domains: www.securifera.com

Contact: contact [at] securifera [dot] com

Social: twitter.com/securifera

 

Copyright C 2021 | Securifera, Inc


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ