Advisory

Insufficient path validation in XenMobile unzip API call allows attackers to write to arbitrary files and remotely execute code

Overview

A low-privileged authenticated attacker can unzip files uploaded to XenMobile's Tomcat server, in order to perform remote code execution.

Proof of concept

XenMobile provides an API to unzip files by posting to:

    /controlpoint/rest/application/mobile/process?fileName=file.zip

This, in combination with the unauthenticated file upload vulnerabilities described in dxw-2018-3564, allowed us to upload and unzip arbitrary files, leading to arbitrary code execution on the server.

    POST /controlpoint/rest/application/mobile/process?fileName=file.zip HTTP/1.1
    Host: xenmobile.example.com
    Referer: https://xenmobile.example.com/index_uc.html
    X-Requested-With: XMLHttpRequest
    Cookie: JSESSIONID=validsession

XenMobile does not check to see if the zip file contains relative paths. This meant the tester could write files to arbitrary locations on the server by crafting zip files containing relative paths. In this case, the zip file crafted by the tester was encoded to contain a file with the path:

    /../../sw/tomcat/inst1/webapps/ROOT/zdm/img/test9.jsp

test9.jsp contained code written by the attacker to allow us to run arbitrary commands on the server.

When XenMobile unzips this file, it creates test9.jsp within the web root of the Tomcat server, making it available to be executed via the web. The tester was then able to call it via HTTP from an external location, running arbitrary commands and viewing their output.
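
The missing check is the one that would have stopped this: every archive member name must be resolved against the extraction directory before anything is written, and the whole archive refused if any member lands outside it. The following is an added illustration, not XenMobile's or Citrix's code; the extraction directory, the benign member name and the sample archive are constructed for the demonstration (the traversal member only reuses the path pattern quoted above and carries placeholder text).

```python
import io
import os
import tempfile
import zipfile


def entry_escapes(dest: str, name: str) -> bool:
    """True if a zip member name would land outside dest once joined and normalised."""
    name = name.replace("\\", "/")  # treat backslashes as separators; ..\..\x.jsp must not slip past
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True  # absolute POSIX or drive-letter paths never belong in an uploaded archive
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))  # collapses every ../ segment before comparing
    return os.path.commonpath([root, target]) != root


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Member names that would write outside dest: log these, they are the attack signal."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [i.filename for i in archive.infolist() if entry_escapes(dest, i.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every member stays under dest; otherwise refuse the whole archive."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, members escape {dest}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        archive.extractall(dest)
        return archive.namelist()


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign member plus the ../ pattern the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("img/logo.txt", "harmless")
        zf.writestr("../../webapps/ROOT/zdm/img/test9.jsp", "placeholder text, not a payload")
    return buf.getvalue()


def run_demo() -> dict:
    """Feed the sample archive to safe_extract in a fresh temp dir and report what happened."""
    dest = tempfile.mkdtemp()  # stands in for the server-side upload directory
    data = build_sample_zip()
    outcome = {"flagged": unsafe_entries(data, dest)}
    try:
        safe_extract(data, dest)
        outcome["result"] = "extracted"
    except ValueError:
        outcome["result"] = "rejected"
    # All-or-nothing: the benign member must not have been written either
    outcome["benign_written"] = os.path.exists(os.path.join(dest, "img", "logo.txt"))
    return outcome
```

The check is done explicitly rather than trusting the archive library: Python's extractall happens to strip `..` components, but java.util.zip, which a Tomcat application would use, hands entry names to the caller unchanged.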

Mitigation/further actions

  1. Change the directory permissions on Tomcat, making it unable to write files within the web root
  2. Where recommendation #1 would break application functionality, adjust the Tomcat configuration such that Tomcat will not execute scripts in any directory it can write to
  3. Consider additional monitoring on servers to detect and report the execution of unexpected processes
  4. Remove public access to this service by moving it inside your network and configuring mobile devices to access it via a VPN or proxy that requires authentication
  5. Install an update rectifying this issue as soon as one is available

Advisory timeline

  1. 2018-03-28 – Reported to Citrix and acknowledged immediately
  2. 2018-05-21 – Issue reported fixed

CVSS

Base score: 9.9
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Metadata

  • Severity
    Critical (base score 9.9)
  • Discovered by
    Glyn Wintle
  • Severity
    High
  • Advisory ID
    dxw-2018-3569
  • CVE
    CVE-2018-10650
  • Component/package
    XenMobile
  • Version
    10.8.0 and older
  • Published
    2018-03-26