Vendor: Jedox
By: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
CVSS: 7.5 (HIGH)
CWE: 22 (Directory Traversal)
Product Name: Jedox
Affected Version From: Jedox 2022.4 (22.4.2) and older
Affected Version To: Jedox 2022.4 (22.4.2)
Patch Exists: YES
Related CVE: CVE-2022-47875
CPE: a:jedox:jedox
2023

Jedox 2022.4.2 – Remote Code Execution via Directory Traversal

A Directory Traversal vulnerability in /be/erpc.php allows remote authenticated users to execute arbitrary code. To exploit the vulnerability, the attacker must have the permissions to upload files. The attacker can first upload a file using one of the existing file upload mechanisms (e.g. Import in Designer). When uploading a file, the web application returns the file system path in the JSON body of the HTTP response (look for `fspath`). The attacker can then use the file system path to get RCE via Directory Traversal by sending a POST request to /be/erpc.php with the body containing the command to be executed.

Mitigation:

Ensure that the web application is configured to only allow authenticated users to upload files and that the file system path is not returned in the response body.

Exploit-DB raw data:

# Exploit Title: Jedox 2022.4.2 - Remote Code Execution via Directory Traversal
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47875


Introduction
=================
A Directory Traversal vulnerability in /be/erpc.php allows remote authenticated users to execute arbitrary code. To exploit the vulnerability, the attacker must have the permissions to upload files.


Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.


Proof of Concept
=================
1) This vulnerability can be exploited by first uploading a file using one of the existing file upload mechanisms (e.g. Import in Designer). When uploading a file, the web application returns the file system path in the JSON body of the HTTP response (look for `fspath`).

2) Upload a PHP file and note the file system path (`fspath`)

3) Get RCE via Directory Traversal

	PATH: /be/erpc.php?c=../../../../../fspath/of/uploaded/file/rce.php
	METHOD: POST
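
Detection
=================
For defenders reviewing web server logs, the request pattern in step 3 can be searched for directly. The following is an added example, not part of the original advisory or of Jedox: it flags requests to /be/erpc.php whose `c` parameter contains parent-directory segments or an absolute path, including percent-encoded and double-encoded forms. The combined access log format, the sample log lines and the benign value `Studio` are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input such as '..%252f' is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(c_value):
    """True if the value has a '..' path segment or is an absolute path."""
    path = fully_decode(c_value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def suspicious_erpc_requests(log_lines):
    """Return (line_number, method, decoded c value) for flagged /be/erpc.php requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if fully_decode(url.path).lower() != "/be/erpc.php":
            continue
        # parse_qs decodes once; fully_decode handles any remaining encoding layers.
        for c_value in parse_qs(url.query, keep_blank_values=True).get("c", []):
            if is_traversal(c_value):
                hits.append((number, match.group("method"), fully_decode(c_value)))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Apr/2023:10:00:01 +0000] "POST /be/erpc.php?c=Studio HTTP/1.1" 200 512',
    '192.0.2.44 - - [28/Apr/2023:10:02:17 +0000] "POST /be/erpc.php?c=../../../../../tmp/upload/x.php HTTP/1.1" 200 87',
    '192.0.2.44 - - [28/Apr/2023:10:02:40 +0000] "POST /be/erpc.php?c=%2e%2e%252f%2e%2e%252ftmp%252fx.php HTTP/1.1" 200 87',
    '192.0.2.10 - - [28/Apr/2023:10:03:00 +0000] "GET /be/other.php?c=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_erpc_requests(SAMPLE_LOG):
        print(hit)
```

A hit that follows a file upload from the same client is the sequence described in the Proof of Concept and is worth correlating in the same log.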