An authentication bypass vulnerability exists in edge-app-base-webui.
The doLogin() method fetches the correct UUID, so the login would succeed.
An unauthenticated remote attacker can exploit this vulnerability by sending an HTTP POST request without the password parameter to the /management/wizardLogin endpoint.
Once authenticated, the attacker can perform UDP Console tasks that require authentication.
This vulnerability can be chained with the following vulnerability to perform an unauthenticated path traversal file upload. The PoC for this vulnerability is incorporated into the PoC of the following vulnerability.
CVE-2024-0800 - Authenticated Path Traversal File Upload
A path traversal vulnerability exists in edge-app-base-webui.
An authenticated remote attacker can exploit this to upload arbitrary files to any directory on the file system where the UDP Console is installed.
Python3 arcserve udp console wizardLogin auth bypass.
Uploading local file /tmp/malicious file to WindowsSystem32existing exe to be replaced.
When logging in to the Arcserve UDP Console with the validateUserByUser API call, the login username is processed by code in ASNative.
.text:000000018000921C add r14, 2
.text:0000000180009220 cmp r15, rbp
.text:0000000180009238 lea rcx, [rdi+2] ; Size
.text:000000018000923C call cs:__imp_malloc
.text:0000000180009242 lea r8, [rdi+2] ; Size
.text:0000000180009246 xor edx, edx ; Val
.text:0000000180009248 mov rcx, rax ; void *
.text:000000018000924B mov r13, rax
.text:000000018000925F ; copy domain part in domain\username
.text:000000018000925F call cs:wcsncpy_s
If the fully qualified username starts with \ or /, the value 0 is passed as the second parameter to wcsncpy_s().
This will trigger the invalid parameter handler, which by default will terminate the process.
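The failure mode above, seen from the fix side, as an added example that is not code from the advisory or from Arcserve: a username splitter that rejects a leading separator before any bounded copy, so a zero-length domain never reaches the copy routine. It is written in portable standard C rather than with the MSVC wcsncpy_s(); the function name, return codes and buffer handling are assumptions made for illustration.

```c
#include <stddef.h>
#include <wchar.h>

/* Hypothetical helper (not Arcserve code): split "domain\user" or
 * "domain/user" into two caller-supplied buffers.
 * Returns 0 on success, -1 on malformed input. It never performs a
 * bounded copy with a zero-length domain, the condition that makes
 * wcsncpy_s() invoke the invalid parameter handler. */
int split_qualified_name(const wchar_t *fq,
                         wchar_t *domain, size_t domain_cap,
                         wchar_t *user, size_t user_cap)
{
    if (!fq || !domain || !user || domain_cap == 0 || user_cap == 0)
        return -1;
    domain[0] = L'\0';
    user[0] = L'\0';

    size_t sep = wcscspn(fq, L"\\/");   /* index of first separator */
    if (fq[sep] == L'\0') {             /* no separator: bare user name */
        if (sep == 0 || sep >= user_cap)
            return -1;
        wmemcpy(user, fq, sep + 1);     /* includes the terminator */
        return 0;
    }
    if (sep == 0)                       /* leading '\' or '/': empty domain */
        return -1;                      /* reject instead of copying 0 chars */

    const wchar_t *u = fq + sep + 1;    /* user part after the separator */
    size_t ulen = wcslen(u);
    if (sep >= domain_cap || ulen == 0 || ulen >= user_cap)
        return -1;
    if (wcscspn(u, L"\\/") != ulen)     /* a second separator is malformed */
        return -1;

    wmemcpy(domain, fq, sep);
    domain[sep] = L'\0';
    wmemcpy(user, u, ulen + 1);
    return 0;
}
```

Returning an error to the caller keeps the login path alive and lets the request be refused as a failed authentication instead of terminating the process.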
This Cyber News was published on www.tenable.com. Publication date: Wed, 13 Mar 2024 19:30:13 +0000