
Advisory CVE-2021-41550 Leostream Connection Broker – Authenticated Remote Code Execution

Software: Leostream Connection Broker
Affected Versions: 9.0.40.17
Vendor page: https://leostream.com/
CVE Reference: CVE-2021-41550
Published: 25/01/2022
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi

Summary

Leostream Connection Broker version 9.0.40.17 allowed an attacker to upload arbitrary content through the Third Party Content (TPC) functionality. Because the web application's default configuration executes the filenames listed below as Perl, an uploaded file with one of those names is run server-side.

Mitigation

Leostream has released a patch for this vulnerability; JUMPSEC recommends upgrading the affected versions as soon as possible. Leostream's release notes and advisories can be found here.

Technical details

To achieve remote code execution, an attacker with administrator access to the application, or with a custom role that allows TPC uploads, can upload Perl files that are then executed server-side. The default web server configuration used by the web application (obtainable by downloading the archive behind the "Download Technical Support Package" link in the left menu bar of Leostream's web interface) contains the httpd.conf, which shows that the following filenames are executed as Perl:

  • all_back.pl
  • clients.pl
  • config.pl
  • database_error.pl
  • error_document.pl
  • fastlist.pl
  • index.pl
  • invite.pl
  • license.pl
  • logout.pl
  • pcoip_broker.pl
  • plan.pl
  • rest.pl
  • rpc.pl
  • sam.pl
  • saml.pl
  • search.pl
  • server.pl
  • status.pl
  • support.pl
  • syslog_server.pl
  • user.pl
  • view.pl
  • webquery.pl
  • Welcome.pl

The uploaded file is served from the /tpc/ directory on the web server, so the attacker can trigger execution of the malicious code simply by requesting the uploaded file.
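The two controls a defender gets from the details above are an upload-name check (reject TPC uploads whose name collides with one of the executable filenames) and a detection rule over the web server access log (requests for those names under /tpc/). The script below is an added example, not code from JUMPSEC or Leostream; it takes the filename list and the /tpc/ path from the advisory, and assumes the access log is in Apache Common Log Format. The log lines it runs over are constructed for the example.

```python
"""Upload filter and access-log detection built from the advisory's filename list.
Added example (not Leostream's or JUMPSEC's code). Assumes Apache Common Log Format."""
import re
from posixpath import basename, normpath
from urllib.parse import unquote, urlsplit

# Filenames the default httpd.conf executes as Perl (list taken from the advisory).
EXECUTABLE_PERL_NAMES = frozenset({
    "all_back.pl", "clients.pl", "config.pl", "database_error.pl", "error_document.pl",
    "fastlist.pl", "index.pl", "invite.pl", "license.pl", "logout.pl", "pcoip_broker.pl",
    "plan.pl", "rest.pl", "rpc.pl", "sam.pl", "saml.pl", "search.pl", "server.pl",
    "status.pl", "support.pl", "syslog_server.pl", "user.pl", "view.pl", "webquery.pl",
    "Welcome.pl",
})
_LOWER_NAMES = frozenset(n.lower() for n in EXECUTABLE_PERL_NAMES)

# Directory from which TPC uploads are served, per the advisory.
UPLOAD_PREFIX = "/tpc/"


def is_executable_name(filename: str) -> bool:
    """True if an uploaded filename collides with a name httpd.conf executes as Perl.
    The comparison is deliberately case-insensitive so the upload filter stays
    conservative on case-insensitive filesystems."""
    return basename(filename).lower() in _LOWER_NAMES


def classify_request_target(target: str):
    """Severity for a request target: 'high' for an executable name under /tpc/,
    'medium' for any other .pl under /tpc/, None otherwise."""
    path = unquote(urlsplit(target).path)  # drop the query string, decode %xx
    path = normpath(path)                  # collapse ./ and ../ segments
    if not path.startswith(UPLOAD_PREFIX):
        return None
    name = basename(path).lower()
    if name in _LOWER_NAMES:
        return "high"
    if name.endswith(".pl"):
        return "medium"
    return None


# Apache Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_tpc_perl_requests(lines):
    """Return one record per request that reaches a Perl file under /tpc/."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        severity = classify_request_target(m["target"])
        if severity:
            hits.append({
                "ip": m["ip"], "time": m["ts"], "method": m["method"],
                "target": m["target"], "status": int(m["status"]),
                "severity": severity,
            })
    return hits


# Constructed sample access log (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Sep/2021:10:15:01 +0000] "GET /tpc/index.pl HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2021:10:15:05 +0000] "GET /tpc/logo.png HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Sep/2021:10:16:00 +0000] "GET /index.pl HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Sep/2021:10:17:30 +0000] "GET /tpc/rest.pl?v=1 HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Sep/2021:10:18:00 +0000] "POST /tpc/notes.pl HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Sep/2021:10:19:12 +0000] "GET /tpc/%57elcome.pl HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in flag_tpc_perl_requests(SAMPLE_ACCESS_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

The request classifier decodes percent-encoding and normalises the path before matching, because the log stores the raw target and a `%57elcome.pl` request reaches the same file as `Welcome.pl`. A request for `/index.pl` outside `/tpc/` is the application's own page and is not flagged; any other `.pl` under `/tpc/` is reported at lower severity so that an unexpected script name in the upload directory is still visible.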

Timeline

10/09/2021: Issue reported to the vendor
10/09/2021: Vendor acknowledged the issues
22/09/2021: CVE number assigned from MITRE
16/10/2021: The security patch was released by Leostream
25/01/2021: Advisory published by JUMPSEC

This post is licensed under CC BY 4.0 by the author.