Advisory CVE-2021-41550 Leostream Connection Broker – Authenticated Remote Code Execution

by | Jan 26, 2022 | Research, Security Bug, Vulnerability

Software: Leostream Connection Broker
Affected Versions: 9.0.40.17
Vendor page: https://leostream.com/
CVE Reference: CVE-2021-41550
Published: 25/01/2022
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi

Summary

As the Leostream Connection Broker version: 9.0.40.17 allowed an attacker to upload any content through Third Party Content functionality, it was found that the application allowed the listed filenames below the ability to execute Perl programming language by default on the web application.

Mitigation

The Leostream has released a patch for this vulnerability, JUMPSEC recommend upgrading the affected versions as soon as possible. Leostream’s release notes and advisories can be found here.

Technical details

For achieving remote code execution, an attacker with administrator access to the application – or access as a custom role allowing TPC uploads – can upload Perl files to be executed server-side. The default web server configuration in use by the web application (which is accessible by downloading the archive at “Download Technical Support Package” link on the left menu bar from Leostream’s website) contained the httpd.conf, which shows that the following filenames can be executed:

  • all_back.pl
  • clients.pl
  • config.pl
  • database_error.pl
  • error_document.pl
  • fastlist.pl
  • index.pl
  • invite.pl
  • license.pl
  • logout.pl
  • pcoip_broker.pl
  • plan.pl
  • rest.pl
  • rpc.pl
  • sam.pl
  • saml.pl
  • search.pl
  • server.pl
  • status.pl
  • support.pl
  • syslog_server.pl
  • user.pl
  • view.pl
  • webquery.pl
  • Welcome.pl

The malicious file will be made available under the /tpc/ directory on the web server. The attacker can then trigger the malicious code execution by visiting the uploaded files.

Timeline

10/09/2021: Issue reported to the vendor
10/09/2021: Vendor acknowledged the issues
22/09/2021: CVE number assigned from MITRE
16/10/2021: The security patch was released by Leostream
25/01/2021: Advisory published by JUMPSEC

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

GitHub Activity

 

Follow JUMPSECLabs

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

You may also like…

Can Depix deobfuscate your data?

In this post, Caleb explores Depix and its potential to recover sensitive text from reports that were redacted by the original authors.

Share This