Software: Leostream Connection Broker
Affected Versions: 9.0.40.17
Vendor page: https://leostream.com/
CVE Reference: CVE-2021-41550
Published: 25/01/2022
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi
Summary
As the Leostream Connection Broker version: 9.0.40.17 allowed an attacker to upload any content through Third Party Content functionality, it was found that the application allowed the listed filenames below the ability to execute Perl programming language by default on the web application.
Mitigation
The Leostream has released a patch for this vulnerability, JUMPSEC recommend upgrading the affected versions as soon as possible. Leostream’s release notes and advisories can be found here.
Technical details
For achieving remote code execution, an attacker with administrator access to the application – or access as a custom role allowing TPC uploads – can upload Perl files to be executed server-side. The default web server configuration in use by the web application (which is accessible by downloading the archive at “Download Technical Support Package” link on the left menu bar from Leostream’s website) contained the httpd.conf, which shows that the following filenames can be executed:
- all_back.pl
- clients.pl
- config.pl
- database_error.pl
- error_document.pl
- fastlist.pl
- index.pl
- invite.pl
- license.pl
- logout.pl
- pcoip_broker.pl
- plan.pl
- rest.pl
- rpc.pl
- sam.pl
- saml.pl
- search.pl
- server.pl
- status.pl
- support.pl
- syslog_server.pl
- user.pl
- view.pl
- webquery.pl
- Welcome.pl
The malicious file will be made available under the /tpc/ directory on the web server. The attacker can then trigger the malicious code execution by visiting the uploaded files.
Timeline
10/09/2021: Issue reported to the vendor
10/09/2021: Vendor acknowledged the issues
22/09/2021: CVE number assigned from MITRE
16/10/2021: The security patch was released by Leostream
25/01/2021: Advisory published by JUMPSEC