Bugtraq: MSA-2016-01: PowerFolder Remote Code Execution Vulnerability

Mogwai Security Advisory MSA-2016-01
----------------------------------------------------------------------
Title: PowerFolder Remote Code Execution Vulnerability
Product: PowerFolder Server
Affected versions: 10.4.321 (Linux/Windows) (other versions might also be affected)
Impact: high
Remote: yes
Product link: http://ift.tt/1TALx9d
Reported: 02/03/2016
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:
----------------------------------------------------------------------
PowerFolder is the leading on-premise solution for file synchronization
and collaboration in your organization. PowerFolder Business Suite and
PowerFolder Enterprise Suite both offer a fully integrated and secure
solution for backup, synchronization and collaboration.

Support for federated RADIUS, LDAP and RESTful APIs allow PowerFolder
to blend in perfectly into your environment while all data is stored
on your own IT infrastructure, ensuring that your data remains 100%
under your control.

Business recommendation:
-----------------------------------------------------------------------
Apply patches that are provided by the vendor. Restrict access to the
PowerFolder port, as the vulnerability might be exploited with other gadgets.

CVSS2 Ratings
-----------------------------------------------------------------------
CVSS Base Score: 9.3
Impact Subscore: 10
Exploitability Subscore: 8.6
CVSS v2 Vector (AV:N/AC:M/Au:N/C:C/I:C/A:C)

-----------------------------------------------------------------------
Vulnerability description:
----------------------------------------------------------------------
The PowerFolder server and client are written in Java. Data exchange is mainly
done via serialized objects that are sent over a dedicated port (TCP port 1337).
This service allows deserialization of untrusted data, which can be exploited to
execute arbitrary code.[1][2]

The tested PowerFolder version contains a modified version of the Java
library "ApacheCommons". In this version, the PowerFolder developers removed
certain dangerous classes like
org.apache.commons.collections.functors.InvokerTransformer;
however, exploitation is still possible using another gadget chain [3].

Proof of concept:
----------------------------------------------------------------------
A simple PoC can be found here: http://ift.tt/1OTD5TD

Disclosure timeline:
----------------------------------------------------------------------
10/02/2016: Bug discovered during pentest preparation
02/03/2016: Initial contact via vendor support form
02/03/2016: Response from vendor, asking for additional details
02/03/2016: Sending description, including a very simple PoC
07/03/2016: Response from PowerFolder developers, they are unable to reproduce
            the issue
07/03/2016: Response from Mogwai Security, will develop an improved PoC exploit
12/03/2016: Providing an improved exploit PoC that does not only work in LAN
            networks
21/03/2016: Requesting an update from the developers
21/03/2016: Phone call with PowerFolder developers
21/03/2016: Additional response from PowerFolder, they plan to release a
            security update at the end of the month
01/04/2016: Release of PowerFolder 10 SP5, including vulnerability
            acknowledgement [4]

References:
----------------------------------------------------------------------
[1] http://ift.tt/1NtSZgu
[2] https://www.youtube.com/watch?v=VviY3O-euVQ
[3] http://ift.tt/1qGDptx
    /payloads/CommonsCollections3.java
[4] http://ift.tt/1TwqORA

Advisory URL:
----------------------------------------------------------------------
http://ift.tt/1OTCVeQ

----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Gutenbergstrasse 2
89231 Neu-Ulm (Germany)
info (at) mogwaisecurity (dot) de

from SecurityFocus Vulnerabilities http://ift.tt/1Wf0uBg