CVE-2019-3759 - Improper Control of Generation of Code ('Code Injection')

Severity

81%

Complexity

27%

Confidentiality

86%

The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system.

The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system.

CVSS 3.1 Base Score 8.1. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVSS 2.0 Base Score 5.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N).

Demo Examples

Improper Control of Generation of Code ('Code Injection')

CWE-94

This example attempts to write user messages to a message file and allow users to view them.


               
}
echo "Message Saved!<p>\n";
include($MessageFile);

While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:


               
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E

which will decode to the following:


               
<?php system("/bin/ls -l");?>

The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages.

Notice that XSS (CWE-79) is also possible in this situation.

Improper Control of Generation of Code ('Code Injection')

CWE-94

edit-config.pl: This CGI script is used to modify settings in a configuration file.


               
}
# code to add a field/key to a file goes here
# code to set key to a particular file goes here
# code to delete key from a particular file goes here
eval($code);# this is super-efficient code, especially if you have to invoke# any one of dozens of different functions!
handleConfigAction($configfile, param('action'));
print "No action specified!\n";

The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: add_key(",","); system("/bin/ls"); This would produce the following string in handleConfigAction(): config_file_add_key(",","); system("/bin/ls"); Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated.

Overview

Type

Dell RSA

First reported 5 years ago

2019-09-11 20:15:00

Last updated 5 years ago

2019-10-09 23:49:00

Affected Software

Dell RSA Identity Governance and Lifecycle 7.0.1

7.0.1

Dell RSA Identity Governance and Lifecycle 7.0.1 Patch 1

7.0.1

Dell RSA Identity Governance and Lifecycle 7.0.1 Patch 2 Hotfix 2

7.0.1

Dell RSA Identity Governance and Lifecycle 7.0.1 Patch5 Hotfix 2

7.0.1

Dell RSA Identity Governance and Lifecycle 7.0.2

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 1

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 10

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 11

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 12

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 13

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 14

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 2

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 3

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 4

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 5

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 6

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 7

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 8

7.0.2

Dell RSA Identity Governance and Lifecycle 7.0.2 Patch 9

7.0.2

Dell RSA Identity Governance and Lifecycle 7.1.0

7.1.0

Dell RSA Identity Governance and Lifecycle 7.1.0 Patch 01

7.1.0

Dell RSA Identity Governance and Lifecycle 7.1.0 Patch 02

7.1.0

Dell RSA Identity Governance and Lifecycle 7.1.0 Patch 03

7.1.0

Dell RSA Identity Governance and Lifecycle 7.1.0 Patch 04

7.1.0

Dell RSA Identity Governance and Lifecycle 7.1.0 Patch 05

7.1.0

Dell RSA Identity Governance and Lifecycle 7.1.0 Patch 06

7.1.0

Dell RSA Identity Governance and Lifecycle 7.1.0 Patch 07

7.1.0

Dell RSA Identity Governance and Lifecycle 7.1.1

7.1.1

Dell RSA Identity Governance and Lifecycle 7.1.1 Patch 1

7.1.1

Dell RSA Via Lifecycle and Governance 7.0.0

7.0.0

Dell RSA Via Lifecycle and Governance 7.0.0 Patch 1

7.0.0

Dell RSA Via Lifecycle and Governance 7.0.0 Patch 2

7.0.0

Dell RSA Via Lifecycle and Governance 7.0.0 Patch 3

7.0.0

Dell RSA Via Lifecycle and Governance 7.0.0 Patch 4

7.0.0

Dell RSA Via Lifecycle and Governance 7.0.0 Patch 5

7.0.0

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.