title: CVE-2023-4760 : Do a RCE or be a whore
date: May 30, 2024
tags: cve
To recap, my team was doing a pentest for a customer where we couldn't find anything interesting. This client seemed important to one of my team members, whom I like very much, and we really wanted to report on something a bit sexy. However, the application had already been tested a lot, so it was hard to find something cool.
To make matters worse, the technology behind the application was Eclipse's Remote Application Platform (RAP).
To put it simply, it's a framework that essentially uses mouse coordinates to work.
On Wednesday (the mission ended on Friday) we had absolutely nothing, so I promised him I'd be the queen of whores if I didn't get RCE by Friday.
On Friday we had a shell on the machines running the Windows application.
To sum up, here are the key points that enabled me to achieve my goal.
Let's dive deep into this attack.
Of course, I won't name the company we were initially attacking, nor will I detail any attack made against it. All you need to know is that we had access to its “application” and were able to reverse it.
I had spotted a file upload feature and decided that I would go ahead and concentrate solely on it.
Indeed, you could upload almost any type of file and I wanted to take advantage of this freedom for RCE.
After spending a day deobfuscating and analyzing the file upload features, I decided to look into the functions the RAP framework itself uses to handle uploads.
I noticed that the file name was not modified, but that the path portion was stripped so that only the file name was kept.
Here's the code responsible for this behavior:
```java
private static String stripFileName( String name ) {
  String result = name;
  // Forward slash found: keep everything after the last one...
  int lastSlash = result.lastIndexOf( '/' );
  if( lastSlash != -1 ) {
    result = result.substring( lastSlash + 1 );
  } else {
    // ...otherwise (and ONLY otherwise) look for a backslash.
    int lastBackslash = result.lastIndexOf( '\\' );
    if( lastBackslash != -1 ) {
      result = result.substring( lastBackslash + 1 );
    }
  }
  return result;
}
```
If someone tries to go back up the tree under Linux, everything after the last “/” is kept as the file name. In the same way, under Windows, everything after the last “\” is kept as the file name.
To sum up, here's what it does:
```text
../../../../../../etc/passwd => passwd
../../../var/www/html/reverse.php => reverse.php
..\..\..\..\C:\Windows\System32\drivers\etc\hosts => hosts
```
The problem here is that the two cases sit in an IF/ELSE: as soon as a “/” is found, the backslash branch is never executed. A name that contains a single “/” followed by “..\” segments is therefore only cut at that “/”, and the remaining backslash traversal survives. Since Windows treats “\” as a path separator, you can go up the Windows tree and write the uploaded file anywhere.
In our case, we were able to get a reverse shell by generating a WAR with msfvenom and uploading it with the following path:
```text
../..\..\..\webapps\reverse-shell.war
```
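To make the IF/ELSE problem concrete, here is an added example (my own code, not RAP's and not its upstream fix) that runs the vulnerable logic next to a hardened version that cuts at the last occurrence of either separator and rejects empty or dot-only results; the class and method names are mine, and the inputs are the page's own examples plus the mixed-separator path.

```java
public class StripFileNameDemo {

    // The vulnerable logic from the page: only ONE kind of separator is ever stripped.
    static String stripFileNameVulnerable(String name) {
        String result = name;
        int lastSlash = result.lastIndexOf('/');
        if (lastSlash != -1) {
            result = result.substring(lastSlash + 1);
        } else {
            int lastBackslash = result.lastIndexOf('\\');
            if (lastBackslash != -1) {
                result = result.substring(lastBackslash + 1);
            }
        }
        return result;
    }

    // Hardened variant (added here, not RAP's fix): cut at the last occurrence of
    // EITHER separator, so no traversal segment survives whichever separator the
    // target OS honours, and refuse names that are empty or just "." / "..".
    static String stripFileNameHardened(String name) {
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String result = (cut == -1) ? name : name.substring(cut + 1);
        if (result.isEmpty() || result.equals(".") || result.equals("..")) {
            throw new IllegalArgumentException("invalid upload file name: " + name);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed inputs: the three examples from the page plus the mixed path.
        String[] inputs = {
            "../../../../../../etc/passwd",
            "../../../var/www/html/reverse.php",
            "..\\..\\..\\..\\C:\\Windows\\System32\\drivers\\etc\\hosts",
            "../..\\..\\..\\webapps\\reverse-shell.war",
        };
        for (String in : inputs) {
            // The last input yields "..\..\..\webapps\reverse-shell.war" from the
            // vulnerable version (traversal intact) and "reverse-shell.war" from the
            // hardened one.
            System.out.printf("%-50s vulnerable=%-38s hardened=%s%n",
                in, stripFileNameVulnerable(in), stripFileNameHardened(in));
        }
    }
}
```

The same contrast is a useful regression test for any upload handler: feed it both separators in one name and assert that nothing but the final component comes back.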