lab.mogwaisecurity.de because sharing is caring...

PowerFolder Remote Code Execution Vulnerability

Title: PowerFolder Remote Code Execution Vulnerability
Id: MSA-2016-01
Product: PowerFolder Server
Affected versions: 10.4.321 (Linux/Windows) (other versions might also be affected)
Impact: high
Remote: yes
Product link: https://www.powerfolder.com
Reported: 02/03/2016
By: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:

PowerFolder is the leading on-premise solution for file synchronization and collaboration in your organization. PowerFolder Business Suite and PowerFolder Enterprise Suite both offer a fully integrated and secure solution for backup, synchronization and collaboration.

Support for federated RADIUS, LDAP and RESTful APIs allows PowerFolder to blend in perfectly into your environment while all data is stored on your own IT infrastructure, ensuring that your data remains 100% under your control.

Business recommendation:

Apply patches that are provided by the vendor. Restrict access to the PowerFolder port, as the vulnerability might be exploited with other gadgets.

CVSS2 Ratings

CVSS Base Score: 9.3
Impact Subscore: 10
Exploitability Subscore: 8.6
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Vulnerability description

The PowerFolder server and client are written in Java. Data exchange is mainly done via serialized Java objects that are sent over a dedicated port (TCP port 1337). This service deserializes untrusted data received on that port, which can be exploited to execute arbitrary code.[1][2]

The tested PowerFolder version contains a modified version of the Java library "Apache Commons". In this version, the PowerFolder developers removed certain dangerous classes such as org.apache.commons.collections.functors.InvokerTransformer; however, exploitation is still possible using another gadget chain [3].
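As an added illustration (not PowerFolder's code, nor from the advisory author), the defensive counterpart to the class-removal approach described above: an ObjectInputStream subclass that only resolves classes on an explicit allowlist, so that a blocklist of individual gadget classes such as InvokerTransformer is no longer the only line of defence. The allowlisted type names and the Ping message class are assumed placeholders for a real protocol's message types.

```java
import java.io.*;
import java.util.Set;

/** Look-ahead deserialization: deny by default, resolve only allowlisted classes. */
public final class AllowlistObjectInputStream extends ObjectInputStream {
    // Assumed example set: a real deployment lists its own wire-protocol classes here.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Integer", "java.lang.Number", "[B",
            AllowlistObjectInputStream.Ping.class.getName());

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // A blocklist of known gadgets can be bypassed by another chain; an allowlist
        // rejects any unexpected class before its readObject() ever runs.
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Minimal protocol message used only for this demonstration (assumed). */
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload;
        Ping(String payload) { this.payload = payload; }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected message type: accepted.
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(serialize(new Ping("hello"))))) {
            System.out.println("accepted: " + ((Ping) in.readObject()).payload);
        }
        // Any other serializable class (e.g. a HashMap carrying a gadget chain): rejected.
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(serialize(new java.util.HashMap<String, String>())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9+ (and 8u121+) the same deny-by-default policy can be applied without subclassing via ObjectInputFilter or the jdk.serialFilter system property.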

Proof of concept:

A simple PoC can be found here https://github.com/h0ng10/powerfolder-exploit-poc

Disclosure timeline:

10/02/2016 Bug discovered during pentest preparation
02/03/2016 Initial contact via vendor support form
02/03/2016 Response from vendor, asking for additional details
02/03/2016 Sending description, including a very simple PoC
07/03/2016 Response from PowerFolder developers, they are unable to reproduce the issue
07/03/2016 Response from Mogwai Security, will develop an improved PoC exploit
12/03/2016 Providing an improved exploit PoC that does not only work in LAN networks
21/03/2016 Requesting an update from the developers
21/03/2016 Phone call with PowerFolder developers
21/03/2016 Additional response from PowerFolder, they plan to release a security update at the end of the month
01/04/2016 Release of PowerFolder 10 SP5, including vulnerability acknowledgement [4]

References:

[1] https://frohoff.github.io/appseccali-marshalling-pickles/
[2] https://www.youtube.com/watch?v=VviY3O-euVQ
[3] https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections3.java
[4] https://wiki.powerfolder.com/display/PFC/PowerFolder+Client+10+SP5

Advisory URL: https://www.mogwaisecurity.de/#lab

Mogwai, IT-Sicherheitsberatung Muench
Gutenbergstrasse 2 89231 Neu-Ulm (Germany)

info@mogwaisecurity.de