Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
c88d4ea
commit 3808bf2
Showing
9 changed files
with
65 additions
and
1 deletion.
There are no files selected for viewing
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # CVE-2019-9757: LabKey Server XXE | ||
|
|
||
| ## Information | ||
| **Description:** An XXE vulnerability exists in LabKey Server due to an outdated Java library. This allows arbitrary files to be read from the server. | ||
| **Versions Affected:** LabKey Server 19.1.0 | ||
| **Researcher:** David Yesland (https://twitter.com/daveysec) | ||
| **Disclosure Link:** https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce | ||
| **NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2019-9757 | ||
|
|
||
| ## Proof-of-Concept Exploit | ||
| ### Description | ||
| The application parses SVG/XML data to render as an image if an external entity is used in the XML it is possible to render the contents of files into the image. | ||
|
|
||
| ### Usage/Exploitation | ||
| Within LabKey Server, export a report graph as a PNG and send the contents of CVE-2019-9757.svg with the POST request. | ||
|
|
||
| ### Screenshot | ||
|  |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # CVE-2019-9758: LabKey Server Stored XSS | ||
|
|
||
| ## Information | ||
| **Description:** This allows Cross-Site Scripting to execute against an admin of LabKey Server which can lead to RCE. | ||
| **Versions Affected:** LabKey Server 19.1.0 | ||
| **Researcher:** David Yesland (https://twitter.com/daveysec) | ||
| **Disclosure Link:** https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce | ||
| **NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2019-9758 | ||
|
|
||
| ## Proof-of-Concept Exploit | ||
| ### Description | ||
| The username is not sanitized in some portions of the application within the admin portal. This allows XSS payloads to be executed on an admin of the application which can also lead to XSS by abusing intended functionality of the application. | ||
|
|
||
| ### Usage/Exploitation | ||
| Set the username of a user to `<svg onload=alert(document.cookie)>` then attempt to clone the permissions of that user as an admin. | ||
|
|
||
| ### Screenshot | ||
|  |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| <img src='http://localhost:8080/labkey/reports-viewScriptReport.view?reportType=ReportService.rReport&script=system("ls")'> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # CVE-2019-9926: LabKey Server CSRF | ||
|
|
||
| ## Information | ||
| **Description:** This allows a CSRF attack to be performed against an admin of LabKey Server to an endpoint which can run R script and leads to RCE. | ||
| **Versions Affected:** LabKey Server 19.1.0 | ||
| **Researcher:** David Yesland (https://twitter.com/daveysec) | ||
| **Disclosure Link:** https://rhinosecuritylabs.com/application-security/labkey-server-vulnerabilities-to-rce | ||
| **NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2019-9926 | ||
|
|
||
| ## Proof-of-Concept Exploit | ||
| ### Description | ||
| The application has functionality to process data using user defined scripts. This endpoint was found to be vulnerable to CSRF by changing a POST request to a GET. This allows an arbitrary script to be defined and executed if an authenticated admin visits the crafted URL. | ||
|
|
||
| ### Usage/Exploitation | ||
| As an authenticated admin visit `http://localhost:8080/labkey/reports-viewScriptReport.view?reportType=ReportService.rreport&script=system("ls")`. | ||
|
|
||
| ### Screenshot | ||
|  |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters