I. VULNERABILITY

Local File Inclusion - BSA Radar (Authenticated)

II. BACKGROUND

BSA Radar is a banking application provided by GLOBAL Radar that is deployed within corporate environments to perform SWIFT transactions, approve and review transactions, manage documents, manage users and roles, and provide other features.

III. DESCRIPTION

The Administrator section of the Surveillance module in Global RADAR - BSA Radar 1.6.7234.X allows users to download transaction files. When downloading a file, an authenticated user can read local files on the web server by manipulating the FileName and FilePath parameters, either directly in the URL or by modifying the request in an intercepting proxy. This vulnerability could be used to view sensitive local files or configuration files on the backend server.

Vulnerable endpoint: /UC/downloadFile.ashx

The current user is required to have valid privileges to send requests to the target vulnerable endpoint.

IV. HISTORY

The vulnerability was originally disclosed to the vendor on November 4, 2019.
The CVE was originally submitted on June 19, 2020.
CVE assigned: CVE-2020-14946

V. PROOF OF CONCEPT

HTTP Request PoC:

VALID REQUEST:
GET /UC/downloadFile.ashx?ID=XXXX&FileName=SOMEFILE.TXT&UploadStyle=1&UploadStyle=1&UploadSource=6

LFI EXPLOIT REQUEST:
GET /UC/downloadFile.ashx?ID=XXXX&Filename=C:\Windows\debug\NetSetup.log&UploadStyle=1&UploadSource=6

The entire LFI path can be injected into the "Filename" parameter in order to enumerate existing files on the server. Other LFI files can be tested (such as the Windows hosts file) for further verification and disclosures.

VI. BUSINESS IMPACT

Disclosure of internal backend server files on the affected systems.

VII. SYSTEMS AFFECTED

BSA Radar - Version 1.6.7234.24750 and lower.

VIII. SOLUTION

Reject any download request that references a file outside the application's designated file directory. This prevents users from reading arbitrary file names or file types from any other application or server directory. Whitelist the characters accepted in the file name parameter so that traversal sequences (such as ../ or ..\) and absolute directory paths cannot reach the file system.
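The following is an added example of the check described above, not code from Global RADAR or the advisory author. It models the fix as a server-side validation step on the FileName parameter: the name must match a strict character whitelist, carry an allowed extension, and resolve to a regular file that stays inside the application's upload directory after canonicalization. The directory layout, allowed extensions and sample requests are constructed for the demonstration.

```python
"""
Hardened file-download check (added example, not the vendor's code).

Models the mitigation from the Solution section: a FileName value is served
only if it is a bare, whitelisted file name and the resolved path stays inside
the application's upload directory. Directory names and the extension list
below are assumptions for this demo.
"""
import os
import re
import tempfile
from typing import Dict, Optional

# Whitelist: letters, digits, underscore, hyphen, one optional extension.
# Path separators, drive letters (C:) and leading dots never match, so
# ../, ..\ and absolute paths are rejected before touching the file system.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$")
ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf"}  # assumed set for the demo


def resolve_download(base_dir: str, file_name: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be rejected."""
    # 1. Only bare file names are accepted.
    if not SAFE_NAME.fullmatch(file_name):
        return None
    # 2. Enforce the extension whitelist (also blocks extension-less names).
    _, ext = os.path.splitext(file_name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    # 3. Canonicalize and confirm containment; this is the defence in depth
    #    against symlinks or a separator the regex might miss on some platform.
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, file_name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    # 4. Serve only regular files that actually exist under the root.
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a throwaway upload directory and run representative requests through the check.

    Returns a map of FileName value -> whether the download would be allowed.
    """
    upload_dir = tempfile.mkdtemp(prefix="uploads_")  # constructed sample directory
    with open(os.path.join(upload_dir, "SOMEFILE.TXT"), "w") as fh:
        fh.write("constructed sample transaction file\n")

    requests = [
        "SOMEFILE.TXT",                    # legitimate request from the advisory's PoC
        r"C:\Windows\debug\NetSetup.log",  # the absolute-path payload from the advisory
        "../../secret.txt",                # constructed forward-slash traversal
        "..\\..\\secret.txt",              # constructed backslash traversal
        "report.exe",                      # valid characters, extension not whitelisted
        "missing.txt",                     # valid name, no such file under the root
    ]
    return {name: resolve_download(upload_dir, name) is not None for name in requests}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Running the script prints one ALLOW line for SOMEFILE.TXT and DENY for every other request. Steps 1 and 2 alone would stop the published payload; step 3 is kept because a whitelist regex can be weakened in a later edit, and a canonicalized containment check fails closed regardless of how the name slipped through.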

IX. REFERENCES

Mitre CVE-2020-14946
Exploit-DB CVE-2020-14946 - Local File Inclusion

X. CREDITS

This vulnerability has been discovered and reported by William Summerhill.

XI. DISCLOSURE TIMELINE

The vulnerability was originally disclosed to the vendor on November 4, 2019 and acknowledged shortly after. The vulnerability was then patched and verified on April 26, 2020.