This is a description of vulnerabilities found in Rumpus version 8.2.14, which enable a malicious actor to get root access to the underlying system if the web user account management setting is enabled. No patch is available, disabling the remote user management will mitigate the most risk.
Rumpus is a file transfer application developed by Maxum. Available for Windows and Mac of which only the Mac version was examined.
By combining these vulnerabilities, it is possible to exploit the command injection vulnerability without authentication or with a low privileged user account.
Stored Cross-Site Scripting (CVE-2020-27576)
The following POST request shows the payload on the last line:
The response shows the folder is created:
The XSS occurs because the folder name is not sufficiently encoded. With double quotes it is possible to alter the HTLM element.
Web User Account Management
The following setting introduces the two other vulnerabilities. The applications network settings contain a remote admin setting called web user account management. This enables the vulnerable functionality of managing user accounts.
Cross-Site Request Forgery (CVE-2020-27574)
The following HTML form can be hosted by an attacker. Tricking a user account with administrative privileges to visit the page will lead to the creation of an attacker specified account, using an image. The form thereafter will set the account settings.
When the administrative user account visits the page, the form will automatically submit the attacker assigned values to the server.
The following code snippets show the requests and responses after an administrative user visits the page with the form above:
First creating a user using the image:
The form submission sets the user’s settings:
A possible mitigation is to protect it by using a POST method with CSRF tokens and an origin check. The edit account form already uses the POST method but no CSRF tokens or an origin check.
Command Injection (CVE-2020-27575)
The command injection is in the HomeFolder parameter in the edit account form. Sending the following POST request to the server from an administrative account will result in a root shell.
Attacker listener’s incoming connection:
The command injection occurs because input is not filtered, it is possible to alter the expected command by using a quote. By using backticks it is possible to insert arbitrary commands into this string whereafter it will be executed.
XSS to root
To demonstrate the impact of this combination of vulnerabilities the following proof of concept was made.
Combining the payload with the XSS is possible but tricky due to the length restriction and encoding. Note a valid username and place it in the payload.
Base64 encode it due to special characters being filtered. Don’t forget to URL encode special characters after it:
The POST request should look similar to this:
On a mouseover the command injection will be send to the server. When done by an administrator this will result in a root shell for the attacker.
CSRF to root
Another combination is to trick a user with access to user management to visit the following malicious page. Because a user account is needed to set the folder value to, a user is created beforehand named “rce”. No authentication is needed to perform this attack.
Resulting in a root shell for the attacker.
Oct 12th 2020
Got asked for serial number
Oct 14th 2020
Asked for confirmation
Oct 20th 2020
Reserved CVE numbers
Jan 28th 2021
CVE numbers assigned
Feb 7th 2021
Sent new report of latest version
“unclear if it is a real world vulnerability”
Mar 7th 2021
No patch is available, disabling the remote user management will mitigate the most risk.