OpenWGA Developer Studio 3.1.0 OpenDialog Arbitrary Code Execution
Title: OpenWGA Developer Studio 3.1.0 OpenDialog Arbitrary Code Execution
Advisory ID: ZSL-2016-5317
Type: Local
Impact: System Access, Privilege Escalation
Risk: (3/5)
Release Date: 13.04.2016
Microsoft Windows 7 Ultimate SP1 (EN)
Java/1.8.0.77-b03
[28.02.2016] Vendor contacted.
[12.04.2016] No response from the vendor.
[13.04.2016] Public security advisory released.
[2] https://packetstormsecurity.com/files/136682
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/112262
[14.04.2016] - Added reference [1] and [2]
[19.04.2016] - Added reference [3]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5317
Type: Local
Impact: System Access, Privilege Escalation
Risk: (3/5)
Release Date: 13.04.2016
Summary
The OpenWGA Developer Studio packages an OpenWGA CMS server together with all necessary development and deployment tools to create, develop, deploy, share and maintain your OpenWGA CMS applications.Description
The application suffers from an arbitrary code execution vulnerability when using the File OpenDialog box enabling the attacker to execute any binary he or she chooses including elevation of privileges.Vendor
Innovation Gate GmbH - https://www.openwga.comAffected Version
3.1.0.r00147Tested On
Microsoft Windows 7 Professional SP1 (EN)Microsoft Windows 7 Ultimate SP1 (EN)
Java/1.8.0.77-b03
Vendor Status
[23.02.2016] Vulnerability discovered.[28.02.2016] Vendor contacted.
[12.04.2016] No response from the vendor.
[13.04.2016] Public security advisory released.
PoC
openwga_odce.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2016040093[2] https://packetstormsecurity.com/files/136682
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/112262
Changelog
[13.04.2016] - Initial release[14.04.2016] - Added reference [1] and [2]
[19.04.2016] - Added reference [3]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
