It is possible to upload JSP files to Xen Mobile’s Tomcat server, leading to arbitrary code execution.
Current state: Fixed
Using the unauthenticated file upload vulnerabilities described in dxw-2018-3564 (see finding unauthenticated file upload), it is possible to upload a zip file crafted by the attacker. Xen Mobile provides an API to unzip files by posting to:
Combining this vulnerability with the unzip API allowed us to create arbitrary files, leading to arbitrary code execution on the server.
POST /controlpoint/rest/application/mobile/process?fileName=file.zip HTTP/1.1 Host:xenmobile.example.com Referer: https://xenmobile.example.com/index_uc.html X-Requested-With: XMLHttpRequest Cookie: JSESSIONID=validsession
Xen Mobile does not check to see if the zip file contains relative paths. This meant the tester could write files to arbitrary locations on the server by crafting zip files containing relative paths. In this case, the zip file crafted by the tester was encoded to contain a file with the path:
test9.jsp contained code written by the attacker to allow us to run arbitrary commands on the server.
When Xen Mobile unzips this file, it creats test9.jsp within the web root of the Tomcat server, making it available to be executed via the web. The tester was then able to call it via HTTP from an external location, running arbitrary commands and viewing their output.
2018-03-28 – Reported to Citrix and acknowledged immediately
2018-05-21 – Issue reported fixed