HtmlImport Unauthenticated Remote Code Execution

High
Advisory IDL9-16-482PublishedAugust 19, 2021UpdatedAugust 19, 2021
Category Unrestricted Upload of File with Dangerous TypeVendorPrivaProductPriva Office DirectVersion9.0.0

Risk Summary

The Priva Office Direct software is used to interface with the Priva process computer in horticultural operations and smart greenhouses. Through this interface, greenhouse operators can monitor and modify set points of the process, commonly temperature, curtain, humidity, dosing, flow rates, etc.

The application contains an unauthenticated import function that can be abused to execute code on the underlying operating system. The Research team identified this vulnerability in the application bytecode and was able to exploit it using directory traversal and a null byte in the file path. This attack resulted in the injection of a Java Servlet Page (JSP) file that is run by the server. Through this avenue, any operating system command can be executed without authentication to the Priva system.

Technical Details

The Research team identified this issue within the “/office/user/HtmImport” URL. The query parameter “screenId” is used to indicate a file path. Typically, this path contains a local HTML file that is used as a UI rendering view. The body of this request is intended to contain the content of the HTML file. The Research team was able to manipulate the “screenId” parameter in this function using a directory traversal vulnerability and a null byte injection. In combination, these two exploits allow a JSP file to be placed within the web root of the tomcat application. JSP files are intended to contain Java code that is run by the web application server. A JSP file is not typically allowed within the HtmlImport function, but the use of a null byte (%00) at the end of the parameter value truncates this verification.

As a result, a value of “../../../../../../Program%20Files%20/Priva/Priva%20Office/WebServer/webapps/books/x.jsp%00” will place a JSP file named “x.jsp” within the default “books” webapp.

PUT Request

PUT Response

Placing this file within the web root enables a threat actor to access and execute the contents of the file over the network. The body of this request contains the Research team’s JSP payload. In this instance, a simple reverse shell was executed to demonstrate the capability.

GET to Trigger Payload

Callback Received