CVE-2019-10719
Published 2019-06-21
Priority: P2 · 63 · high · CVSS 3.0: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 7.60% (93.8th percentile)
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dotnetblogengine | blogengine.net | <= 3.3.7.0 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /api/upload whose dirPath parameter contains path traversal sequences (%2f..%2f or ../), especially when the target is the /Custom/Themes/ directory.
- Detect uploads of a file named PostView.ascx to the /api/upload endpoint; this is the web shell payload used for RCE.
- Detect HTTP requests whose theme cookie contains directory traversal sequences (e.g. ../../App_Data/files/); authentication is not required to trigger RCE via this vector.
- Detect GET requests to /?theme=<directory_name>, which trigger execution of an uploaded PostView.ascx from the Custom/Themes directory.
- Monitor for the BlogEngine.NET worker process (w3wp.exe) spawning cmd.exe, and for unexpected outbound TCP connections from that process; both indicate the reverse shell payload executing.
- Caveat: CVE-2019-10719 is an incomplete fix for CVE-2019-6714, and both share the same /api/upload endpoint and PostView.ascx payload, so detections written for CVE-2019-6714 may not fully cover this variant.
- Caveat: the public exploit script is written to send its traffic through a local proxy at 127.0.0.1:8080, i.e. an intercepting proxy on the attacker's own host. This changes nothing about what the target sees, so it is a property of the PoC rather than a usable network indicator.
- Caveat: the theme-cookie trigger (the CVE-2019-10720 variant) requires no authentication, so the upload and trigger steps can be decoupled: an attacker may upload via an authenticated session and trigger via an unauthenticated request.
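The detections listed above, as an added example run over constructed request records (this is not code from the page, from the Exploit-DB entries, or from BlogEngine.NET): the record shape (method, uri, headers, body) and the sample traffic are assumptions, and the block goes slightly beyond the list by correlating a traversing dirPath with a later /?theme= request, so that only theme previews whose directory name was planted earlier are flagged.

```python
"""Flag the CVE-2019-10719 / CVE-2019-10720 upload-and-trigger pattern in HTTP request records.

Added example, not code from this page or from BlogEngine.NET. The records below are
constructed for illustration; their shape (method, uri, headers, body) is an assumed
capture format such as a WAF or reverse-proxy log, not a BlogEngine.NET or IIS format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# '..' bounded by path separators (or string edges) after backslashes are normalised to '/'.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Multipart Content-Disposition naming the web-shell file used by both public PoCs.
POSTVIEW = re.compile(r'filename="?[^";\r\n]*postview\.ascx', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so '%252f..%252f' and '../' compare equal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the (decoded, slash-normalised) value contains a '..' path segment."""
    return bool(TRAVERSAL.search(fully_decode(value).replace("\\", "/")))


def cookie_value(headers, name):
    """Return the named cookie's raw value from a Cookie header, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for part in lowered.get("cookie", "").split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None


def classify(req, planted):
    """Return indicator tags for one request.

    `planted` is shared across a scan: directory names created under Custom/Themes
    via a traversing dirPath are remembered so a later /?theme=<that name> request
    is tagged as the shell trigger instead of as an ordinary theme preview.
    """
    tags = []
    parts = urlsplit(req["uri"])
    path = parts.path.lower()
    # ASP.NET query keys are case-insensitive, so compare them lower-cased.
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    body = req.get("body", "")

    if req["method"].upper() == "POST" and path == "/api/upload":
        for dirpath in query.get("dirpath", []):
            decoded = fully_decode(dirpath).replace("\\", "/")
            if has_traversal(decoded):
                tags.append("dirpath_traversal")
                if "custom/themes" in decoded.lower():
                    planted.add(decoded.rstrip("/").rsplit("/", 1)[-1])
        if POSTVIEW.search(body):
            tags.append("postview_upload")

    theme_cookie = cookie_value(req.get("headers", {}), "theme")
    if theme_cookie is not None and has_traversal(theme_cookie):
        tags.append("theme_cookie_traversal")

    for theme in query.get("theme", []):
        if has_traversal(theme) or theme in planted:
            tags.append("shell_trigger")
    return tags


def scan(requests):
    """Run classify() over an ordered request list; return [(index, tags)] for hits only."""
    planted = set()
    findings = []
    for i, req in enumerate(requests):
        tags = classify(req, planted)
        if tags:
            findings.append((i, tags))
    return findings


# Constructed sample traffic (not real captures): a benign upload, the two-step
# attack from the 'dirPath' PoC, the theme-cookie variant, a legitimate theme
# preview, and a double-encoded traversal that a single decode would miss.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/api/upload?action=filemgr&dirPath=%2ffiles%2f",
     "headers": {}, "body": 'Content-Disposition: form-data; name="file"; filename="photo.png"'},
    {"method": "POST", "uri": "/api/upload?action=filemgr&dirPath=%2f..%2f..%2fCustom%2fThemes%2fRCE_Test",
     "headers": {}, "body": 'Content-Disposition: form-data; name="file"; filename="PostView.ascx"'},
    {"method": "GET", "uri": "/?theme=RCE_Test", "headers": {}, "body": ""},
    {"method": "GET", "uri": "/", "headers": {"Cookie": "theme=../../App_Data/files/"}, "body": ""},
    {"method": "GET", "uri": "/?theme=Standard", "headers": {}, "body": ""},
    {"method": "POST", "uri": "/api/upload?action=filemgr&dirPath=%252f..%252f..%252fCustom%252fThemes%252fx2",
     "headers": {}, "body": 'Content-Disposition: form-data; name="file"; filename="notes.txt"'},
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(tags)}")
```

The PostView.ascx file name only appears in the multipart body, so the second indicator needs a source that keeps request bodies (a WAF or proxy capture). Plain web-server access logs usually carry the URI and, if enabled, the cookie but not the body, so on those sources expect only the dirPath, theme-cookie and theme-query tags, and pair them with the w3wp.exe process-spawn monitoring from the list above.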
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution (exploitdb · 2019-06-19)
---
# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
# Date: 17 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10719
#1. Description
#==============
#BlogEngine.NET is vulnerable to a Directory Traversal on `/api/upload` which allows an RCE through the `theme` parameter.
#2. Proof of Concept
#=============
#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`; exploit the directory traversal to upload the shell into the **/Custom/Themes** directory:
#~~~
#POST /api/upload?action=filemgr&dirPath=%2f..%2f..%2fCustom%2fThemes%2fRCE_Test HTTP/1.1
#Host: $R
Exploit-DB
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution (exploitdb · 2019-06-19)
---
# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
# Date: 17 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10720
#1. Description
#==============
#BlogEngine.NET is vulnerable to a Directory Traversal through the **theme** cookie which triggers an RCE.
#2. Proof of Concept
#=============
#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`:
#~~~
#POST /api/upload?action=filemgr HTTP/1.1
#Host: $RHOST
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
#Accept: text/plain
#Accept-Language: en-US,en;q=0.5
#Accept-Enco
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153347/BlogEngine.NET-3.3.6-3.3.7-dirPath-Directory-Traversal-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Jun/26
- https://www.securitymetrics.com/blog/BlogEngineNET-Directory-Traversal-Remote-Code-Execution-CVE-2019-10719-CVE-2019-10720