CVE-2019-6714
published 2019-03-21

Priority: P275 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 31.72% (98.1st percentile)
An issue was discovered in BlogEngine.NET through 3.3.6.0. A path traversal and Local File Inclusion vulnerability in PostList.ascx.cs can cause unauthenticated users to load a PostView.ascx component from a potentially untrusted location on the local filesystem. This is especially dangerous if an authenticated user uploads a PostView.ascx file using the file manager utility, which is currently allowed. This results in remote code execution for an authenticated user.

Affected (3 ranges)

Vendor            Product          Version range   Fixed in
blogengine        blogengine.net   <= 3.3.6.0      (none listed)
blogengine        blogengine.net   <= 3.3.7.0      (none listed)
dotnetblogengine  blogengine.net   <= 3.3.7.0      (none listed)

Detection & IOCs (extracted from sources)

  path:     /?theme=../../App_Data/files
  filename: PostView.ascx
  url:      /Account/login.aspx?ReturnURL=/admin/
  url:      /admin/app/editor/editpost.cshtml
  port:     4445
  • Detect exploitation attempts via the unchecked 'theme' parameter used for path traversal; monitor HTTP GET requests whose theme query parameter contains '../../App_Data/files'. Match on the percent-decoded value, since the dot-dot sequence and the separators may arrive URL-encoded (or as backslashes on IIS), and compare the parameter name case-insensitively, as ASP.NET does.
  • Alert on upload of a file named 'PostView.ascx' via the BlogEngine.NET file manager, as this is the malicious payload used to achieve RCE.
  • Monitor for brute-force login attempts against /Account/login.aspx with repeated POST requests and 'Login failed' responses, indicative of credential stuffing or hydra-style attacks.
  • Detect outbound TCP connections from the web server process (w3wp.exe or aspnet) to attacker-controlled IPs on non-standard ports (e.g. 4445), as spawned by the PostView.ascx reverse shell payload.
  • Alert on cmd.exe being spawned as a child process of a .NET web application worker process, which is the execution mechanism used by the exploit's reverse shell component.
  • Monitor writes to C:\Program Files (x86)\SystemScheduler\ by non-administrative users; the exploit chain replaces Message.exe in this directory for privilege escalation.
  • Detect use of PowerShell Invoke-Expression (IEX) with WebClient.Downloadfile to download executables from remote hosts, used post-exploitation to stage meterpreter payloads.
  • The exploit requires two conditions: an authenticated user must first upload the malicious PostView.ascx via the file manager, and then the path traversal via the theme parameter triggers unauthenticated RCE. Detection must cover both the upload phase and the traversal trigger.
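As an added example (not code from the page, from the cited sources, or from BlogEngine.NET), the following Python scans access-log lines for two of the indicators listed above: the 'theme' traversal trigger, including URL-encoded, double-encoded and backslash variants, and repeated failed POSTs to /Account/login.aspx. The log format (`<client_ip> <method> <uri> <status>`), the sample lines, the threshold of 10 failed POSTs, and the assumption that a successful forms login answers with a 302 while a failed one re-renders the page with a 200 are all constructed for the example. It does not model the file-manager upload phase, for which the page gives no request shape.

```python
"""Access-log detection for CVE-2019-6714 indicators (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in the form "<client_ip> <method> <uri> <status>".
# Not taken from the page or from any real incident; they only exercise the logic.
SAMPLE_LOG_LINES = [
    "203.0.113.7 GET /?theme=../../App_Data/files 200",
    "203.0.113.7 GET /?Theme=%2e%2e%2f%2e%2e%2fApp_Data%2ffiles 200",   # mixed-case key, URL-encoded
    "203.0.113.7 GET /?theme=%252e%252e%252fApp_Data%252ffiles 200",    # double-encoded
    "203.0.113.7 GET /?theme=..%5c..%5cApp_Data%5cfiles 200",           # backslash separators
    "198.51.100.2 GET /?theme=Standard 200",                            # legitimate theme name
    "198.51.100.2 GET /blog.aspx?id=1 200",
] + ["203.0.113.7 POST /Account/login.aspx?ReturnURL=/admin/ 200"] * 12 \
  + ["198.51.100.2 POST /Account/login.aspx?ReturnURL=/admin/ 302"]

LOGIN_PATH = "/account/login.aspx"
LOGIN_THRESHOLD = 10          # assumed threshold for the brute-force rule
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_path(value):
    """Decode and fold Windows backslashes to slashes before matching."""
    return fully_decode(value).replace("\\", "/")


def theme_traversal(uri):
    """Return the normalized 'theme' value if it contains a '..' segment, else None."""
    query = urlsplit(uri).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        # ASP.NET query-string lookup is case-insensitive, so compare lowercased.
        if key.lower() == "theme":
            norm = normalize_path(value)
            if DOTDOT_SEGMENT.search(norm):
                return norm
    return None


def parse_line(line):
    ip, method, uri, status = line.split(" ", 3)
    return ip, method, uri, int(status)


def scan(lines):
    """Return a list of (rule, detail) findings for the given log lines."""
    findings = []
    failed_logins = Counter()
    for line in lines:
        ip, method, uri, status = parse_line(line)
        hit = theme_traversal(uri)
        if hit is not None:
            findings.append(("theme_traversal", f"{ip} -> theme={hit}"))
        # Assumption: a successful forms-auth login redirects (302); a 200 on POST
        # means the login page was re-rendered, i.e. the attempt failed.
        if method == "POST" and urlsplit(uri).path.lower() == LOGIN_PATH and status != 302:
            failed_logins[ip] += 1
    for ip, count in failed_logins.items():
        if count >= LOGIN_THRESHOLD:
            findings.append(("login_bruteforce", f"{ip}: {count} failed POSTs to {LOGIN_PATH}"))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG_LINES):
        print(f"[{rule}] {detail}")
```

The traversal rule deliberately keys on a decoded `..` segment rather than on the literal string `../../App_Data/files`, so the same logic catches attempts aimed at other directories; tighten it to the App_Data path if the broader match proves noisy in your environment.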

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL  (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH      (AV:N/AC:L/Au:N/C:P/I:P/A:P)