CVE-2019-6714
Published 2019-03-21
Priority P275 · critical · 9.8 (CVSS 3.0) · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit referenced (see References)
EPSS 31.72% (98.1st percentile)
An issue was discovered in BlogEngine.NET through 3.3.6.0. A path traversal and Local File Inclusion vulnerability in PostList.ascx.cs can cause unauthenticated users to load a PostView.ascx component from a potentially untrusted location on the local filesystem. This is especially dangerous if an authenticated user uploads a PostView.ascx file using the file manager utility, which is currently allowed. This results in remote code execution for an authenticated user.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blogengine | blogengine.net | <= 3.3.6.0 | — |
| blogengine | blogengine.net | <= 3.3.7.0 | — |
| dotnetblogengine | blogengine.net | <= 3.3.7.0 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts via the unchecked 'theme' parameter used for path traversal; monitor HTTP GET requests containing '../../App_Data/files' in the theme query parameter.
- Alert on upload of a file named 'PostView.ascx' via the BlogEngine.NET file manager, as this is the malicious payload used to achieve RCE.
- Monitor for brute-force login attempts against /Account/login.aspx with repeated POST requests and 'Login failed' responses, indicative of credential stuffing or hydra-style attacks.
- Detect outbound TCP connections from the web server process (w3wp.exe or aspnet) to attacker-controlled IPs on non-standard ports (e.g. 4445), as spawned by the PostView.ascx reverse shell payload.
- Alert on cmd.exe being spawned as a child process of a .NET web application worker process, which is the execution mechanism used by the exploit's reverse shell component.
- Monitor writes to C:\Program Files (x86)\SystemScheduler\ by non-administrative users; the exploit chain replaces Message.exe in this directory for privilege escalation.
- Detect use of PowerShell Invoke-Expression (IEX) with WebClient.DownloadFile to download executables from remote hosts, used post-exploitation to stage meterpreter payloads.
- The exploit requires two conditions: an authenticated user must first upload the malicious PostView.ascx via the file manager, and then the path traversal via the theme parameter triggers unauthenticated RCE. Detection must cover both the upload phase and the traversal trigger.
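As an added example (not code from this page or from the BlogEngine.NET project), the script below applies the first two detections listed above to a few constructed access-log lines. It decodes the `theme` query parameter repeatedly so double-encoded values are caught, normalises backslashes, flags any value containing a `..` path segment, marks the specific `App_Data/files` value as the known IOC, and separately flags write requests whose URI carries a `PostView.ascx` filename. The simplified `method uri status` log format and the file-manager upload path in the sample are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (not taken from the page). The format
# "METHOD URI STATUS" and the upload path are assumptions for this example.
SAMPLE_LOG = """\
GET /blog/?theme=standard 200
GET /blog/?theme=../../App_Data/files 200
GET /blog/?theme=..%252F..%252FApp_Data%252Ffiles 200
POST /blog/filemanager/upload?name=PostView.ascx 200
GET /blog/contact.aspx 200
GET /blog/?theme=..%5C..%5Ctmp 200
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (defeats double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def theme_traversal(uri: str):
    """Return the decoded theme value if it contains a '..' path segment, else None."""
    parts = urlsplit(uri)
    # parse_qs already decodes one layer; fully_decode handles further layers.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("theme", []):
        decoded = fully_decode(raw).replace("\\", "/")
        if ".." in decoded.split("/"):
            return decoded
    return None


def postview_upload(method: str, uri: str) -> bool:
    """Flag write-type requests that carry the PostView.ascx filename (upload IOC)."""
    return method.upper() in ("POST", "PUT") and "postview.ascx" in fully_decode(uri).lower()


def scan_log(text: str):
    """Run both detections over log text; return one finding dict per hit, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        method, uri = m["method"], m["uri"]
        trav = theme_traversal(uri)
        if trav is not None:
            # Distinguish the exact IOC from the page from generic traversal.
            rule = ("theme-traversal-app_data-files"
                    if "app_data/files" in trav.lower() else "theme-traversal")
            findings.append({"line": lineno, "rule": rule, "value": trav})
        if postview_upload(method, uri):
            findings.append({"line": lineno, "rule": "postview-ascx-upload", "value": uri})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} -> {f['value']}")
```

The two rules are kept independent on purpose: the page notes that the chain needs both an upload and a traversal trigger, so either hit on its own is worth an alert, and a host showing both in sequence should be treated as a likely compromise.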
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA cross-references
- GHSA-hcx8-w26r-5c8f (CVE-2019-10720) [CRITICAL] · GHSA unreviewed · 2022-05-24 · CVSS 9.8: BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.
- GHSA-57jj-m8j9-9924 (CVE-2019-10719) [CRITICAL] CWE-22 · GHSA unreviewed · 2022-05-24 · CVSS 9.8: BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.
- GHSA-hm39-3528-68f4 (CVE-2019-6714) [CRITICAL] CWE-22 · GHSA unreviewed · 2022-05-14: same description as the CVE-2019-6714 text above.
No detection rules found.
References
- http://packetstormsecurity.com/files/151628/BlogEngine.NET-3.3.6-Directory-Traversal-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Jun/26
- https://blogengine.io/
- https://github.com/rxtur/BlogEngine.NET/
- https://www.exploit-db.com/exploits/46353/