Our Brand New CVE — Authenticated Remote Code Execution (RCE) on Elvis Dam

We have identified during a pentesting an Authenticated Remote Code Execution (RCE) vulnerability in Elvis DAM version 6.98.1, build 429 that exploits the Apache Ant script functionality within the platform’s control panel. This flaw allows authenticated users to execute arbitrary commands, which could potentially result in a full system compromise. This vulnerability got us the CVE-2024–37779.

Vulnerability Details

The vulnerability resides in the plugins/active/…/ant.script.xml file, where an attacker can alter the file with a malicious payload. By abusing Apache Ant’s command execution functionality, an authenticated user can establish a connection to a Command and Control (C2) server controlled by the attacker’s auditing team.

Steps to reproduce the issue:

1.Authenticate to the Elvis DAM Management Console.

2.Navigate to Server configuration > Files, and search for “ant”. Open the ant.script.xml file.

3.Modify the code to execute any command of your choosing. For example, the following command returns the user running the process:

<?xml version=”1.0"?>
<project>
 <target name=”run”>
 <exec executable=”/bin/sh” outputproperty=”baroverride.out”>
 <arg value=”-c”/>
 <arg value=”id”/>
 </exec>
 <echo>baroverride.out: ${baroverride.out}</echo>
 </target>
</project>

4.Save the changes and proceed to the Plugins > Scheduled Plugins section. Select the plugin and click Execute Plugin to run it.

5.After execution, the results can be retrieved by downloading plugin logs from Support tools. The logs are packaged in a .zip file, with individual plugin execution logs saved in .txt files.

6.BOOM! We have the RCE:

Recommendations

We strongly advise the following actions to mitigate this vulnerability:

1. Apply Input Validation: Ensure that only trusted and expected input is allowed within the Apache Ant scripting functionality. All user input must be sanitized to prevent the execution of arbitrary commands.
2. Restrict Plugin Execution: Limit the ability to execute plugins only to authorized administrators, and ensure that these operations are logged and monitored.
3. Patch the Issue: The Elvis DAM team should release a patch that removes or restricts the unsafe command execution functionality within the affected Ant script.
4. Monitor Logs: Regularly audit and monitor plugin logs to detect any abnormal activity or unauthorized executions.
5. Update Access Control: Implement tighter role-based access controls (RBAC) within the management console to limit the exposure to trusted users only.

Timeline of Disclosure

• 21/04/2024: Initial discovery of the vulnerability.
• 12/06/2024: First contact with the Elvis DAM team via email at team@swivle.com.
• 17/06/2024: Second attempt to contact the Elvis DAM team.
• 25/06/2024: Third attempt to reach out to the Elvis DAM team.
• 18/07/2024: Fourth attempt to communicate the issue to the Swivle team.
• 10/09/2024: Fifth and final attempt to communicate the issue to the Swivle team and letting them know we’re going to publish the CVE. Also, no bounty received by them as mentioned at their website.
• 21/09/2024: No contact from them. Vulnerability Published.

Despite multiple attempts to notify the vendor, we have not received any response. In adherence to the OWASP Responsible Disclosure Guidelines, and given that the Elvis DAM team did not acknowledge or addressed the vulnerability, we are publishing the details publicly.

Researchers

• David Silva (https://www.linkedin.com/in/msc-david-s-6b79b241/)
• CyberX — The Ethical Hacking Services (https://www.linkedin.com/company/cyberx-portugal/)
• Fujitsu Portugal

Stay vigilant and ensure your systems are protected! Always count on REAL ethical hackers for your audit :D