Rapid4 Local File Inclusion (0day)

=======================================
Vulnerability Information
=======================================

Exploit Title: Local File Inclusion (“GetFile.aspx”)
Software: RapidFlows Enterprise Application Builder
Vulnerable Version: 4.5M.23 (.NET Framework 4.5 Version) and below
Fixed Version: 4.5M.24 (.NET Framework 4.5 Version)
Vendor Homepage: http://rapidflows.com/
Software Link: http://rapidflows.com/
CVE number: CVE-2019-11397
Found: January 14th 2019
Author: Manich Koomsusi, Pongtorn Angsuchotmetee
SnoopBees Lab
https://www.snoopbees.com

=======================================
Description
=======================================

Rapid4 is a Rapid Web Application Development (RAD) tool that lets customers easily build and host web-based applications. Using a drag and drop approach, anyone can easily set up data entry forms, business logic, workflows, reports and charts, all over the web in your favourite browser.

All business applications revolve more or less around the same things — a database, basic CRUDS functionality (Create, Read, Update, Delete and Search records) and the ability to visualize your data in reports and charts. An application might also come with bells and whistles, such as data validation, business logic, security and access rights.

Rapid4 lets you create applications faster because it takes away the tedious work of having to write code to do all of the above. The platform automatically handles a large portion of the requirements of a standard business application, requiring you to only define the forms and fields you need. In summary, using a drag and drop approach, you can easily set up data entry forms, business logic, workflows, reports and charts, all over the web in your favourite browser.

=======================================
Vulnerability
=======================================

  1. Local File Inclusion (also known as LFI) is the process of including files that are already locally present on the server by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

=======================================
Proof of Concept
=======================================

1) Local File Inclusion

The vulnerability affects the file “GetFile.aspx”. When a user tries to download a file from the server, the application platform redirects the user to “GetFile.aspx”, which takes a parameter named “FileDesc”. The “FileDesc” parameter contains a random string and a filename, separated by %3b (a URL-encoded semicolon). Once the filename section is known, an attacker can replace the filename with a directory traversal payload and read local files on the server, such as the “web.config” file.

1.1 The parameter “FileDesc” contains a random string and a filename, both separated by %3b.

1.2 Gain access to a local file (web.config)
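The FileDesc handling described above, turned into a detection check that a defender can run over IIS request logs. This is an added example, not part of the original advisory or the vendor's code; the W3C log lines, the token k7Qz91, the client IP addresses and the flagging rules are constructed assumptions.

```python
"""Flag traversal attempts against Rapid4 GetFile.aspx in IIS W3C log lines."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Constructed sample lines (date time s-ip method uri-stem uri-query port user c-ip status).
SAMPLE_LOG = """\
2019-01-14 10:00:01 10.0.0.5 GET /GetFile.aspx FileDesc=k7Qz91%3breport.pdf 443 - 192.0.2.10 200
2019-01-14 10:00:07 10.0.0.5 GET /GetFile.aspx FileDesc=k7Qz91%3b..%2f..%2fweb.config 443 - 192.0.2.77 200
2019-01-14 10:00:09 10.0.0.5 GET /Default.aspx - 443 - 192.0.2.10 200
2019-01-14 10:00:12 10.0.0.5 GET /GetFile.aspx FileDesc=k7Qz91%3b..%5c..%5cweb.config 443 - 192.0.2.77 200
2019-01-14 10:00:15 10.0.0.5 GET /GetFile.aspx FileDesc=k7Qz91 443 - 192.0.2.10 400
"""

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")      # a ".." path segment with / or \
SENSITIVE = {"web.config", "machine.config", "global.asax"}  # assumed watch list

def split_file_desc(raw: str):
    """Decode FileDesc and split it into (random_token, filename) at the ';' (%3b)."""
    decoded = unquote(raw)  # parse_qs decodes once; a second pass catches double encoding
    if ";" not in decoded:
        return None
    token, _, filename = decoded.partition(";")
    return token, filename

def classify(filename: str) -> Optional[str]:
    """Return a reason when the filename part is anything other than a plain file name."""
    if TRAVERSAL.search(filename):
        return "dot-dot traversal"
    if filename.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", filename):
        return "absolute path"
    if "/" in filename or "\\" in filename:
        return "path separator in filename"
    if filename.lower() in SENSITIVE:
        return "sensitive file name"
    return None

def scan_log(text: str):
    """Return (time, client_ip, raw_param, reason) for every suspicious GetFile.aspx request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[4].lower() != "/getfile.aspx":
            continue
        for raw in parse_qs(fields[5], keep_blank_values=True).get("FileDesc", []):
            parts = split_file_desc(raw)
            reason = classify(parts[1]) if parts else None
            if reason:
                hits.append((fields[1], fields[8], raw, reason))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the filename part after the separator is inspected, so legitimate downloads with an unusual random token are not flagged.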

=======================================
Timeline
=======================================

2019-01-14: Discovered the bug
2019-01-15: Reported to vendor
2019-02-14: Vulnerability fixed
2019-04-10: Requested CVE
2019-04-22: Advisory published

=======================================
Discovered By
=======================================

Manich Koomsusi, Pongtorn Angsuchotmetee

=======================================
Reference
=======================================

https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion