An exploitable command execution vulnerability exists in Information Builders WebFOCUS Business Intelligence Portal 8.1 . A specially crafted web parameter can cause a command injection. An authenticated attacker can send a crafted web request to trigger this vulnerability.
Information Builders WebFOCUS Business Intelligence Portal 8.1
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
WebFOCUS Business Intelligence Portal 8.1 was found to be vulnerable to an authenticated WebFOCUS code injection attack that resulted in arbitrary command execution on the underlying OS of the host system with the same privileges as those of the web server running the BI portal. To exploit this vulnerability, successful login with a valid user account is required, which has the necessary privileges to access the WebFOCUS Business Intelligence Portal dashboard. Code injection is achieved on the following URL: /ibi_apps/WFServlet
The injection happens on one of the dynamic URL parameters used on this specific URL, a parameter that is directly used within a WebFOCUS language query, which is used by the application to generate dynamic reports. By successfully injecting WebFOCUS code on this URL parameter while properly completing the expected syntax, an attacker can leverage the "! " statement of WebFOCUS which allows for system commands to be executed via the reporting module code. Successfully exploiting this vulnerability results in arbitrary command execution on the underlying Operating System, which in turn can result in full system compromise depending on the level of access the web server is running with.
Restrict access to known, trusted users and hosts.
2016-10-31 - Vendor Disclosure
2016-12-20 - Final attempt to contact vendor after no response
2017-07-19 - Public Release
Discovered by Alfonso Alguacil and Georgios Papakyriakopoulos of Portcullis Computer Security Limited.