Source: https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html
A detailed post on how I chained 3 vulnerabilities (a path traversal, an SSRF in an external piece of software, and a post-authentication RCE) into a full pre-auth RCE in Pascom's Cloud Phone System.
Introduction
Pascom Cloud Phone System (CPS) provides integrated communication solutions for businesses and individuals. You can read more about it here.
After downloading their free trial, which can be installed in VirtualBox, I discovered 3 vulnerabilities that, chained together, lead to an unauthenticated attacker gaining root on these devices. Below I'll describe all three bugs and how I was able to chain them into a full exploit.
These bugs have been patched in 7.20.x versions. If your CPS instance is hosted in the cloud (provided by Pascom), then the second bug does not exist, which breaks the chain. It is still affected by the RCE, although by the time this blog is published it will be patched automatically for cloud users.
We advise all users hosting their own installs of CPS to update to the latest version ASAP.
Pascom CPS System Structure
Before we get into the vulnerabilities, we should look at how the Pascom CPS is structured. The system runs a Linux-based OS, but the products are deployed in an interesting way. Instead of running the services in the same environment (OS), CPS has multiple LXC containers providing a variety of services.
There are 4 containers, and they provide different services such as a database and web UI services. Since our RCE will run within one of these containers, we cannot gain access to the host OS. But since everything interesting is contained within these containers, this does not limit the severity of the bugs. I still felt this was interesting enough to mention. Now, on with the bugs.
Path traversal in Nginx to Tomcat reverse proxy requests (CVE-2021-45968)
The web UI exposes a Java endpoint using an Nginx reverse proxy. Using a known path traversal issue (see