BizTalk360 Remote Code Execution Vulnerability Due to Improper Access Control
Vulnerability
A remote code execution vulnerability exists in BizTalk360 versions prior to 11.6.3963.2611. The issue arises from incorrect access controls, which allow any authenticated user to upload a malicious DLL file. The application can then be made to load this DLL, executing arbitrary code on the server. The vulnerability can be exploited by uploading a crafted DLL through the 'UploadFile' endpoint of the 'AnalyticsDataService' and then triggering its execution via the 'ValidateNotificationChannel' endpoint of the 'AlertService'.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where BizTalk360 is installed.
Reproduction
To reproduce this vulnerability, first upload a malicious DLL file using the 'UploadFile' endpoint of the 'AnalyticsDataService'. This can be done by sending a POST request to the '/biztalk360/Services.REST/AnalyticsDataService.svc/UploadFile' endpoint, including the DLL file in the request. After the DLL is uploaded, the 'ValidateNotificationChannel' endpoint of the 'AlertService' can be used to load the DLL. This is done by sending a POST request to '/biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel', with the name of the uploaded DLL included in the request. Once the DLL is loaded, the code in the DLL will be executed on the server.
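A defender-side check for the sequence described above, added here as an example and not code from the advisory or from BizTalk360: one helper compares an installed build against the fixed version, the other scans IIS W3C log lines for a client that POSTs to the 'UploadFile' endpoint and then to 'ValidateNotificationChannel' within a time window. The log field order and the sample lines are constructed assumptions; adjust the field indexes to the site's actual W3C logging configuration.

```python
# Added defender-side check for the issue above (not code from the advisory or
# from BizTalk360). is_vulnerable() compares an installed build against the
# fixed version named in the advisory; find_upload_then_load() scans IIS W3C
# log lines for one client calling UploadFile and then ValidateNotificationChannel.
from collections import defaultdict
from datetime import datetime, timedelta

FIXED_VERSION = (11, 6, 3963, 2611)  # first fixed build per the advisory
UPLOAD_PATH = "/biztalk360/services.rest/analyticsdataservice.svc/uploadfile"
TRIGGER_PATH = "/biztalk360/services.rest/alertservice.svc/validatenotificationchannel"

# Constructed sample lines (not real traffic). Field order is an assumption:
# date time cs-method cs-uri-stem c-ip sc-status
SAMPLE_LOG = """\
2024-05-01 10:00:01 POST /biztalk360/Services.REST/AnalyticsDataService.svc/UploadFile 10.0.0.5 200
2024-05-01 10:00:02 GET /biztalk360/Services.REST/AlertService.svc/SomeOtherOperation 10.0.0.9 200
2024-05-01 10:00:40 POST /biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel 10.0.0.5 200
2024-05-01 11:30:00 POST /biztalk360/Services.REST/AlertService.svc/ValidateNotificationChannel 10.0.0.9 200
"""


def is_vulnerable(version: str) -> bool:
    """True if a dotted BizTalk360 version string is older than the fixed build."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


def find_upload_then_load(log_text: str, window_minutes: int = 60):
    """Return (client_ip, upload_ts, trigger_ts) for every client that POSTed
    to UploadFile and then to ValidateNotificationChannel within the window."""
    uploads = defaultdict(list)  # client ip -> timestamps of UploadFile POSTs
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # blank line or W3C directive line
        date, time_, method, uri, client, _status = line.split()[:6]
        if method != "POST":
            continue
        ts = datetime.fromisoformat(f"{date} {time_}")
        path = uri.lower()  # IIS paths are case-insensitive
        if path == UPLOAD_PATH:
            uploads[client].append(ts)
        elif path == TRIGGER_PATH:
            for up in uploads[client]:
                if timedelta(0) <= ts - up <= timedelta(minutes=window_minutes):
                    hits.append((client, up, ts))
    return hits
```

A hit means only that the two endpoints were called in order by one client; confirm by checking what file the upload carried and whether the host is still on a build older than 11.6.3963.2611.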
Remediation
Users are advised to update to BizTalk360 version 11.6.3963.2611 or later.