BizTalk360 Directory Traversal Vulnerability Leading to Arbitrary File Write
Vulnerability
A directory traversal vulnerability has been identified in BizTalk360 versions prior to 11.6.3963.2611. The flaw arises from improper handling of user-supplied input in a file upload feature, allowing an authenticated attacker to write files outside the intended upload directory. The same input handling can also be used to make the application access remote files, which may enable further exploitation.
Impact
Successful exploitation allows an attacker to write arbitrary files on the server, including overwriting critical files. An attacker can also upload a malicious DLL that the application subsequently loads and executes, resulting in remote code execution.
Reproduction
The vulnerability can be reproduced by uploading a file through the 'UploadFile' endpoint of the 'AnalyticsDataService', which does not validate the client-supplied file path. The destination is built with 'Path.Combine', which neither normalizes '..' segments nor rejects rooted input: when its second argument is an absolute path, 'Path.Combine' returns that argument unchanged and the intended upload directory is discarded. An attacker can therefore supply a traversal sequence or an absolute path to place the file anywhere the service account can write. Once a DLL has been written in this way, it can be loaded and executed via the 'ValidateNotificationChannel' endpoint of the 'AlertService'.
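The following is an added example, not code from BizTalk360 or from this advisory, showing why the join-then-write pattern fails and one way to harden it. It is written in Python because os.path.join has the same two properties as .NET's Path.Combine that matter here: an absolute second argument replaces the first, and '..' segments are kept verbatim for the filesystem to resolve. The upload root, the sample file names and the helper names are constructed for illustration and are not the application's own.

```python
import os
import tempfile

# Constructed upload root for the demo (hypothetical; not the application's path).
UPLOAD_ROOT = os.path.join(tempfile.gettempdir(), "uploads_demo")

# Constructed client-supplied "file name" values: one legitimate, two malicious.
LEGIT = "report.csv"
TRAVERSAL = os.path.join("..", "..", "planted.dll")
ABSOLUTE = os.path.abspath(os.path.join(os.sep, "somewhere_else", "planted.dll"))


def naive_destination(upload_root: str, client_name: str) -> str:
    """Vulnerable pattern: join the client-supplied name straight onto the root.

    Like Path.Combine, os.path.join discards upload_root when client_name is
    absolute, and leaves '..' in place for the filesystem to walk upward.
    """
    return os.path.join(upload_root, client_name)


def escapes_root(upload_root: str, dest: str) -> bool:
    """True if the canonical form of dest lies outside the canonical root."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(dest)
    try:
        return os.path.commonpath([root, target]) != root
    except ValueError:
        # commonpath raises when paths share no prefix at all (e.g. different
        # drives on Windows); that is certainly an escape.
        return True


def safe_destination(upload_root: str, client_name: str) -> str:
    """Hardened pattern: accept only a bare file name, then prove containment."""
    # Reject anything that is not a plain file name: separators, rooted paths
    # and '..' must never reach the join at all.
    base = os.path.basename(client_name)
    if base != client_name or base in ("", ".", ".."):
        raise ValueError(f"rejected upload name: {client_name!r}")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, base))
    # Second, independent check on the canonical result: guards against a
    # symlink planted inside the upload directory pointing elsewhere.
    if escapes_root(root, candidate):
        raise ValueError(f"path escapes upload root: {candidate!r}")
    return candidate


def is_rejected(upload_root: str, client_name: str) -> bool:
    """Convenience wrapper: does the hardened resolver refuse this name?"""
    try:
        safe_destination(upload_root, client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in (LEGIT, TRAVERSAL, ABSOLUTE):
        naive = naive_destination(UPLOAD_ROOT, name)
        print(f"{name!r:40} naive -> {naive!r} escapes={escapes_root(UPLOAD_ROOT, naive)} "
              f"hardened rejects={is_rejected(UPLOAD_ROOT, name)}")
```

The basename check is what actually closes the hole; the containment check after canonicalisation is there so that a future change to the name handling cannot silently reopen it. Note that path containment alone does not address the second stage of this issue: if the application later loads whatever file a client managed to place on disk, the loader must also restrict where it loads from and what it will load, or an attacker who finds any other write primitive ends up in the same place.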
Remediation
Users are advised to update to BizTalk360 version 11.6.3963.2611 or later.
