VertiGIS FM Local File Inclusion Vulnerability Allowing Arbitrary File Read and Potential Remote Code Execution
Vulnerability
An arbitrary file read vulnerability, reported as a local file inclusion issue, has been identified in VertiGIS FM version 10.5.00119. An authenticated attacker can manipulate the file path submitted during the upload process so that it points at an existing file on the server; when the "uploaded" file is later downloaded, the application serves the file from the attacker-controlled path instead of the content that was actually uploaded. Because the application runs on ASP.NET, reading 'web.config' is particularly dangerous: that file typically holds connection strings and, where configured, the machineKey, and a leaked machineKey allows an attacker to forge signed ViewState and achieve remote code execution through ASP.NET deserialization. In addition, because the application accepts UNC paths, an attacker can supply a path on an SMB share they control; the server then authenticates to that share, exposing the Application Pool identity's NTLM credentials to capture or relaying.
Impact
Successful exploitation gives an authenticated user read access to any file the Application Pool identity can read, including application source, configuration and data outside the upload directory. If 'web.config' is obtained, a machineKey contained in it allows forged ViewState payloads and therefore remote code execution via ASP.NET deserialization, and connection strings in the same file expose backend databases. Supplying a UNC path causes the server to authenticate to an attacker-controlled SMB share, enabling capture of the Application Pool identity's NetNTLM hash or an NTLM relay to other hosts, which can compromise that service account and the systems it is trusted by.
Reproduction
The vulnerability can be reproduced with an authenticated account by uploading a file through the application's upload feature while manipulating the file path so that it references an existing server file, for example 'C:\Windows\win.ini' (a harmless file present on every Windows host and therefore a safe proof of the read). When the upload is then downloaded through the application's interface, the response contains the contents of 'win.ini' rather than the file that was originally uploaded. The same path manipulation is the vector for the UNC path behaviour described above.
Remediation
Users are advised to update to VertiGIS FM version 10.11.363, where this vulnerability has been patched. As defence in depth, run the application under a dedicated Application Pool identity whose file-system permissions are restricted to the directories it actually needs (in particular no read access to system files or to other applications' 'web.config' files), and block outbound SMB (TCP 445) from the web server so that a UNC path cannot be used to leak the identity's credentials.
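As an added example, not VertiGIS code and not the vendor's patch, the following Python function shows the kind of path check the upload handler needed: it rejects absolute paths such as 'C:\Windows\win.ini', rooted and drive-relative paths, UNC paths and traversal sequences, and confirms that the resolved path still sits inside the upload directory. The upload root and the sample file names are assumptions; Windows path semantics are emulated with the standard ntpath module so the check runs on any platform.

```python
import ntpath
from typing import Optional

# Hypothetical upload directory (assumption; the real location is not documented on this page).
UPLOAD_ROOT = r"C:\inetpub\vertigisfm\uploads"


class UnsafePathError(ValueError):
    """Raised when a client-supplied file name must not be used as a server path."""


def resolve_upload_path(user_supplied: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Map a client-supplied file name to a path guaranteed to sit under upload_root.

    Windows path rules are emulated with ntpath so the check behaves the same on any host.
    Each rejection corresponds to one way the unpatched handler could be steered to another file.
    """
    if not user_supplied:
        raise UnsafePathError("empty file name")
    if "\x00" in user_supplied:
        raise UnsafePathError("NUL byte in file name")

    # Windows accepts both separators; normalise so every later check sees backslashes.
    candidate = user_supplied.replace("/", "\\")

    # UNC path (\\host\share\...): the server would authenticate to an attacker's SMB share.
    if candidate.startswith("\\\\"):
        raise UnsafePathError("UNC path rejected")

    # Drive-qualified (C:\...), drive-relative (C:file) and rooted (\Windows\...) paths.
    drive, _ = ntpath.splitdrive(candidate)
    if drive or candidate.startswith("\\"):
        raise UnsafePathError("absolute path rejected")

    # Collapse "." and ".." first; any ".." that survives normalisation escapes the root.
    normalized = ntpath.normpath(candidate)
    if normalized == "." or any(part == ".." for part in normalized.split("\\")):
        raise UnsafePathError("directory traversal rejected")

    # Final containment check: the joined path must still have upload_root as its prefix.
    root = ntpath.normpath(upload_root)
    final = ntpath.normpath(ntpath.join(root, normalized))
    try:
        inside = ntpath.commonpath([root, final]) == root
    except ValueError:  # paths on different drives share no common prefix
        inside = False
    if not inside or final == root:
        raise UnsafePathError("resolved path escapes upload root")
    return final


def rejection_reason(user_supplied: str) -> Optional[str]:
    """Return why a name would be rejected, or None if it is safe (useful for logging/detection)."""
    try:
        resolve_upload_path(user_supplied)
    except UnsafePathError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate uploads, the rest are the kinds
    # of values that turned the upload into an arbitrary file read or an outbound SMB call.
    samples = [
        "report.pdf", "2024/site-plan.dwg",
        r"C:\Windows\win.ini", r"..\..\..\inetpub\wwwroot\web.config",
        r"\\attacker\share\loot", r"\Windows\win.ini", "C:win.ini", "a/../../web.config",
    ]
    for name in samples:
        print(f"{name!r:45} -> {rejection_reason(name) or resolve_upload_path(name)}")
```

The check normalises before looking for '..' because a value such as 'a/../../web.config' contains a traversal component only after the harmless 'a/..' pair has been collapsed; the final commonpath comparison is the backstop in case a future change to the earlier rules lets something through. The same rejection reasons can be logged by the application and used as a detection signal for attempts against unpatched instances.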
