Thursday, March 22, 2018

[FD] Bomgar Remote Support Portal JavaStart Applet <= 52970 - Path Traversal

Hey,

A Path Traversal vulnerability was found in a component of the Bomgar Remote Support Portal (RSP) [1]. The affected component is the JavaStart.jar applet, hosted at https://TARGET/api/content/JavaStart.jar on vulnerable RSP deployments. JavaStart version 52970 and prior were confirmed to be vulnerable.

Analysis of the applet revealed that App.class suffers from a Path Traversal vulnerability. The vulnerable class calls the File() constructor with the value of the "url" parameter as its argument. The "url" parameter is supplied through the HTML tag that passes arguments to applets embedded on web sites, in this case the JavaStart.jar applet. Successful exploitation results in the creation, modification or deletion of files with the privileges of the user running the Java applet.

To exploit this vulnerability, a victim would have to visit an attacker-controlled website and allow the Java applet to execute. It may be argued that the Path Traversal is not an issue in this case because the victim has to download and run unknown code. While this is usually correct, one needs to consider that anyone can embed the JavaStart.jar applet on their website while the applet itself is hosted at a legitimate/trustworthy location (i.e. for successful exploitation the attacker needs to control only the , not the contents of the archive or the domain it is hosted at). Additionally, the applet is digitally signed by a trustworthy organisation. Last but not least, the purpose of the applet itself makes it easy to convince/trick users.

The final impact of the vulnerability heavily depends on additional factors, such as the operating system, the web browser and its settings, Java settings, the privileges of the user running the applet, etc. The vulnerability was successfully exploited on Windows 7 running IE 11 with its default configuration. On Mac OS Sierra running Safari 10.1, the Java restrictions prevented traversing outside of the temp/sandbox directory. The PoC exploiting this vulnerability is included below:
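As an added illustration of the class of bug described above (this is not the author's PoC and not the applet's source; the class and method names are hypothetical), the following Java shows a File built directly from an applet parameter next to a containment check that canonicalizes the path and rejects anything resolving outside the intended base directory:

```java
import java.io.File;
import java.io.IOException;

// Added example, not code from the Bomgar applet. "urlParam" stands in for the
// value an applet would read from its "url" parameter; the base directory is
// whatever location the applet is supposed to write into.
public class SafeDownloadPath {

    // Unsafe pattern: the parameter value is handed straight to File(), so a
    // value such as "../../outside.txt" escapes the intended directory.
    static File unsafeTarget(File baseDir, String urlParam) {
        return new File(baseDir, urlParam);
    }

    // Hardened form: canonicalize both paths (collapses "..", resolves
    // symlinks, normalizes separators) and require the result to stay under
    // the base directory. A string filter for ".." alone would be weaker,
    // since encodings and symlinks can bypass it.
    static File safeTarget(File baseDir, String urlParam) throws IOException {
        File base = baseDir.getCanonicalFile();
        File candidate = new File(base, urlParam).getCanonicalFile();
        String basePrefix = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new IOException("path traversal rejected: " + urlParam);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: two benign relative paths and one traversal.
        File base = new File(System.getProperty("java.io.tmpdir"), "applet-sandbox");
        base.mkdirs();
        String[] inputs = { "update.jar", "sub/dir/file.bin", "../../outside.txt" };
        for (String in : inputs) {
            System.out.println("unsafe -> " + unsafeTarget(base, in).getCanonicalPath());
            try {
                System.out.println("safe   -> " + safeTarget(base, in));
            } catch (IOException e) {
                System.out.println("safe   -> " + e.getMessage());
            }
        }
    }
}
```

The trailing separator on the base prefix matters: without it, a base of /tmp/applet-sandbox would also accept /tmp/applet-sandbox-evil. Comparing canonical paths rather than the raw parameter is what makes the check hold regardless of how the traversal is spelled.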
