ASA-2021-01 | Ardent Security

Ardent Security Advisory

Ardent Security regularly identifies zero-day vulnerabilities and exploits in various products. We believe in responsible disclosure.

#####################################################################################

# Ardent Security Advisory

# Original Disclosure: https://www.ardent-security.com/advisory/ASA-2021-01/ASA-2021-01_CVE-2021-29393.txt

#####################################################################################

# Product: NorthStar Club Management 6.3

# Vendor: Northstar Technologies Inc

# URL: https://www.globalnorthstar.com/

# ASA ID: ASA-2021-01

# CVE ID: CVE-2021-29393

#CWE ID: CWE-78 – OS Command Injection

# Subject: Unauthenticated Remote Code Execution

# Severity: High

# Author: Alexandre LaRocque, CEO <[email protected]>

# Date: 2022-01-27

#####################################################################################

Description:

The NorthStar Club Management 6.3 web application has an undocumented Admin portal (/Admin/monitor/showNSTools.jsp) providing many administrative functionalities. The “cominput.jsp” page is vulnerable to an arbitrary system command injection. The “command” and “commandvalues” parameters can be modified by an attacker to execute any system command on the web application’s host. Furthermore, due to a systemic lack of proper authentication, it is possible to access this vulnerable page without credentials. Thus, remote code execution can be achieved without authentication on the host of the NorthStar web application. This vulnerability was identified by Ardent Security experts while performing penetration testing in Toronto, Canada.

Technical Description:

Due to the dominant market share of the product, no proof-of-concept code is provided.

Affected version(s):

Only NorthStar Club Management 6.3 was tested. Older versions could be vulnerable.

Workaround / Fix:

It is unknown if this vulnerability has been fixed by the vendor.

Vulnerability Severity:

CVSS v3.1 Metrics [2]:

– CVSS Base Score: 10 (High)

– CVSS Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Timeline:

2021-03-18: Vulnerability discovery

2021-03-27: Contacted vendor about the vulnerability

2021-03-27: Vendor was given a 90-days period

2021-06-27: Vendor was given an additional 90-days period

2021-09-27: Vendor was given an additional 90-days period

2022-01-27: Public disclosure

References:

[1] https://www.ardent-security.com/advisory/ASA-2021-01

[2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H&version=3.1