CVE-2017-12815 in Remote Support Portal JavaStart.jar Applet
Summary
by MITRE
Analysis of the Bomgar Remote Support Portal JavaStart.jar Applet 52790 and earlier revealed that it is vulnerable to a path traversal vulnerability. The archive can be downloaded from a given Bomgar Remote Support Portal deployment at https://domain/api/content/JavaStart.jar and is callable from an arbitrary website using <object> and/or <applet> HTML tags. Successful exploitation results in file creation/modification/deletion in the operating system and with privileges of the user that ran the Java applet.
Analysis
by VulDB Data Team • 01/16/2020
The vulnerability identified as CVE-2017-12815 represents a critical path traversal flaw within the Bomgar Remote Support Portal JavaStart.jar applet version 52790 and earlier. This vulnerability exists within the remote support portal's Java applet implementation that can be accessed through the specific endpoint https://domain/api/content/JavaStart.jar. The Java applet is designed to be embedded within web pages using standard HTML object and applet tags, making it susceptible to exploitation through malicious web content. The vulnerability stems from insufficient input validation and improper handling of file paths within the applet's file system operations, allowing attackers to manipulate the path resolution mechanism to access or modify arbitrary files on the target system.
The technical exploitation of this vulnerability occurs when a victim visits a malicious webpage that embeds the vulnerable Java applet through object or applet HTML tags. The applet, when executed, can traverse the file system using relative path references that bypass normal access controls. This path traversal vulnerability allows for arbitrary file operations including creation, modification, and deletion of files on the target system. The severity of this vulnerability is amplified by the fact that the applet executes with the privileges of the user who launched the Java runtime environment, potentially enabling attackers to gain unauthorized access to sensitive system resources or execute malicious code with elevated privileges.
The operational impact of this vulnerability extends beyond simple file system manipulation, as it can enable attackers to establish persistent access to compromised systems and potentially escalate privileges further. The vulnerability affects organizations that rely on Bomgar Remote Support Portal deployments for remote technical support, creating a significant risk for enterprises where remote access is frequently used. Attackers can leverage this vulnerability to place malicious files on the target system, modify configuration files, or even install backdoors that persist across system reboots. The vulnerability also presents challenges for network defense due to its ability to be triggered through web-based attacks without requiring any special user interaction beyond visiting a malicious website.
Organizations should implement immediate mitigations including disabling Java applets in web browsers, updating to patched versions of Bomgar Remote Support Portal, and implementing network-level restrictions to prevent access to the vulnerable endpoint. The vulnerability aligns with CWE-22 Path Traversal and is categorized under the MITRE ATT&CK framework as part of the privilege escalation and persistence techniques. Security teams should also consider implementing web application firewalls to block access to the specific JavaStart.jar endpoint and conduct thorough vulnerability assessments to identify all instances of the vulnerable applet within their network infrastructure. Additionally, organizations should review their remote support procedures and implement alternative secure remote access solutions that do not rely on potentially vulnerable Java applets.
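To support the assessment step above, the following added example (not VulDB's or Bomgar's code) scans web proxy logs for fetches of the JavaStart.jar endpoint and separates loads referred by the portal itself from loads referred by another site. The log format, host names and addresses are constructed, and it assumes the proxy records a Referer value for the archive request.

```python
import re
from urllib.parse import urlsplit

# Applet archive path from the advisory, lower-cased for comparison.
APPLET_PATH = "/api/content/javastart.jar"

# Constructed sample; assumed line format:
#   time client "METHOD URL PROTO" status "referer"
SAMPLE_LOG = """\
2020-01-16T09:00:01Z 10.0.0.5 "GET https://support.example.com/api/content/JavaStart.jar HTTP/1.1" 200 "https://support.example.com/session"
2020-01-16T09:02:13Z 10.0.0.9 "GET https://support.example.com/api/content/JavaStart.jar HTTP/1.1" 200 "http://news.example.net/article.html"
2020-01-16T09:03:40Z 10.0.0.7 "GET https://support.example.com/api/content/JAVASTART.JAR?x=1 HTTP/1.1" 200 "-"
2020-01-16T09:04:02Z 10.0.0.5 "GET https://support.example.com/login HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')


def classify(line):
    """Return a finding for an applet fetch, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status, referer = m.groups()
    target = urlsplit(url)
    # Compare the path only, case-insensitively, ignoring any query string.
    if target.path.lower() != APPLET_PATH:
        return None
    ref_host = None if referer in ("", "-") else urlsplit(referer).hostname
    if ref_host is None:
        verdict = "no-referer"   # cannot tell which page embedded the applet
    elif ref_host == target.hostname:
        verdict = "same-site"    # loaded from the portal's own pages
    else:
        verdict = "cross-site"   # embedded by a different website
    return {"time": ts, "client": client, "portal": target.hostname,
            "referer_host": ref_host, "verdict": verdict}


def applet_fetches(log_text):
    """Collect findings for every applet fetch in the log text."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in applet_fetches(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["portal"], hit["verdict"], hit["referer_host"])
```

Every hit identifies a client that still runs the applet and a portal that still serves it. A missing Referer is not evidence of a same-site load, so those hits are kept for review rather than dropped.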