ResolveURLServlet pre-auth arbitrary file download vulnerability

Type atlassian
Reporter daniel16
Modified 2019-08-19T02:03:43


The {{ResolveURLServlet}} servlet is vulnerable to an arbitrary file download attack. As the servlet performs no authentication or authorization checks of its own, the flaw can be exploited anonymously (pre-auth).

The servlet takes an attacker-controlled {{url}} parameter and passes it straight to {{new URL(...).openConnection()}}. Because {{java.net.URL}} accepts any scheme the JRE has a handler for, the attacker can supply a {{file:}} URL (e.g. {{file:///etc/passwd}}) and the contents of that file are returned verbatim in the response body. In testing, this was used to retrieve private keys and login credentials of EC2 instances, SSH keys, configuration files, and most other data related to the on-demand service stack. File system access is limited to what the user running the JVM process can read.

File: components\bamboo-web\src\main\java\com\atlassian\bamboo\agent\Classserver\

{code:java|borderStyle=solid}
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLDecoder;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.io.IOUtils;
import org.apache.log4j.Logger;

public class ResolveURLServlet extends AgentServerServlet {
    private static final Logger log = Logger.getLogger(ResolveURLServlet.class);

    @Override
    protected void calculateResult(final HttpServletRequest httpServletRequest,
                                   final HttpServletResponse httpServletResponse)
            throws IOException, ClassNotFoundException {
        // Attacker-controlled: read straight from the query string, with no authentication required.
        String url = httpServletRequest.getParameter("url");
        log.debug("Resolving URL:" + url);
        // URL-decoded a second time (the container already decoded the parameter once), then opened
        // with whatever scheme java.net.URL accepts, including file:
        final URLConnection urlConnection = new URL(URLDecoder.decode(url, "UTF-8")).openConnection();
        final InputStream inputStream = urlConnection.getInputStream();
        try {
            // Whatever the URL resolved to is returned verbatim as application/octet-stream.
            final byte[] content = IOUtils.toByteArray(inputStream);
            copyToResponse(httpServletResponse, content.length, APPLICATION_OCTET_STREAM,
                           new ByteArrayInputStream(content));
        } finally {
            inputStream.close();
        }
    }
}
{code}

The following screenshot demonstrates this vulnerability being exploited to download the /etc/passwd file from an on-demand instance. !ResolveURL.PNG!