GetResourceServlet pre-auth arbitrary file download vulnerability

Type atlassian
Reporter daniel16
Modified 2015-09-22T08:56:29


The {{GetResourceServlet}} Servlet is vulnerable to an arbitrary file download attack. As the Servlet doesn’t implement its own authorization checks, this can be exploited anonymously.

By taking an attacker-controlled {{name}} parameter and using it in a call to {{URLConnection.openConnection()}}, an attacker can supply the path of an arbitrary file location (e.g. file:///etc/passwd) to be served in the response. In testing, this vulnerability was used to retrieve private keys and login credentials of EC2 instances, SSH keys, configuration files, and most other data related to the on-demand service stack. File system access appears to be restricted to that of the JVM process.

File: components\bamboo-web\src\main\java\com\atlassian\bamboo\agent\Classserver\

{code:java}
public class GetResourceServlet extends AgentServerServlet
{
    private static final Logger log = Logger.getLogger(GetResourceServlet.class);

    @Override
    protected void calculateResult(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws IOException
    {
        AgentServerManager agentServerManager = getAgentServerManager();
        if (agentServerManager != null)
        {
            // Request parameter used as-is: no validation of scheme, path separators or ".." segments,
            // and no authorization check in this servlet.
            String name = httpServletRequest.getParameter("name");
            final URL resource = agentServerManager.getClassLoader().getResource(name);
            if (resource == null)
            {
                String currentUrl = httpServletRequest.getRequestURI();
                if (log.isDebugEnabled())
                {
                    log.debug("Unable to find '" + name + "' from '" + currentUrl + "'. Returning status code 404.");
                }
                httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, "Unable to find '" + name + "' from '" + currentUrl + "'.");
            }
            else
            {
                // Whatever URL the class loader resolved (including a file: URL) is opened and
                // streamed back to the client without checking its protocol or location.
                URLConnection urlConnection = resource.openConnection();
                int contentLength = urlConnection.getContentLength();
                if (log.isDebugEnabled())
                {
                    log.debug("Fetching resource with name = " + name + ", " + " resource = " + resource + " " + contentLength);
                }
                copyToResponse(httpServletResponse, contentLength, APPLICATION_OCTET_STREAM, urlConnection.getInputStream());
            }
        }
        else
        {
            log.debug("Application Context is not yet set up, agentServerManager is null");
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Application Context is not yet set up.");
        }
    }
}
{code}

The following screenshot demonstrates this vulnerability being exploited to download the /etc/passwd file from an on-demand instance. !GetResource.PNG!
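The two gaps in the servlet above are that the {{name}} value is never validated and that the URL the class loader returns is never checked before it is streamed. The lookup below closes both; it is an illustrative example added here, not Atlassian's fix or Bamboo code, and the class name, method names and the protocol allowlist are assumptions.

```java
import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical hardened resource lookup (not Bamboo's own code).
public final class SafeResourceLookup {
    // Plain relative paths only: segments of [A-Za-z0-9_$.-] that never start with '.',
    // joined by '/'. This rejects URL schemes ("file:"), a leading '/', backslashes,
    // "." and ".." segments, and anything outside printable ASCII.
    private static final Pattern SAFE_NAME =
        Pattern.compile("(?:[A-Za-z0-9_$-][A-Za-z0-9_$.-]*/)*[A-Za-z0-9_$-][A-Za-z0-9_$.-]*");

    // Protocols a class loader returns for resources bundled with the application
    // (jar: on Java 8, jrt: for JDK modules on Java 9+). Assumed allowlist.
    private static final Set<String> ALLOWED_PROTOCOLS =
        new HashSet<>(Arrays.asList("jar", "jrt"));

    public static boolean isSafeName(String name) {
        if (name == null || name.length() > 512) return false;
        if (!SAFE_NAME.matcher(name).matches()) return false;
        // Defence in depth: keep rejecting dot segments even if the pattern is relaxed later.
        for (String segment : name.split("/")) {
            if (segment.equals(".") || segment.equals("..")) return false;
        }
        return true;
    }

    /** Returns the resource URL, or null when the name or the resolved URL is not acceptable. */
    public static URL resolve(ClassLoader loader, String name) {
        if (!isSafeName(name)) return null;
        URL resource = loader.getResource(name);
        if (resource == null) return null;
        // Second gate: refuse file: (or any other non-allowlisted) URLs even if the
        // class loader produced one for a syntactically clean name.
        if (!ALLOWED_PROTOCOLS.contains(resource.getProtocol())) return null;
        return resource;
    }

    public static void main(String[] args) {
        ClassLoader cl = ClassLoader.getSystemClassLoader();
        // Constructed probes: one legitimate classpath resource, three that must be refused.
        String[] probes = {"java/lang/Object.class", "file:///etc/passwd", "../../etc/passwd", "/etc/passwd"};
        for (String probe : probes) {
            System.out.println(probe + " -> " + resolve(cl, probe));
        }
    }
}
```

If classes are served from an exploded directory rather than jars, the loader legitimately returns file: URLs; in that case widen the allowlist deliberately and also verify the resolved path stays under the expected base directory, rather than dropping the protocol check.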