Apache Jetspeed portal 2.3.0 and earlier: remote code execution vulnerability analysis

2016-03-10T00:00:00
ID MYHACK58:62201672442
Type myhack58
Reporter 佚名 (anonymous)
Modified 2016-03-10T00:00:00

Description

As one of my personal "friendly open-source software security checks", I decided to take a look at Apache Jetspeed 2, specifically v2.3.0. In its own words, Jetspeed is: "An open portal platform and enterprise information portal, written entirely on open standards, Apache-licensed, in Java and XML. All access through the portal is governed by a strict security policy. Within a Jetspeed portal, individual components can be aggregated into pages. Each component is a separate application, with Jetspeed acting as the central hub that integrates and delivers them, so that multiple information sources can be brought together and managed with easy access." I don't know how many people use Jetspeed, but the official page does list many companies and organizations, and a quick search turns up more case studies. Since installations of this kind tend to be exposed on the network, Jetspeed appears to have a substantial user base.

While auditing its code I ran into several serious vulnerabilities. What follows is the write-up of two of them which, combined, lead to pre-authentication remote code execution. I had not intended to publish this yet, but Apache has released the relevant advisory, so I reckon the official fix is about to land. Jetspeed v2.3.1 will be released later this month, so if you run Jetspeed v2, make sure to install the latest version.

Unauthenticated access to the Apache Jetspeed user management REST API

Affected versions: Jetspeed 2.3.0 and unknown earlier versions.

I found this issue while verifying an SQL injection in the user management (CVE-2016-0710), which it allows an attacker to exploit without authorization. This vulnerability has no CVE of its own, but the description of CVE-2016-0710 clearly mentions it: "There is also an authentication vulnerability, as those Jetspeed URLs can be accessed without authorization."

This is probably the most serious of the issues I found, because it lets an unauthenticated attacker take control of all of the portal's information. It stems from the user management service of the Jetspeed REST API not enforcing authentication. An unauthenticated attacker can therefore add, edit and delete portal users, grant a user administrative permissions, and reset existing users' passwords.

Example: creating a user:

POST /jetspeed/services/usermanager/users/?_type=json HTTP/1.1
Host: 192.168.2.5:8080
[...]
Content-Length: 130
Connection: close

name=foobar&password=password&password_confirm=password&user_name_given=foo&user_name_family=bar&user_email=foo%40bar.net&newrule=

This request returns a 500 error, but the user is nonetheless created successfully. Granting foobar admin permissions:

POST /jetspeed/services/usermanager/users/foobar/?_type=json HTTP/1.1
Host: 192.168.2.5:8080
[...]
Content-Length: 123
Connection: close

name=&password=&password_confirm=&user_name_given=&user_name_family=&user_email=&user_enabled=&roles=admin&rule=

This request simply returns "true", and the permission has been added.

ZIP file path traversal (CVE-2016-0709)

Affected versions: Jetspeed 2.2.0 to 2.2.2 and Jetspeed 2.3.0. Jetspeed 2.1.x is no longer maintained and may also be affected.

This is a classic file upload / path traversal vulnerability. When a regular file is uploaded through the portal administration's Import/Export, the system checks the file name and rejects path characters such as "../", so a plain upload cannot lead to path traversal. However, this check does not cover the contents of ZIP packages, so one can upload a ZIP package containing an entry named "../../webapps/x.jsp". The system extracts the archive itself, the file is written into the web root, and accessing it makes the Java application server execute the script. The following code shows how poorly thought out the file name check is: (code listing not reproduced on this page)
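The ZIP issue above comes down to the importer validating the name of the uploaded file but not the names of the entries inside the archive. The following added example (mine, not Jetspeed's code) builds a constructed archive with one traversing entry, shows that a name-only check passes it, and shows the per-entry check an importer should run before extracting anything; the import directory is an assumed placeholder.

```python
"""Added example, not Jetspeed's code: a name check on the uploaded archive is
not enough; every ZIP entry must be checked against the extraction directory."""
import io
import os
import zipfile

def build_sample_zip() -> bytes:
    """Constructed archive: one ordinary export entry plus one entry whose name
    climbs out of the extraction directory, as in the write-up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pages/default-page.psml", "<page/>")
        zf.writestr("../../webapps/x.jsp", "<%-- constructed placeholder --%>")
    return buf.getvalue()

def upload_name_is_clean(filename: str) -> bool:
    """The kind of check the write-up describes: it looks only at the name of
    the uploaded file, so an archive called 'export.zip' always passes."""
    return ".." not in filename and "/" not in filename and "\\" not in filename

def traversing_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Names of entries that would be written outside dest_dir if extracted."""
    dest = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Resolve where the entry would land; '..' segments and absolute
            # names end up under a different prefix than dest.
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(info.filename)
    return bad

def safe_to_import(zip_bytes: bytes, upload_name: str, dest_dir: str) -> bool:
    """Hardened import check: validate the upload name AND every entry path."""
    return (upload_name_is_clean(upload_name)
            and not traversing_entries(zip_bytes, dest_dir))

if __name__ == "__main__":
    data = build_sample_zip()
    dest = "/srv/jetspeed/import"  # assumed placeholder for the import directory
    print("name-only check passes:", upload_name_is_clean("export.zip"))
    print("entries escaping dest:", traversing_entries(data, dest))
    print("safe to import:", safe_to_import(data, "export.zip", dest))
```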

The Portal Site Manager cannot be accessed without administrative rights, but as described above, an attacker can exploit the unauthenticated API to add an administrative user. By combining the two vulnerabilities, an attacker achieves pre-authentication remote code execution, demonstrated in the video below (watching it requires getting past the Great Firewall): "Remote Code Execution in Apache Jetspeed 2.2.0 – 2.3.0" by Andreas on Vimeo. I will not release the exploit shown in the video, to keep it away from people who only want a ready-made tool. In fact, for anyone with a bit of technical skill, this article is already enough to reproduce it.

Conclusion

The results of this work are not particularly advanced or novel; they are simply meant to fix Jetspeed 2 and improve its security. As I said at the start of the article, open-source freeware usually needs auditing, and both the auditor and the audited party benefit from it.
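Since the user management REST calls described above leave ordinary web server access-log entries, one defensive step is to review every write to that service. The following added example (not from the write-up) parses constructed access-log lines modelled on the two requests shown earlier, including the 500 answered on user creation, and groups the writes by client so an administrator can check whether each one was expected.

```python
"""Added example, not from the write-up: flag writes to the Jetspeed user
management REST API in access logs for review."""
import re
from collections import defaultdict

# Constructed access-log lines (combined log format) modelled on the write-up:
# the create call answering 500, then the role change on 'foobar' answering 200.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:09:12:01 +0000] "GET /jetspeed/portal/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:12:05 +0000] "POST /jetspeed/services/usermanager/users/?_type=json HTTP/1.1" 500 1187 "-" "curl/7.47.0"
203.0.113.7 - - [10/Mar/2016:09:12:09 +0000] "POST /jetspeed/services/usermanager/users/foobar/?_type=json HTTP/1.1" 200 4 "-" "curl/7.47.0"
198.51.100.2 - - [10/Mar/2016:09:15:40 +0000] "GET /jetspeed/services/usermanager/users/?_type=json HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')
USERMANAGER = "/jetspeed/services/usermanager/"   # service path from the write-up
WRITE_METHODS = {"POST", "PUT", "DELETE"}

def usermanager_writes(log_text: str) -> dict:
    """Map each client IP to the state-changing requests it sent to the
    user management service, as (timestamp, method, target, status) tuples."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        path = m["path"].split("?", 1)[0]              # drop ?_type=json etc.
        if not path.startswith(USERMANAGER):
            continue
        target = path[len(USERMANAGER):].strip("/")    # 'users' or 'users/foobar'
        hits[m["ip"]].append((m["ts"], m["method"], target, int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for ip, writes in usermanager_writes(SAMPLE_LOG).items():
        print(ip)
        for ts, method, target, status in writes:
            print(f"  {ts}  {method} {target} -> {status}")
```

A user creation that answers 500 followed seconds later by a write to that user's entry is exactly the sequence the write-up describes, so such pairs deserve the closest look.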

