AcmeFoo / AcmeWebSite

New website
0 stars 0 forks source link

CONTRAST: Path Traversal from URI on "/ibm/api/adminCenter/v1/icons/com.ibm.websphere.appserver.adminCenter.tool.serverConfig-1.0" page #47

Open zencid42 opened 4 years ago

zencid42 commented 4 years ago

Vulnerability ID: MQAQ-4VRD-WBAU-F1MP

Application Name: ibm/api

Vulnerability Link: https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/6119fcd6-5a74-48e8-aff8-092520138ef3/applications/a21666ce-2a17-4eaa-a8e9-c988edb68d26/vulns/MQAQ-4VRD-WBAU-F1MP

What Happened?

We tracked the following data from URI:

GET /ibm/api/adminCenter/v1/icons/com.ibm.websphere.appserver.adminCenter.tool.serverConfig-1.0

...which was accessed within the following code:

com.ibm.ws.ui.internal.rest.v1.IconRestHandler#processIconHeader(), line 172

...and ended up being used as part of the path in the following file being opened:

com.ibm.websphere.appserver.adminCenter.tool.serverConfig-1.0

What's the risk?

The application takes data from the user's request and uses it to access the file system. Because there is untrusted data being used as part of the file path, it may be possible for an attacker to read sensitive data or write, update, or delete arbitrary files on the container's file system. The ability to write arbitrary files to the file system is also called Unrestricted or Arbitrary File Uploads.

Recommendation

The application opens up a java.io.File or file I/O stream based on user input. Although it's not directly clear how that file is being used, this functionality could be an avenue for path traversal abuse. Here's an example of a typical path traversal vulnerability: String statement = request.getParameter("statement"); if(!statement.endsWith(".xml")) { // Validate (weakly) this file is an xml file logger.error("Bad filename sent"); return; } // Read the specified file File file = new File(STATEMENT_DIR, statement); FileInputStream fis = new FileInputStream(file); byte[] fileBytes = new byte[file.length()]; fis.read(fileBytes); response.getOutputStream().write(fileBytes);

Often, there is no filename validation at all. Either way, an attacker could abuse this functionality to view the /etc/passwd file on a UNIX system by passing the following value for the "statement" parameter: http://yoursite.com/app/pathTraversal?statement=../../../../../../../../etc/passwd%00.xml The NULL byte (%00) is just another char to Java, so the malicious value passes the "endsWith()" check. However, when the value is passed to the operating system's native API, the NULL byte will represent an end-of-string character, and open the attacker's intended file. Note that Null byte injection in Java was fixed in Java 7 Update 45. So, make sure you are using at least this version of Java, in addition to validating the user's input to this File accessor code. To prevent attacks like this, any of the following steps could help:

First Event


Stack:
  com.ibm.ws.webcontainer.srt.SRTServletRequest.getPathInfo(SRTServletRequest.java:1994)
  com.ibm.ws.rest.handler.helper.ServletRESTRequestImpl.getPath(ServletRESTRequestImpl.java:112)
  com.ibm.ws.ui.internal.rest.v1.IconRestHandler.getChild(IconRestHandler.java:85)
  com.ibm.ws.ui.internal.rest.CommonRESTHandler.doGET(CommonRESTHandler.java:394)
  com.ibm.ws.ui.internal.rest.v1.IconRestHandler.delegateMethod(IconRestHandler.java:449)
  com.ibm.ws.ui.internal.rest.CommonRESTHandler.handleRequest(CommonRESTHandler.java:767)
  com.ibm.ws.ui.internal.rest.AdminCenterRouter.handleRequest(AdminCenterRouter.java:249)
  com.ibm.ws.rest.handler.internal.service.RESTHandlerContainerImpl.handleRequest(RESTHandlerContainerImpl.java:453)
  com.ibm.ws.rest.handler.internal.servlet.RESTProxyServlet.handleWithDelegate(RESTProxyServlet.java:119)
  com.ibm.ws.rest.handler.internal.servlet.RESTProxyServlet.service(RESTProxyServlet.java:64)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
  com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
  com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
  com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
  com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:182)
  com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:93)
  com.ibm.ws.app.manager.wab.internal.OsgiDirectoryProtectionFilter.doFilter(OsgiDirectoryProtectionFilter.java:90)
  com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
  com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
  com.ibm.ws.security.jaspi.JaspiServletFilter.doFilter(JaspiServletFilter.java:56)
  com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
  com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
  com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:996)
  com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1134)
  com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4968)
  com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:314)
  com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:992)
  com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
  com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1047)
  com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:417)
  com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:376)
  com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:532)
  com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:466)
  com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:331)
  com.ibm.ws.http.channel.internal.inbound.HttpICLReadCallback.complete(HttpICLReadCallback.java:70)
  com.ibm.ws.channel.ssl.internal.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1803)
  com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:501)
  com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:571)
  com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:926)
  com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1015)
  com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
  java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
  java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
  java.lang.Thread.run(Thread.java:748)

Last Event


Stack:
  java.io.File.<init>(File.java:331)
  com.ibm.ws.ui.internal.rest.v1.IconRestHandler.processIconHeader(IconRestHandler.java:172)
  com.ibm.ws.ui.internal.rest.v1.IconRestHandler.getFeatureToolIconInfo(IconRestHandler.java:214)
  com.ibm.ws.ui.internal.rest.v1.IconRestHandler.getIcon(IconRestHandler.java:252)
  com.ibm.ws.ui.internal.rest.v1.IconRestHandler.getChild(IconRestHandler.java:106)
  com.ibm.ws.ui.internal.rest.CommonRESTHandler.doGET(CommonRESTHandler.java:394)
  com.ibm.ws.ui.internal.rest.v1.IconRestHandler.delegateMethod(IconRestHandler.java:449)
  com.ibm.ws.ui.internal.rest.CommonRESTHandler.handleRequest(CommonRESTHandler.java:767)
  com.ibm.ws.ui.internal.rest.AdminCenterRouter.handleRequest(AdminCenterRouter.java:249)
  com.ibm.ws.rest.handler.internal.service.RESTHandlerContainerImpl.handleRequest(RESTHandlerContainerImpl.java:453)
  com.ibm.ws.rest.handler.internal.servlet.RESTProxyServlet.handleWithDelegate(RESTProxyServlet.java:119)
  com.ibm.ws.rest.handler.internal.servlet.RESTProxyServlet.service(RESTProxyServlet.java:64)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
  com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
  com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
  com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
  com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:182)
  com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:93)
  com.ibm.ws.app.manager.wab.internal.OsgiDirectoryProtectionFilter.doFilter(OsgiDirectoryProtectionFilter.java:90)
  com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
  com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
  com.ibm.ws.security.jaspi.JaspiServletFilter.doFilter(JaspiServletFilter.java:56)
  com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
  com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
  com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:996)
  com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1134)
  com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4968)
  com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:314)
  com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:992)
  com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
  com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1047)
  com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:417)
  com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:376)
  com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:532)
  com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:466)
  com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:331)
  com.ibm.ws.http.channel.internal.inbound.HttpICLReadCallback.complete(HttpICLReadCallback.java:70)
  com.ibm.ws.channel.ssl.internal.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1803)
  com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:501)
  com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:571)
  com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:926)
  com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1015)
  com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
  java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
  java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
  java.lang.Thread.run(Thread.java:748)

HTTP Request

GET https://localhost:9443/ibm/api/adminCenter/v1/icons/com.ibm.websphere.appserver.adminCenter.tool.serverConfig-1.0 HTTP/1.1 Cookie: JSESSIONID.d3681dff=node018u9q5bs6vx5h1j2tmcwhhe20h0.node0; cookieconsent_status=dismiss; io=h0H-wga95jDfLW0zAAAF; eShop=4ce18892-ee98-4a5d-a4a6-96a5060f1b61; .AspNetCore.Antiforgery.9TtSrW0hzOs=CfDJ8KyOTQjaGgJLsGcUdjJ0ZuEni5j-YYiexNjMYOQZXhZXKtfUlCzB60A4RTDUFct1K3-_cD8-nSeY8k0f0Vzts1gPvJCzsw8jY73NJkLNs2mwIYZD6j37AKAZdBstSWHncH_UmoYrG-Ub4EaGy3v1wWg; ADMINCONSOLESESSION=9mTYpT8JYTFLh3LNhH2yG9h6syRPYZL7c2NNqKvXcfFLFdSMf2x1!1847020960; .AspNetCore.Identity.Application=CfDJ8KyOTQjaGgJLsGcUdjJ0ZuFLy5y3uZg9air4A7zGhV7WF5q5El09tWg3b_IelL0504yqvSqcFAmmfiUxUSHxyqujiA0wUVXl95aXVWNhUohrgVoTJltPdL8A0ZUjTT-L1FblLu-qxW7zUX6LLO5h8WU3LU41Oi3MH3Y_EM7HUHbwCyhZUemHOb8vXpulIAo-HszrOTkQsbBbXf3KQAJyuRW0YDJKdyGj-AWjlF5zTkbIA91SRWgv0tE7BLitfmtmZEY0YCNt_rrcxTHFLhg7NK-d0XV6mBYYdKaPkbeRu9i_26vPgIp8CkZAa3KDnVqRLvnqYjOOt8yesRUOPbiIiy8rZJtjlAp11VcfOzh4dGwyJiOGeaShQMDlbrXqILBhuq_3CxPOWK3rS72uBiMvhJmZ2hVIni7Q_R5ymNxW3hjcz5VHsiwWWhyBBZxdpb22s_rFzhHaF_K-QVTWwp7O1pMzSufVZWMmysUNQ5EfS4pw9JLjbtmoHPq1oTKlTSFElXCLZ60o6jI... Accept: image/webp,image/apng,image/,/*;q=0.8 Connection: keep-alive User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36 Referer: https://localhost:9443/adminCenter/ Sec-Fetch-Dest: image Sec-Fetch-Site: same-origin Host: localhost:9443 DNT: 1 Accept-Encoding: gzip, deflate, br Sec-Fetch-Mode: no-cors Accept-Language: en-US,en;q=0.9