Portal application Apache Jetspeed 2.3.0 and earlier versions: Remote Code Execution Vulnerability Analysis

Source: Internet
Author: User

As one of my personal projects on auditing the security of open-source software, I took a look at Apache Jetspeed 2 (v2.3.0).

Jetspeed:

"An open portal platform and enterprise information portal, written entirely in open source Java and XML, based on open standards and released under the Apache license. All access that passes through the portal is controlled by strict and secure management policies. In a Jetspeed portal, individual components are aggregated into pages. Each component is an independent application, and Jetspeed acts as the central integration hub, which unifies information from multiple sources and makes it easy to manage and access."

Although I don't know how many people are using Jetspeed, its official homepage does list many companies and organizations that use it, and a quick search turns up more cases. In addition, many installations are probably on intranets, so Jetspeed appears to have a considerable number of users.

However, some serious vulnerabilities came up during the audit of its code. This is the write-up of two of them which, combined, lead to pre-authentication remote code execution. I hadn't planned to release anything during this period, but Apache has published the related announcements, and I guess the official website has already revealed most of the details. Jetspeed 2.3.1 will be released later this month. If you are a Jetspeed 2 user, please make sure you install the latest version.

Apache Jetspeed user management REST API unauthorized access vulnerability

Affected versions: Jetspeed 2.3.0 and earlier (exact range unknown).

I found this problem while verifying a SQL injection in the user manager (CVE-2016-0710), which turned out to be exploitable without authentication. Although this vulnerability has no CVE of its own, it is clearly mentioned in the CVE-2016-0710 description:

"There is also an authentication vulnerability: URLs in Jetspeed can be accessed without authorization."

This problem may be the most serious one I have found, because it gives an unauthenticated attacker access to all the information in the portal. The user management REST API of Jetspeed does not enforce authentication. Therefore an unauthenticated attacker can add, edit and delete portal users, and can also grant roles and reset the password of an existing user.

Example

Create a user:

POST /jetspeed/services/usermanager/users/?_type=json HTTP/1.1

Host: 192.168.2.5:8080

[…]

Content-Length: 130

Connection: close

name=foobar&password=password&password_confirm=password&user_name_given=foo&user_name_family=bar&user_email=foo%40bar.net&newrule=

This request returns an HTTP 500 error, but the user is created successfully anyway.

Grant the admin role to foobar:

POST /jetspeed/services/usermanager/users/foobar/?_type=json HTTP/1.1

Host: 192.168.2.5:8080

[…]

Content-Length: 123

Connection: close

name=&password=&password_confirm=&user_name_given=&user_name_family=&user_email=&user_enabled=&roles=admin&rule=

This request simply returns "true", and the role has been added.
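Since the user manager service accepts these writes without a session, the web server access log is the place to look for abuse after the fact. The following is an added example, not code from the original article or from Jetspeed: it scans constructed Combined-Log-Format lines for requests to the user manager REST path and labels account creation (including the tell-tale 500 response described above), modification of a named user, and read-only enumeration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample access-log lines (Combined Log Format); not from the original page.
# The two POSTs mirror the page's requests: user creation (returns 500 but still
# creates the account) followed by a role change on that user.
SAMPLE_LOG = """\
192.168.2.20 - - [10/Mar/2016:10:01:02 +0000] "GET /jetspeed/portal/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.2.20 - - [10/Mar/2016:10:01:05 +0000] "POST /jetspeed/services/usermanager/users/?_type=json HTTP/1.1" 500 0 "-" "python-requests/2.9"
192.168.2.20 - - [10/Mar/2016:10:01:07 +0000] "POST /jetspeed/services/usermanager/users/foobar/?_type=json HTTP/1.1" 200 4 "-" "python-requests/2.9"
192.168.2.30 - - [10/Mar/2016:10:02:00 +0000] "GET /jetspeed/services/usermanager/users/?_type=json HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
USERMANAGER_PREFIX = "/jetspeed/services/usermanager/"

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry: Dict[str, str]) -> Optional[str]:
    """Label a request to the user manager REST service, or return None."""
    path = entry["path"].split("?", 1)[0]
    if not path.startswith(USERMANAGER_PREFIX):
        return None
    parts = path[len(USERMANAGER_PREFIX):].strip("/").split("/")
    method = entry["method"]
    if method in ("GET", "HEAD"):
        return "usermanager-read"          # account enumeration
    if parts[0] == "users" and len(parts) == 1 and method == "POST":
        # The 500 is the page's tell-tale: the account is created anyway.
        return "user-create" + ("-500" if entry["status"] == "500" else "")
    if parts[0] == "users" and len(parts) >= 2 and method in ("POST", "PUT", "DELETE"):
        return "user-modify:" + parts[1]
    return "usermanager-other"

def scan(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, method, label) for every user-manager request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ip"], entry["ts"], entry["method"], label))
    return findings
```

Any write to this path from a client that never authenticated, and any creation that immediately precedes a role change on the new account, deserves a look at the portal's user table.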

ZIP file path traversal [CVE-2016-0709]

Affected Versions: Jetspeed 2.2.0 to 2.2.2 and Jetspeed 2.3.0.

Jetspeed 2.1.x, which is no longer maintained, may also be affected.

This is a typical file upload / path traversal vulnerability. When a portal administrator uploads an ordinary file through Import/Export, the system checks the file name: it must not contain path characters such as "../", so a single file cannot cause path traversal. However, this check is not applied to the entries of an uploaded ZIP package. A ZIP containing an entry named "../../webapps/x.jsp" is extracted by the system, the file is written into the web root, and requesting it makes the Java application server execute the script.
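The fix is to apply the same check to every archive entry, after resolving the entry name against the extraction directory rather than looking for literal "../" substrings. The following is an added example, not Jetspeed's code: a ZIP extractor that rejects any entry resolving outside the destination, run against a constructed archive containing one legitimate entry and one entry named like the page's "../../webapps/x.jsp" (with harmless text as its content).

```python
import io
import os
import tempfile
import zipfile
from typing import List, Tuple

def safe_extract(zip_bytes: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Extract an archive into dest_dir, refusing any entry that would land outside
    dest_dir once '..' segments, absolute paths and symlinks in dest_dir are resolved.
    Returns (extracted relative names, rejected entry names)."""
    dest_real = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Resolve the entry name exactly as the filesystem would on creation.
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)   # traversal, absolute path or empty name
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(os.path.relpath(target, dest_real))
    return extracted, rejected

def build_demo_archive() -> bytes:
    """Constructed test archive: one legitimate-looking export entry plus one entry
    whose name climbs out of the extraction directory, mirroring the page's
    '../../webapps/x.jsp' pattern (the content here is harmless text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pages/default-page.psml", "<page/>")
        zf.writestr("../../webapps/x.jsp", "placeholder text, not a JSP")
    return buf.getvalue()

def demo() -> Tuple[List[str], List[str], bool]:
    """Run safe_extract in a throwaway tree and report whether anything escaped."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "import", "incoming")
    os.makedirs(dest)
    extracted, rejected = safe_extract(build_demo_archive(), dest)
    escaped = os.path.exists(os.path.join(root, "webapps", "x.jsp"))
    return extracted, rejected, escaped

if __name__ == "__main__":
    print(demo())
```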

The following code shows the weakness in the file-name check:

Although the Portal Site Manager is not accessible without administrative permissions, an attacker can, as described above, create an administrative user without being authenticated. Chaining the two vulnerabilities therefore gives pre-authentication remote code execution. The demo video is as follows:

Remote Code Execution in Apache Jetspeed 2.2.0-2.3.0 from Andreas on Vimeo.

The exploit from the video will not be released, to prevent abuse. In any case, now that this article is published, it gives anyone with some technical skill enough to reproduce it.

Conclusion

These findings may not be particularly advanced or novel, but their only purpose is to get Jetspeed 2 fixed and make it more secure. As I have written before, free open-source software needs auditing, and both the auditors and the audited benefit a lot from it.

Further reading

Apache Jetspeed user management REST API unauthorized access vulnerability

Apache Jetspeed directory traversal vulnerability
