This can be a single request or a series of requests. An attacker can upload any arbitrary file using the fileupload parameter. The remote file will be uploaded to the web root and executed. The attacker can also upload a PHP file and execute it. This can be done by including the remote file in the Content-Disposition header with a directory traversal sequence, such as ../../../../repository/. The PHP file will be executed in the context of the server user. This execution can be escalated to remote code execution by adding command execution with the /command parameter. A command can then be uploaded with the same ../../../../repository/ directory traversal sequence in the Content-Disposition header. This will result in the command being executed in the context of the server user with escalated code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.

Vulnerability description

An attacker can upload any arbitrary file with the fileupload parameter in API Manager. The remote file will be uploaded to the web root and executed. The attacker can also upload a PHP file and execute it by including the remote file in the Content-Disposition header with a directory traversal sequence, such as ../../../../repository/. The PHP file will be executed in the context of the server user. This execution can be escalated to remote code execution by adding command execution with the /command parameter. A command can then be uploaded with the same ../../../../repository/ directory traversal sequence in the Content-Disposition header. This will result in the command being executed in the context of the server user with escalated code execution.

Vendor response:
This vulnerability was addressed and patched in WSO2 products on December 10, 2018, as announced by WSO2 Security on their blog: https://www.wso2securityblog.com/2018/12/10/wso2-security-announces-release-of-apimanger-4-0-0/
WSO2 Enterprise Integrator 6.6 and above are not affected by this vulnerability because their design does not use fileupload or any other HTTP request method that performs uploads.

Solution

A temporary fix is to rename the request parameter to anything other than fileupload. This will redirect the attacker to the file upload page, and they will not be able to continue with the exploit.
A permanent fix is to correctly handle parameterized requests by validating that the request contains an uploaded file, as well as validating that the file has not been deleted.
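
The traversal described above relies on the server trusting the filename from the Content-Disposition header. The following is an added example, not WSO2's patch and not code from this advisory: it extracts the filename from each multipart part and accepts it only if the normalized target stays inside the upload directory. The directory /srv/app/uploads, the function names and the sample body are assumptions made for illustration.

```python
import posixpath
import re
from email.message import Message

UPLOAD_ROOT = "/srv/app/uploads"  # hypothetical upload directory (assumption)

def filename_from_disposition(value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()

def resolve_upload_path(filename, root=UPLOAD_ROOT):
    """Return the normalized target path, or None if it is empty or escapes root.

    Lexical check only: it does not follow symlinks inside root.
    """
    if not filename or "\x00" in filename:
        return None
    # Treat backslashes as separators so Windows-style traversal is caught too.
    candidate = posixpath.normpath(posixpath.join(root, filename.replace("\\", "/")))
    if not candidate.startswith(root + "/"):
        return None
    return candidate

def audit_multipart(body):
    """Return (filename, resolved path or None) for every file part in body."""
    results = []
    for m in re.finditer(r"(?im)^content-disposition:\s*(.+?)\r?$", body):
        name = filename_from_disposition(m.group(1))
        if name is not None:
            results.append((name, resolve_upload_path(name)))
    return results

# Constructed sample body (not a captured request): one benign part, one text
# field without a filename, and one part using the traversal sequence above.
SAMPLE_BODY = (
    '--b\r\nContent-Disposition: form-data; name="fileupload"; filename="report.pdf"\r\n'
    "\r\ndata\r\n"
    '--b\r\nContent-Disposition: form-data; name="comment"\r\n\r\nhello\r\n'
    '--b\r\nContent-Disposition: form-data; name="fileupload"; '
    'filename="../../../../repository/test.php"\r\n\r\ndata\r\n--b--\r\n'
)

if __name__ == "__main__":
    for name, target in audit_multipart(SAMPLE_BODY):
        print(f"{name!r}: {'store at ' + target if target else 'REJECT'}")
```

A stricter variant ignores the client-supplied name entirely and stores the upload under a server-generated name.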

Credit to

WSO2 IDM-2022-29464
The vulnerability allows remote attackers to upload arbitrary files and execute arbitrary code on vulnerable installations of WSO2 API Manager 2.2.0, WSO2 Identity Server 5.4.0 through 5.10.0, WSO2 Identity Server Analytics 5.4.1 through 5.6.0, and WSO2 Enterprise Integrator 6.2 through 6.6 with administrator privileges via a non-validated request to /web/admin/. The vulnerability is caused by insufficient validation of the fileupload parameter in indexAction() in apiManagerApp/class/core/src/main/java/org/wso2/apimanagerapp/webapp/servlet/.

Timeline

Published on: 04/18/2022 22:15:00 UTC
Last modified on: 05/02/2022 18:15:00 UTC

References