GHSA-3gh6-v5v9-6v9j: Jetty vulnerable to errant command quoting in CgiServlet
If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file" name "here, the escaping algorithm will generate the command line string "file" name "here", which will invoke the binary named file, not the one that the user requested.
if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" "))
execCmd = "\"" + execCmd + "\"";
Exploit Scenario
The cgi-bin directory contains a binary named exec and a subdirectory named exec" commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec" commands/bin1. This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string "exec" commands/bin1". When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1". In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured.
If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures.
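The tokenization described above, as an added example (only the wrapping condition is taken from the advisory; the rest is not Jetty's code): it applies the wrapping step to constructed file names and splits the result the way Runtime.exec(String) is documented to, with a StringTokenizer. The class name CgiQuotingDemo and the helper argv, which builds a quoting-free argument list for comparison, are assumptions for illustration and not the project's fix.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class CgiQuotingDemo {
    // The wrapping step quoted in the advisory, unchanged.
    static String wrap(String execCmd) {
        if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" "))
            execCmd = "\"" + execCmd + "\"";
        return execCmd;
    }

    // Runtime.exec(String) is documented to split its argument with
    // new StringTokenizer(command): whitespace only, quotes are ordinary characters.
    static List<String> tokenize(String command) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens())
            tokens.add(st.nextToken());
        return tokens;
    }

    // Quoting-free alternative (hypothetical helper): each argument is its own
    // list element, so a space or quote in the name cannot create a new token.
    static List<String> argv(String cmdPrefix, String path) {
        List<String> cmd = new ArrayList<>();
        if (cmdPrefix != null && !cmdPrefix.isEmpty())
            cmd.add(cmdPrefix);
        cmd.add(path);
        return new ProcessBuilder(cmd).command(); // built only, never started
    }

    public static void main(String[] args) {
        // Constructed sample names; the last two are the ones used in the advisory text.
        String[] names = {"bin1", "file\" name \"here", "exec\" commands/bin1"};
        for (String name : names) {
            String wrapped = wrap(name);
            List<String> split = tokenize(wrapped);
            List<String> list = argv(null, name);
            System.out.println("requested name : " + name);
            System.out.println("  wrapped      : " + wrapped);
            System.out.println("  exec(String) : " + split.size() + " token(s) " + split);
            System.out.println("  argv list    : " + list.size() + " token(s) " + list);
        }
    }
}
```

For exec" commands/bin1 the wrapped string splits into two tokens, "exec" and commands/bin1", while the argument-list form keeps the whole name as a single element.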
Impact
Users of the org.eclipse.jetty.servlets.CGI Servlet with a very specific command structure may have the wrong command executed.
Patches
No patch.
In Jetty 9.x, 10.x, and 11.x the org.eclipse.jetty.servlets.CGI has been deprecated.
In Jetty 12 (all environments) the org.eclipse.jetty.servlets.CGI has been entirely removed.
Workarounds
The org.eclipse.jetty.servlets.CGI Servlet should not be used. Fast CGI support is available instead.
References
- https://github.com/eclipse/jetty.project/pull/9516
- https://github.com/eclipse/jetty.project/pull/9889
- https://github.com/eclipse/jetty.project/pull/9888
Related news
Red Hat Security Advisory 2024-3989-03 - Migration Toolkit for Applications 6.2.3 release. Issues addressed include denial of service, memory leak, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3919-03 - Migration Toolkit for Runtimes 1.2.6 release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include denial of service and spoofing vulnerabilities.
Red Hat Security Advisory 2024-3354-03 - Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include HTTP request smuggling, bypass, denial of service, deserialization, and traversal vulnerabilities.
Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.
Red Hat Security Advisory 2024-0797-03 - Updated Satellite 6.14 packages that fix Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include HTTP request smuggling, buffer overflow, denial of service, and memory leak vulnerabilities.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Debian Linux Security Advisory 5507-1 - Multiple security vulnerabilities were found in Jetty, a Java based web server and servlet engine.
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.