As part of my personal “Hacking Open Source Software for Fun and Non-Profit” project, I decided to take a look at Apache Jetspeed 2 (version 2.3.0). Jetspeed, in the authors’ own words, is:

“…an Open Portal Platform and Enterprise Information Portal, written entirely in open source under the Apache license in Java and XML and based on open standards. All access to the portal is managed through a robust portal security policy. Within a Jetspeed portal, individual portlets can be aggregated to create a page. Each portlet is an independent application with Jetspeed acting as the central hub making information from multiple sources available in an easy to use manner.”

While I don’t really know how many people use Jetspeed, the official home page lists a number of companies and organizations, and a quick web search turned up plenty more. There will very likely also be a number of installations on internal networks, so it looks like it has quite a few users.

During my audit I came across several fairly serious issues, and this is a brief write-up of two of them which chained together will lead to Pre Auth Remote Code Execution. I was originally not planning to post anything about this for a while, but since Apache has published their fairly detailed advisory already, I figured the cat’s out of the bag anyway (publication has also been cleared with the maintainers). Version 2.3.1 will be out later this month, so keep an eye out for it if you are running an installation of Jetspeed 2.

Unsecured User Manager REST API [part of CVE-2016-0710]

Affected versions

Jetspeed 2.3.0 and unknown earlier versions.

I came across this issue while verifying whether a SQL injection I had found in the User Manager (CVE-2016-0710) could be exploited by an unauthenticated attacker. Although the issue has not been assigned its own CVE, the following paragraph in the description of CVE-2016-0710 hints quite clearly at its existence:

“There is also an authorization flaw at play here since the above URLs can be reached without being authenticated in Jetspeed.”

This is likely the most critical of the issues I found, as it allows an unauthenticated attacker to completely compromise all the information contained within the portal. The root cause is that authentication is not enforced when calling the User Manager service of the Jetspeed REST API. As a result, an unauthenticated attacker can add, edit, or delete portal users, which includes granting administrative access and resetting the passwords of existing users.

Examples

Create a user

POST /jetspeed/services/usermanager/users/?_type=json HTTP/1.1
Host: 192.168.2.5:8080
[…]
Content-Length: 130
Connection: close

name=foobar&password=password&password_confirm=password&user_name_given=foo&user_name_family=bar&user_email=foo%40bar.net&newrule=

This request will return an HTTP 500 Internal Server Error message, but the user will still be created.

Add the admin role to the ‘foobar’ user

POST /jetspeed/services/usermanager/users/foobar/?_type=json HTTP/1.1
Host: 192.168.2.5:8080
[…]
Content-Length: 123
Connection: close

name=&password=&password_confirm=&user_name_given=&user_name_family=&user_email=&user_enabled=&roles=admin&rule=

This request simply returns “true” and the role is added.

ZIP file path traversal [CVE-2016-0709]

Affected versions

Jetspeed 2.2.0 to 2.2.2

Jetspeed 2.3.0

The unsupported Jetspeed 2.1.x versions may also be affected.

This is a classic file upload/path traversal vulnerability. When regular files are uploaded via the Import/Export function in the Portal Site Manager, the file names are checked so that they don’t contain path sequences such as “../”, which would otherwise allow path traversal. This check is not performed for the entries within ZIP archives, so it is possible to upload a ZIP archive containing a JSP file with a specially crafted entry name (in this case, “../../webapps/x.jsp”). When the archive is unzipped by the system, the file is written to the webroot directory, and when visited it is executed by the Java application server.

The following extract from the code demonstrates the missing file name check.

While the Portal Site Manager is not accessible without administrative privileges, it is, as previously mentioned, possible to add an admin user without being authenticated. Because of this, chaining these issues together will effectively result in Pre Auth (as the attacker is not authenticated or a Jetspeed user when the attack starts) Remote Code Execution as demonstrated in the video below.
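The per-entry check that the vulnerable import path lacks, as an added example written against java.util.zip (not taken from Jetspeed’s code): every archive entry name is resolved against the import directory and rejected if its normalized path escapes it, before anything is written. The `SafeUnzip` class, the `jetspeed-import` temp directory and the `pages/default.psml` entry name are assumptions for the demo.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public class SafeUnzip {

    // Resolve an archive entry name against the import directory and refuse any
    // entry whose normalized path leaves that directory (e.g. "../../webapps/x.jsp").
    // Absolute entry names ("/etc/passwd") are also rejected, since resolve() keeps them.
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(entryName).normalize();
        if (!resolved.startsWith(base) || resolved.equals(base)) {
            throw new IOException("Zip entry escapes import directory: " + entryName);
        }
        return resolved;
    }

    // Extract an archive, validating every entry before it is written to disk.
    static void unzip(InputStream in, Path targetDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path out = resolveEntry(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    Files.copy(zis, out, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("jetspeed-import"); // constructed target dir
        System.out.println("OK: " + resolveEntry(dir, "pages/default.psml"));
        try {
            resolveEntry(dir, "../../webapps/x.jsp"); // the entry name from the write-up
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Note that `Path.startsWith` compares whole path components, so a sibling directory whose name merely begins with the import directory’s name is also rejected.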

(The exploit above will not be released as there’s enough point-n-click crap out there already. This post should be enough for anyone with minimal skills to reproduce it anyway. Sorry.)

Final words

While these findings may not be very advanced or novel, getting them fixed will in my opinion do a lot for the security of Jetspeed 2 and its users. As I wrote in this post, Open Source and Free Software often needs auditing badly, and both the auditor and the auditee have a lot to gain from it.

Coming up

The next post will likely feature some findings of similar impact from my audit of Apache OpenMeetings, which I reported earlier this week.