JasperReports - Authenticated File Read

EDB-ID: 44623
Author: Hector Monsegur
Published: 2018-05-03
CVE: CVE-2018-5430
Type: Webapps
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

- - -

## Bypassing JasperReports Access Controls
The following example allowed us to include an administrator JSP from a low privileged user (joeuser):


Which took us from:

getAttribute() @ HttpServletRequestParameterMap.java:57
> string[] = wrapper.getParameterValues("page")


getResource() @ DirResourceSet.java:101
> file = new File(/home/rhino/jasperreports...mcat/webapps/jasperserver,"/WEB-INF/jsp/modules/administer/adminImport.jsp")

Due to a lack of input validation we found ourselves with the capability to traverse paths to a destination of our choice. Below you will find more Proof of Concepts (PoCs) of the the attack in question:

## Accessing Administrator Export Functions


## Accessing AWS Configuration Functions

The above issue allowed us to load privileged portions of the application geared towards the Administrator, thus bypassing access controls.

## Local File Read

The following command allowed us to read configuration files on the server, taking advantage of an unsanitized ‘page’ perimeter and reading configuration files. An attacker would use these credentials to further pivot across application and services. Although the above screenshot provides a randomly generated password for the occasion, we decided to blur it out of habit.


## Local File Inclusion (JSP)

And in the event of a post-intrusion scenario, an attacker would need to upload an arbitrary JSP file, masqueraded as a regular file (sans .jsp) to the victims filesystem and execute something like the following via a local file inclusion:

NOTE: Since the application appends ‘.jsp’ to the ‘page’ paramater value, normally you would end up with ../../../jsp/modules/administer/file.jsp. However, if we want to read configuration files we need to trick Java to read our desired file, and ignore the ‘.jsp’ addition. NULL bytes (%00) do not work, however we were able to bypass the problem by adding a semicolon to our desired file.

Related Posts