A nice chain leading to unauthenticated RCE: a path traversal leading to server-side request forgery, which is used to hit the application's API from localhost and leak administrative credentials, and finally an unescaped argument in a privileged task for command injection.
Path Traversal - A fairly well-known attack against Tomcat servers: Tomcat treats `;` as the start of a path parameter within a segment, so `..;/` will be normalized as `../`, but reverse proxies like nginx will usually not see it as a traversal and pass it along. This can be used to hit endpoints that Tomcat is serving but that are not reachable through the reverse proxy.
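The mismatch in miniature, as an added Python model (not code from the write-up or from the affected product): the proxy and the backend each normalize the same request path, but only the backend strips `;` path parameters before collapsing `..` segments. The `/public/` prefix and the `/internal/admin` target are constructed for the example.

```python
import posixpath

# Hypothetical proxy policy: only requests under /public/ are forwarded upstream.
ALLOWED_PREFIX = "/public/"


def proxy_normalize(path: str) -> str:
    """Approximates a reverse proxy such as nginx: it resolves '.' and '..'
    segments (so a plain '../' traversal is caught) but treats '..;' as an
    ordinary, meaningless segment name."""
    return posixpath.normpath(path)


def tomcat_normalize(path: str) -> str:
    """Approximates Tomcat: ';' introduces a path parameter inside a segment,
    which is stripped *before* dot-segment normalization, so '..;' becomes '..'."""
    without_params = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(without_params)


def proxy_forwards(path: str) -> bool:
    """The proxy's routing decision, made on what it believes the path to be."""
    return proxy_normalize(path).startswith(ALLOWED_PREFIX)


def reaches_backend_path(path: str):
    """Returns the path Tomcat will actually serve if the proxy forwards the
    request, or None if the proxy refuses it."""
    return tomcat_normalize(path) if proxy_forwards(path) else None


if __name__ == "__main__":
    for candidate in ("/public/index.html",
                      "/public/../internal/admin",      # caught by the proxy
                      "/public/..;/internal/admin"):    # passes the proxy, hits /internal/admin
        print(f"{candidate:30s} -> {reaches_backend_path(candidate)}")
```

Real nginx also percent-decodes and merges slashes, so this only captures the `;` blind spot; the practical check is to request `/<allowed>/..;/<blocked>` through your own proxy and see what the backend logs. The durable fix is not to rely on the proxy for authorization at all: anything reachable on the Tomcat side must enforce its own.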
Server-Side Request Forgery - This was a previously known and reported issue in a third-party component. Normally the `/getFavicon` endpoint wouldn't be reachable, but the path traversal could be used to make requests to it. It does as the name indicates: it takes a `host` parameter and attempts to fetch its favicon. The `host` is entirely attacker controlled and, without sanitization, it can be used to craft any URL.
Sensitive Information in Configuration - Requests to the application's REST API from localhost do not require authentication, so the prior SSRF could be used to make a request to the `/services/sysinfo/activeconfig` endpoint, which contains a password for a privileged API user.
Command Injection - Finally, with a privileged API user, the scheduled task functionality could be reached. One of the tasks, `task050380`, takes two parameters, a tar file and a target directory, and extracts the tar file. There is an optional parameter `$deleteOutDir` which will first delete the files inside the output directory:

```php
$this->execute('rm -rf ' . realpath($targetdir) . '/*');
```
In this case, as the path is not escaped in this `rm` call, additional commands can be injected using shell expansions like `$(id)`, though it does need to be a directory name that can be created (`realpath()` returns `false` for a path that does not exist, so the directory has to be on disk before the task runs).
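To see why `realpath()` does not help, here is an added Python re-creation of that `rm` call (not the application's code) beside a quoted version. It creates a directory whose name is itself a command substitution, which stands in for the `$(id)` above, and checks whether the shell executed it; `echo` is put in front of `rm` so nothing is deleted, but the shell still performs exactly the same word expansion on the argument. The `pwned` marker file and the directory layout are constructed for the example.

```python
import os
import shlex
import subprocess
import tempfile

# Re-creation of the vulnerable PHP line, for illustration:
#   $this->execute('rm -rf ' . realpath($targetdir) . '/*');


def build_vulnerable(target_dir: str) -> str:
    # realpath() canonicalises the path but does nothing about shell metacharacters.
    return "echo rm -rf " + os.path.realpath(target_dir) + "/*"


def build_hardened(target_dir: str) -> str:
    # shlex.quote() plays the role of PHP's escapeshellarg(); the /* glob stays
    # outside the quotes so "delete the directory's contents" still works.
    return "echo rm -rf " + shlex.quote(os.path.realpath(target_dir)) + "/*"


def run_in(workdir: str, command: str) -> str:
    # shell=True hands the string to /bin/sh, as a PHP execute() wrapper would.
    result = subprocess.run(command, shell=True, cwd=workdir,
                            capture_output=True, text=True)
    return result.stdout.strip()


def demo(build):
    """Build and run the rm command for a target directory whose *name* is a
    command substitution. Returns (what the shell actually ran, whether the
    injected command executed). The injected command creates the marker file
    'pwned' in the working directory if the shell evaluates it."""
    with tempfile.TemporaryDirectory() as workdir:
        payload = "$(touch pwned)"                  # stands in for the write-up's $(id)
        evil_dir = os.path.join(workdir, payload)
        os.mkdir(evil_dir)                          # realpath() only resolves paths that exist
        expanded = run_in(workdir, build(evil_dir))
        injected = os.path.exists(os.path.join(workdir, "pwned"))
        return expanded, injected


if __name__ == "__main__":
    for name, build in (("vulnerable", build_vulnerable), ("hardened", build_hardened)):
        expanded, injected = demo(build)
        print(f"{name:10s} shell ran: {expanded!r}  injected command executed: {injected}")
```

In the vulnerable run the shell evaluates `$(touch pwned)` during word expansion, before `rm` ever sees its argument, and the marker appears; in the quoted run the directory name reaches `rm` literally. Quoting is the minimal fix; the better one is to avoid the shell entirely and remove the directory contents with the language's own filesystem calls.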