Arbitrary Code Execution Through Uploading a Malicious JSP File – Vulnerability Analysis

MIKOŁAJ PUDLICKI

Introduction

During security tests, a critical vulnerability was discovered in the tested application. It allows an attacker to execute arbitrary code on the server by uploading a malicious JSP file. The root cause is the lack of proper validation of uploaded files, which attackers can exploit.

Exploiting improper file validation

Because uploaded files are only weakly validated, an attacker can upload a ZIP archive containing a web page structure that the application converts into a JSP file. The attacker places harmful code in one of the files in the archive, such as index.html. After the ZIP file is uploaded and extracted, the attacker can request the path of the resulting JSP file and execute arbitrary system commands on the server with the permissions of the application user (e.g., Tomcat).

Proof of concept

The attack requires logging into an administrator account, which lowers the risk level to high. Below are examples of information obtained by executing system commands on the server:

  1. “pwd”: /home/tomcat-[REDACTED]
  2. “id”: uid=1003(tomcat-[REDACTED]) gid=1003(tomcat-[REDACTED]) groups=1003(tomcat-[REDACTED])

Importantly, the tests showed that no antivirus software was running on the server to detect the malicious code in the uploaded files.

How the attack works

  1. Creating a malicious file - the attacker crafts an index.html with harmful JSP code that allows executing system commands.

Malicious file creation

  2. Preparing the ZIP file - the attacker places the index.html file in a specific folder structure and compresses it into a ZIP file:

ZIP file preparation

  3. Uploading the file to the server - after logging into the administrator account, the attacker:

    a) navigates to: Administration → Web Templates → New Template;
    b) fills out the form and selects the prepared malicious ZIP file as the template;
    c) submits the template and opens its preview.

  4. Executing system commands - once the file is uploaded and previewed, the attacker tests the vulnerability by running commands such as uname -a, gaining detailed system information.

Command execution

Recommendations

To defend the application against such attacks, several protective measures should be implemented.

Firstly, the use of an allowlist for uploaded files is highly recommended. By restricting the types of files that can be uploaded, such as permitting only specific extensions and verifying MIME types, the risk of undetected malicious files can be minimized. Additionally, checking file headers and limiting file size can add further layers of security.

Secondly, every file uploaded to the server should undergo rigorous validation and scanning. This ensures that harmful code embedded within files can be detected and neutralized. It is essential to apply these checks to all areas of the application that facilitate file uploads, leaving no potential entry points unprotected.
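The checks recommended above (extension allowlist, size limits, header/magic-byte verification and a scan of the archive contents before extraction) can be combined into a single validation step applied to the uploaded template ZIP. The following is an added example written for this article, not code from the audited application; the allowlist, size limits and the assumption that templates are uploaded as ZIP archives whose index.html is rendered as JSP are taken from the description above, while the specific policy values are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Policy values below are assumptions for this example, not settings from the
# audited application.
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png", ".jpg", ".jpeg", ".gif"}
TEXT_EXTENSIONS = {".html", ".css", ".js"}
MAX_ARCHIVE_BYTES = 5 * 1024 * 1024   # limit for the uploaded ZIP itself
MAX_ENTRY_BYTES = 2 * 1024 * 1024     # limit for each entry after decompression
MAX_ENTRIES = 200
# Expected leading bytes ("magic") for the binary types we accept.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Because the application turns the uploaded page into a JSP, any JSP syntax in
# a text entry would run server-side: scriptlets/directives start with "<%",
# standard actions with "<jsp:", expression-language lookups with "${" / "#{".
JSP_MARKERS = (b"<%", b"<jsp:", b"${", b"#{")


def unsafe_path(name):
    """True for entry names that would escape the extraction directory (Zip Slip)."""
    return name.startswith("/") or "\\" in name or ".." in PurePosixPath(name).parts


def check_entry(info, content):
    """Return a rejection reason for one file entry, or None if it is acceptable."""
    ext = PurePosixPath(info.filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension {ext or '(none)'} not allowed"
    # The declared size was checked before reading; re-check the real size.
    if len(content) > MAX_ENTRY_BYTES:
        return "entry too large"
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return "content does not match declared image type"
    if ext in TEXT_EXTENSIONS:
        for marker in JSP_MARKERS:
            if marker in content:
                return f"JSP syntax {marker.decode()} found in text entry"
    return None


def validate_template_zip(data):
    """Validate an uploaded template archive before it is extracted.

    Returns a list of "entry: reason" strings; an empty list means every
    check passed.
    """
    if len(data) > MAX_ARCHIVE_BYTES:
        return [f"archive: too large ({len(data)} bytes)"]
    # A non-empty ZIP starts with a local file header signature.
    if not data.startswith(b"PK\x03\x04"):
        return ["archive: not a ZIP file (bad magic bytes)"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["archive: corrupt ZIP structure"]
    problems = []
    with archive:
        infos = archive.infolist()
        if len(infos) > MAX_ENTRIES:
            return [f"archive: too many entries ({len(infos)})"]
        for info in infos:
            if unsafe_path(info.filename):
                problems.append(f"{info.filename}: unsafe path")
                continue
            if info.is_dir():
                continue
            # Refuse to decompress anything whose declared size is already over budget.
            if info.file_size > MAX_ENTRY_BYTES:
                problems.append(f"{info.filename}: entry too large")
                continue
            reason = check_entry(info, archive.read(info))
            if reason:
                problems.append(f"{info.filename}: {reason}")
    return problems


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a clean template and one carrying JSP syntax,
    # a server-side extension and a path-traversal entry.
    benign = build_zip({
        "site/index.html": b"<html><body><h1>Welcome</h1></body></html>",
        "site/style.css": b"body { margin: 0; }",
    })
    tampered = build_zip({
        "site/index.html": b"<html><%= 1 + 1 %></html>",
        "site/helper.jsp": b"",
        "../escape.html": b"<html></html>",
    })
    print("benign  :", validate_template_zip(benign) or "OK")
    print("tampered:", validate_template_zip(tampered))
```

The content scan is defence in depth, not the primary fix: the safest design is for the application never to turn an untrusted upload into a JSP in the first place, so that an uploaded index.html is served as static HTML rather than compiled by the container.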

Finally, adding extra layers of protection can significantly enhance security. Installing antivirus software on the server provides a frontline defense against malicious files. Moreover, restricting user permissions related to file handling and keeping a close watch on administrative activities through detailed monitoring can prevent unauthorized actions and quickly identify suspicious behavior.
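The article notes that no antivirus was running on the server to catch the malicious content after upload. As a compensating host-side control, a periodic sweep of the directory where templates are extracted can flag files with server-side extensions or JSP syntax that should never appear in a web template. This is an added example, not code from the article or the audited application; the "templates" directory name and the sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed layout (not from the article): extracted web templates live under a
# "templates" directory inside the deployed webapp.
SERVER_SIDE_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".tag", ".tagx"}
# JSP scriptlets/directives ("<%"), standard actions ("<jsp:") and expression
# language ("${", "#{") would all execute server-side if rendered as JSP.
JSP_PATTERN = re.compile(rb"<%|<jsp:|\$\{|#\{")


def scan_template_tree(root):
    """Return (relative_path, reason) for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in SERVER_SIDE_EXTENSIONS:
            findings.append((rel, "server-side extension"))
            continue
        match = JSP_PATTERN.search(path.read_bytes())
        if match:
            findings.append(
                (rel, f"JSP marker {match.group().decode()} at offset {match.start()}")
            )
    return findings


def run_demo():
    """Build a constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "templates"
        samples = {
            "clean/index.html": b"<html><body><h1>Welcome</h1></body></html>",
            "clean/style.css": b"body { margin: 0; }",
            "tampered/index.html": b"<html><%= 2 * 21 %></html>",
            "tampered/helper.jsp": b"<%-- placeholder --%>",
        }
        for rel, content in samples.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan_template_tree(root)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"ALERT {rel}: {reason}")
```

In a deployment this would run from a scheduled job or immediately after each template upload, with any finding raised as an alert alongside the audit record of the administrator action that created the template, which covers the monitoring recommendation above.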
