Hacking a Bank by Finding a 0day in DotCMS
- Introduction
- What is dotCMS?
- Code Analysis
- Making a PoC
- Hacking a Bank
- Vendor Response
- Remediation Advice
- Conclusion
The advisory for this issue can be found here.
The CVE for this issue is CVE-2022-26352. The advisory from dotCMS can be found here.
This security research was performed by Hussein Daher and Shubham Shah.
Introduction
Hacking a bank is one of those things that you have to cross off your bucket list as a credible hacker. To the outside world, banks are supposed to have impenetrable security, or at least that’s how they usually market themselves. Closer to reality and more in line with the can-do attitude of hackers, banks are just as vulnerable as other organisations and industries.
A few months ago, a friend of mine Hussein came to me with an interesting piece of software that a large bank was using called dotCMS. This bank was running a bug bounty program. He knew that whitebox source code auditing was my jam and asked if I could take a closer look with the aim of compromising this bank.
Through source code analysis, it was possible to find an arbitrary file upload vulnerability, which allowed us to write to any directory on the local system. While we were unable to find a web accessible directory to upload a web shell in the limited time we had, we were able to replace the contents of arbitrary JavaScript files already existing on the system.
This blog post walks through the discovery process of this vulnerability and exploitation process on this large bank.
What is dotCMS?
dotCMS is an open source content management system written in Java for managing content and content driven sites and applications.
dotCMS provides a community edition of their content management system that is free to download and use. They also provide an Enterprise edition, which is a SaaS-based product, that you can purchase on an annual or monthly subscription.
Code Analysis
dotCMS is a Java application which makes use of <span class="code_single-line">javax.ws.rs in</span> order to declare API routes in the application. As it uses <span class="code_single-line">javax.ws.rs</span>, it is possible to get a good understanding of some of the attack surface by searching for <span class="code_single-line">@Path(</span> in the code base - this is similar to Spring applications.
There is a lot of attack surface in dotCMS, however we are going to focus on the APIs that were declared using <span class="code_single-line">javax.ws.rs</span>. Within half a day of source code auditing, we came across the file <span class="code_single-line">com/dotcms/rest/ContentResource.java</span> which contained a lot of code related to “content” operations inside dotCMS (locking, searching, uploading content).
We noticed that a lot of these API endpoints didn’t require any sort of authentication to access by default, and started digging into the logic of multipart file uploads.
There is a lot of code in this file, so let’s walk through it step by step until we reach our sink.
The source of the vulnerability can be found below:
The <span class="code_single-line">multipartPOST</span> and <span class="code_single-line">multipartPUT</span> functions were both entry points for this vulnerability. The base path of the API was <span class="code_single-line">/api/</span>, and declared at the top of this class (<span class="code_single-line">@Path("/content")</span>), we can see that this API is accessible via <span class="code_single-line">/api/content</span>.
Within the <span class="code_single-line">multipartPOST</span> and <span class="code_single-line">multipartPUT</span> functions, we can see that they will accept requests to arbitrary paths as long as the HTTP method matches either <span class="code_single-line">POST</span> or <span class="code_single-line">PUT</span>. These functions consume HTTP requests in the format of <span class="code_single-line">multipart/form-data</span>.
So far, we have not seen any authentication mechanisms declared in this class, so we can continue following the logic of these functions, which can be found in the <span class="code_single-line">multipartPUTandPOST</span> function.
This function is quite large, however I will walk through the logic of it step by step after you read the code:
One of the first things that’s worth noting in the above code block is this line: <span class="code_single-line">.requiredAnonAccess(AnonymousAccess.WRITE)</span>. Digging into this, it seems like this functionality is only accessible if <span class="code_single-line">CONTENT_APIS_ALLOW_ANONYMOUS=WRITE</span> is set in the dotCMS configuration. Fortunately, this seems to be set in default configurations.
Next, walking through the code, we can understand that this function is responsible for delegating to specific functions depending on the content-type of the multipart file upload. We can see that this code ends up at the following sinks:
- <span class="code_single-line">processJSON</span>
- <span class="code_single-line">processXML</span>
- <span class="code_single-line">processForm</span>
- <span class="code_single-line">processMap</span>
- <span class="code_single-line">processFile</span>
Naturally as you’re auditing this function, it makes sense to audit each of these individual sinks for dangerous functionality. Our immediate thoughts were to look at the <span class="code_single-line">processXML</span> function for XXE and the <span class="code_single-line">processFile</span> function for arbitrary file upload vulnerabilities.
Unfortunately, <span class="code_single-line">processXML</span> was not vulnerable to XXE, likely due to a previous security fix the dotCMS team had applied. However, looking at <span class="code_single-line">processFile</span> code below, we were able to identify an arbitrary file upload vulnerability:
We can see that this function constructs a <span class="code_single-line">tempFile</span> using the following logic:
<span class="code_single-line">File tempFile = new File(String.valueOf(tmpFolder.getAbsolutePath()) + File.separator + filename);</span>
Looking further up in this function, we can see that filename is derived from user input (our multipart request):
<span class="code_single-line">String filename = part.getContentDisposition().getFileName();</span>
We finally end up at our sink, at the following line:
<span class="code_single-line">FileUtils.copyInputStreamToFile(input, tempFile);</span>
Using this information that we’ve extrapolated from the source code, we can now construct a PoC which will allow us to upload arbitrary files on the system using directory traversal.
There are no checks being made on the filename or the contents, allowing us to upload arbitrary files to the system to achieve command execution.
Making a PoC
In order to successfully exploit this issue, we must meet all of the conditions that will allow us to go from the source to the sink. We were able to craft the following HTTP request which would allow you to upload a JSP shell to a web accessible directory using this vulnerability:
This will lead to a webshell at the following location:
https://re.local:8443/html/js/dojo/a.jsp?cmd=whoami
Hacking a Bank
Now, we don’t want to lose track for why we audited this software in the first place. We were trying to hack a bank using this software.
Unfortunately, unlike a local development environment, production environments can be quite complex and the software can be deployed in a number of ways that deviate from a perfect local environment. It was not as straight forward to prove impact.
The first step we took was to understand what signified a successful upload, as a way to enumerate writeable directories on the system. Usually on most linux systems, the /tmp/ directory is writeable, so we attempted to upload to this directory:
This returned a response size of 0 and a 500 HTTP error response code. This was the indicator that signified that the upload was successful. Knowing this, we enumerated more directories on the local system.
We also fingerprinted the scenario in which the directory did not exist. In these cases, the response would look like the following:
Lastly, we fingerprinted the scenario in which the directory definitely did exist, but we did not have permissions to write to that folder:
Now, you may be wondering how we were able to determine the tomcat webroot on a server which we had no idea how the directory structure looked like. We ended up using <span class="code_single-line">/proc/self/cwd/../webapps/ROOT/html/</span> as a way to reach the webroot.
Even though we thought we had struck gold with this neat trick, it turned out that the bank had hardened their environment and no directory or file inside the <span class="code_single-line">ROOT/html</span> directory was able to be written to.
Theoretically, the ability to write arbitrary files on the system can lead to RCE in many ways (replacing JAR files, replacing system files, adding system config via files), and we mentioned this to the team in our report, however we still wanted a way to prove impact through our arbitrary file upload without causing any major disruption.
We discovered a gadget to replace JavaScript files, which were writeable using our arbitrary file upload. The first step of this chain was to obtain the E-Tag value of the JavaScript file by directly visiting it:
In order to replace this JavaScript file on the local system, we reconstructed the local path it would be at through the following specification:
So, in our case this was:
Sending our PoC with this filename allowed us to write to arbitrary JavaScript files being served by the application.
Given more time, we were confident that we could have achieved command execution due to the nature of this bug. However, since this vulnerability affected over 100 assets belonging to this bank, we reported the vulnerability.
Vendor Response
The timeline for disclosure can be found below:
- Feb 21st, 2022: Disclosure of RCE to DotCMS
- Mar 2nd, 2022: Initial response from DotCMS asking us about who will be filing the CVE
- Mar 2nd, 2022: We responded asking DotCMS to file the CVE
- Mar 31st, 2022: We asked if a CVE has been filed and for updates on the vulnerability
- Mar 31st, 2022: Response from DotCMS providing details on fixes that have been deployed and progress
- Apr 26th, 2022: We let DotCMS team know that we will be publishing the vulnerability as per our co-ordinated disclosure process
Remediation Advice
The remediation details provided from dotCMS’s advisory are satisfactory and will ensure that this vulnerabilty cannot be exploited.
The advisory from DotCMS can be found here.
Conclusion
When we take a look at an attack surface of any orgnisation, within any industry, of any size, there are always going to be blind-spots and weaknesses that once identified can lead to critical severity vulnerabilities.
A common theme we have explored in our blog at Assetnote is the blind trust on vendor software, which is often deployed onto critically placed infrastructure belonging to organisations. This is one of the many weaknesses you can identify when looking at an attack surface.
This blog post also represents the stark differences between exploiting a local dev environment compared to a production environment which may have undergone some hardening. Nonetheless, these are all key considerations when building a reliable exploit, and we believe that given more time it should be possible to use the arbitrary file upload to achieve command execution in some way even if the web accessible directories are not writeable to.
As always, customers of our Attack Surface Management platform were the first to know when this vulnerability affected them. We continue to perform original security research in an effort to inform our customers about zero-day vulnerabilities.
More Like This
Ready to get started?
Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.