Vulnerability Summary: CVE-2018-5430
TIBCO’s JasperReports (<=6.2.4, 6.3.0, 6.3.2-3, 6.4.0, 6.4.2, CE/ActiveMatrix BPM and Jaspersoft AWS with Multi-Tenancy/Reporting and Analytics for AWS <=6.4.2) is vulnerable to an authenticated file read and inclusion vulnerability by means of directory traversal. It is possible for an attacker, regardless of user permissions, to access or include files from within the filesystem hosting the application.
CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Introduction: JasperResports Background and Security
In dealing with the day to day engagements, Rhino Security Labs’ consultants are introduced a variety of applications deployed in complex enterprise environments. Our team is often tasked with auditing these production installations for various vulnerabilities. In a recent penetration test we encountered a client’s JasperReports Server – a data aggregation and reporting tool.
Here’s the description of JasperReports from the TIBCO website:
“Reporting and Analytics Server: JasperReports Server is a stand-alone and embeddable reporting server. It provides reporting and analytics that can be embedded into a web or mobile application as well as operate as a central information hub for the enterprise by delivering mission critical information on a real-time or scheduled basis to the browser, mobile device, or email inbox in a variety of file formats. JasperReports Server is optimized to share, secure, and centrally manage your Jaspersoft reports and analytic views.”
The process in auditing publicly accessible application is to review the reported CVE and security disclosure history, looking for any areas of interest or current vulnerabilities that an adversary could leverage.
Fortunately, this installation was using the latest version of the software. This provided our researchers with the opportunity to download the Community Edition (CE) and begin our work there. JasperReports is written in Java, and part of our app auditing process is dynamic analysis. This approach opens up the potential for our researchers to identify deep-seated vulnerabilities and capitalize on those findings.
One such issue that came up was an information disclosure by means of directory traversal, file read access and the potential for JSP file inclusions. Three separate attack paths using one vector in this case. Technical details are disclosed in this article.
While investigating JasperReports’ handling of paths in query parameters, out team discovered it would be possible for an attacker to read files from the filesystem hosting the application. Albeit limited to within the WEB-INF directory structure, we determined that we could read sensitive configuration files, which can be abused for additional exploitation.
Exploring the core vulnerability itself, we did a deep dive into where the issue was located and potential abuse scenarios:
Bypassing JasperReports Access Controls
The following example allowed us to include an administrator JSP from a low privileged user (joeuser):
/jasperserver/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/adminImport
Which took us from:
getAttribute() @ HttpServletRequestParameterMap.java:57 > string[] = wrapper.getParameterValues("page")
To:
getResource() @ DirResourceSet.java:101 > file = new File(/home/rhino/jasperreports...mcat/webapps/jasperserver,"/WEB-INF/jsp/modules/administer/adminImport.jsp")
Due to a lack of input validation we found ourselves with the capability to traverse paths to a destination of our choice. Below you will find more Proof of Concepts (PoCs) of the the attack in question:
Accessing Administrator Export Functions
/jasperserver-pro/___________?{param}=..
Accessing AWS Configuration Functions
/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/awsConfiguration
The above issue allowed us to load privileged portions of the application geared towards the Administrator, thus bypassing access controls.
Local File Read
The following command allowed us to read configuration files on the server, taking advantage of an unsanitized ‘page’ perimeter and reading configuration files. An attacker would use these credentials to further pivot across application and services. Although the above screenshot provides a randomly generated password for the occasion, we decided to blur it out of habit.
/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../js.jdbc.properties;
Local File Inclusion (JSP)
And in the event of a post-intrusion scenario, an attacker would need to upload an arbitrary JSP file, masqueraded as a regular file (sans .jsp) to the victims filesystem and execute something like the following via a local file inclusion:
/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/file;
NOTE: Since the application appends ‘.jsp’ to the ‘page’ paramater value, normally you would end up with ../../../jsp/modules/administer/file.jsp. However, if we want to read configuration files we need to trick Java to read our desired file, and ignore the ‘.jsp’ addition. NULL bytes (%00) do not work, however we were able to bypass the problem by adding a semicolon to our desired file.
Conclusion
With the issue at hand being patched, we felt it would be great to discuss the discovery process as well as the technical details and disclosure process for the aforementioned issue.
We were delighted to see TIBCO’s proactive response to the vulnerability disclosure and process. It is important for organizations with large applications like JasperReports to investigate, coordinate and disclose security issues as they come in.
At Rhino Security Labs, we put an emphasis on security research as part of our day to day process. As new vulnerabilities are discovered, we make use of our vulnerability disclosure policy, ensuring that not only are helping to secure our clients but giving back to the community with each finding.
Affected Versions
- TIBCO JasperReports Server versions 6.2.4 and below
- TIBCO JasperReports Server versions 6.3.0, 6.3.2, and 6.3.3
- TIBCO JasperReports Server versions 6.4.0 and 6.4.2
- TIBCO JasperReports Server Community Edition versions 6.4.2 and below
- TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.2 and below
- TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.2 and below
- TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.2 and below
Disclosure Timeline
12/20/2017: Rhino Security Labs requests security contact
12/20/2017: TIBCO security contact responds; Company holidays in effect
12/22/2017: Rhino Security Labs discloses vulnerability to TIBCO
12/23/2017: TIBCO Acknowledges of vulnerability report
1/12/2018: Rhino Security Labs requests an update
1/12/2018: TIBCO provides confirmation and requests further details
1/13/2018: Rhino Security Labs sends additional detail
1/31/2018: TIBCO provides timeline update
2/12/2018: TIBCO provides timeline update
2/12/2018: Rhino Security Labs acknowledges communication
3/13/2018: TIBCO provides timeline update
4/17/2018: TIBCO releases information to the public
4/17/2018: Rhino Security Labs provides acknowledgement and discloses vulnerability