lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <817f2c34-6de7-143a-7a96-508d5865f4b4@shinynightmares.com>
Date: Thu, 3 Nov 2016 12:56:02 +1300
From: aj <aj@...nynightmares.com>
To: fulldisclosure@...lists.org
Subject: [FD] Sparkjava Framework - Arbitrary File Read Vulnerability

Hey folks,


Spark (sparkjava.com) is a mildly hyped Java micro web framework that
also provides functionality to serve static files. Unfortunately,
there's no protection against directory traversal attacks and I haven't
been able to contact anyone related to the project (after trying 4
people over 2 weeks). As this bug is not that awesome, and fairly
trivial to find, please help yourself to some semi-shitty 0-day. 

If configured, Spark provides two ways to serve static files, either
from the classpath via  Spark.staticFileLocation() or the filesystem via
Spark.externalStaticFileLocation().


-----------------------------------

Classpath Vuln

-----------------------------------

Exploit the classpath based vulnerability with something like:

curl "http://<host>/..\..\spark\Spark.class"

The number of ..\ you need in the path depends on where in the classpath
the static file location is configured to be. If you don't have the
right amount then you don't get anything, but this is trivially brute
forced. The classpath often has juicy things like configuration files
and keystores, or you could look for non-framework class files and
decompile them.


-----------------------------------

Filesystem Vuln

-----------------------------------

Try something like:

curl
"http://<host>/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd"


I'm sure you can figure out what to do from here.



This is tested on Spark 2.5 and git master, it should work on earlier
versions.

If you need a workaround, don't use Spark to serve static files and move
them to another web server.


Cheers,
aj

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ