Write-up for a Path Traversal on Gravitee.io
This article will present an uncommon vulnerability discovered by the Michelin CERT team on Gravitee.io.
The team was able to chain a low-level vulnerability with path traversal to have access to the server file system from an unauthenticated endpoint.
Gravitee.io
Gravitee.io is an open source API management solution developed in Java helping organizations to control finely who, when and how users access your APIs. You can visit their website here : https://gravitee.io/.
The source code is available on Github. We invite you to contribute to this project.
SendEmail Service
The part of the code that will interest us for this article is the email service. This implementation class is the only entry point for sending email from the application.
Usually email sending feature is commonly vulnerable to Server-Side Template Injection (One of the famous recent example is the RCE in Jira CVE-2019–1158, an excellent article is available here or less critical HTML injection vulnerability (HackerOne report)
When an email is written in HTML, images can be included by using HTTP/HTTPS or using CID (or Content-ID) Embedded Images.
The second option has been used in Gravitee to include resource image such as company logo, etc…
Let’s see how the CID image has been included in this class.
Go deeper into the code
The email service used the following method to add the resource image from an HTML content.
As we can see, the HTML parser Jsoup was used to collect all `<img>` tags inside the HTML mail and get the value of `src` attribute.
The service will check if the image to be embedded is an url or if it is a local resource, this is done by the second part of the lambda expression checking if the src starts with `http` or not.
Based on it, the service will change the `href` attribute to `cid:xxx` (link to CID resource).
The last loop of the method enclosed the binary data of the resource inside the mail with a new instance of `FileSystemResource`. The String `res` was taken as-is from the parsed `<img>` tag.
The following HTML code passed in this method will enclose the classic `/etc/passwd` file.
<img src=’../../../../../../../etc/passwd’ />
By the way, the main point to validate the flaw is where and how we can insert this payload.
A special thanks to the HTML injection!!
Before this finding, the team found out that inputs reflected in emails were not protected against `HTML injection` vulnerability.
In order to increase the severity of the vulnerability, we had to find a non-authenticated endpoint that will send emails. The register user feature present on the main page was a good candidate for it. Last Name and First Name parameters were injectable and were reflected in the account validation email sent to the user.
The following request was used to extract arbitrary file from the server.
Now, we just need to wait for the gift mail.
Let’s open the attachment and … Surprise!! `/etc/passwd` appeared.
Responsible Disclosure and fixes.
This vulnerability (Score CVSSv3 : 8.6) has been discovered during an internal pentest of the Gravitee solution.
The first step was to contact the Gravitee development team, they had an outstanding reactivity and proposed and deployed a fix less than a week.
we would like to thank Gravitee.io for letting us publish this article.