Friday, November 15, 2024
HomeCVE/vulnerabilityResearchers Exploited Nexus Repository Using Directory Traversal Vulnerability

Researchers Exploited Nexus Repository Using Directory Traversal Vulnerability

Published on

Hackers target and exploit GitHub repositories for a multitude of reasons and illicit purposes.

The widespread use of GitHub and the diverse range of codebases hosted on the platform make it an attractive target for threat actors seeking valuable information and attack vectors.

Cybersecurity researchers recently discovered that the Nexus repository can be exploited using the directory traversal vulnerability.

- Advertisement - SIEM as a Service

Technical Analysis

During a former source code review, the security analyst X1r0z reviewed a publicly available Nexus repository and found no important details in JAR packages for Java Archives. 

However, after CyberKunlun’s recent vulnerability disclosure, the researcher revisited the same repository and developed a proof-of-concept exploit using the Jazzer Java fuzzing framework. 

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Building on previous entries in this regard, the author has decided to share some insights on using Java fuzzing to discover vulnerabilities based on that experience and continuous work on fuzzing.

To find out how this is done, it’s been described at length how the researcher got the nexus source code, established a debugging environment, and detected the vulnerability spot in WebResourceServiceImpl by comparing versions of codes.

For example, dynamic analysis revealed that whenever Nexus deals with public resource requests such as robots.txt it defaults to Jetty’s WebAppContext#getResource method.

This then calls Jetty’s PathResource class which normalizes paths through URIUtil.canonicalPath but fails to sanitize them before path traversal, consequently leading to a vulnerability.

However, you should note that if the path does not start with “/” or canonical paths lead to null, an exception will be thrown. These are key factors necessary for successful attacks.

The researcher will likely use these ideas when trying fuzzing to create a PoC.

Final PoC (Source - X1r0z)
Final PoC (Source – X1r0z)

To evaluate the exploitability, the author extracted relevant Jetty path normalization logic into a test harness for the Jazzer fuzzing framework.

Jazzer is integrated with libFuzzer and instruments Java bytecode to track coverage, perform data flow analysis, and detect unsafe functions.

The testing environment narrowed the fuzzing possibilities by constructing PathResource instances from the corrupted inputs.

Jazzer was then run on this harness with Jetty dependencies, and it was discovered that using the exposed path directly would clean up request processing earlier.

This entails fully URL-encoding the path before sending the request so that these filters can be bypassed, leading to the vulnerable WebResourceServiceImpl module.

This combination of manual analysis and automated fuzzing facilitated the development of an effective proof-of-concept exploit.

Although the fuzzing process reduces the complexity of the test harness to some extent, it may result in false positives and consequently demand multiple fuzzing runs for validation; regardless, Java fuzzing techniques such as Jazzer are still advantageous for vulnerability research. 

Fuzz testing that weaves these two approaches allows researchers to discover subtle vulnerabilities and develop robust exploits across various Java code bases typical of enterprise environments.

This can be achieved by merging both methodologies used by participants to study vulnerabilities in software applications to detect more intricate faults, thereby enabling security experts and analysts to develop better solutions.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...