Friday, February 21, 2025

Researchers Exploited Nexus Repository Using Directory Traversal Vulnerability


Hackers target and exploit GitHub repositories for a multitude of reasons and illicit purposes.

The widespread use of GitHub and the diverse range of codebases hosted on the platform make it an attractive target for threat actors seeking valuable information and attack vectors.

Cybersecurity researchers recently demonstrated that Nexus Repository can be exploited through a directory traversal vulnerability.

Technical Analysis

During an earlier source code review, security researcher X1r0z examined a publicly available Nexus Repository and found nothing of note in its JAR (Java Archive) packages.

However, after CyberKunlun’s recent vulnerability disclosure, the researcher revisited the same repository and developed a proof-of-concept exploit using the Jazzer Java fuzzing framework. 


Building on previous write-ups, the researcher shares insights on using Java fuzzing to discover vulnerabilities, drawing on that experience and ongoing fuzzing work.

The write-up describes at length how the researcher obtained the Nexus source code, set up a debugging environment, and located the vulnerable code in WebResourceServiceImpl by diffing versions.

Dynamic analysis revealed that when Nexus serves public resource requests such as robots.txt, it delegates to Jetty’s WebAppContext#getResource method.

That in turn constructs Jetty’s PathResource, which normalizes the path with URIUtil.canonicalPath but does not reject traversal sequences before resolving it, which is what leads to the vulnerability.

Note, however, that if the path does not start with “/”, or canonicalization returns null, an exception is thrown. These two constraints are key to a successful attack.

The researcher then applied these observations when fuzzing to create a PoC.

Final PoC (Source: X1r0z)

To evaluate the exploitability, the author extracted relevant Jetty path normalization logic into a test harness for the Jazzer fuzzing framework.

Jazzer is integrated with libFuzzer and instruments Java bytecode to track coverage, perform data flow analysis, and detect unsafe functions.

The harness narrowed the search space by constructing PathResource instances directly from the fuzzer-generated inputs.

Jazzer was then run on this harness with the Jetty dependencies, and it turned out that sending the discovered path as-is was filtered earlier in request processing.

The PoC therefore fully URL-encodes the path before sending the request, so that those earlier filters are bypassed and the request reaches the vulnerable WebResourceServiceImpl code.
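As an added illustration (not X1r0z's harness or Nexus/Jetty code), the Python below re-implements the documented contract of URIUtil.canonicalPath and contrasts a check that runs on the raw request-target before percent-decoding, which fully encoded paths slip past as described above, with one that decodes first; it also flags such requests in constructed access-log lines. All function names, hosts and paths are assumptions.

```python
import re
from urllib.parse import unquote

def canonical_path(path):
    """Mirror URIUtil.canonicalPath's documented contract (re-implemented here):
    None if '..' climbs above the root, ValueError if no leading '/'."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    out = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if not out:
                return None  # tried to climb above the root
            out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def check_weak(request_target):
    """Filter the raw request-target, decode later: the ordering that full
    URL encoding slips past, as the write-up describes."""
    if ".." in request_target:
        return "blocked"
    return "served:" + unquote(request_target)

def check_hardened(request_target):
    """Decode first, then canonicalize, then decide."""
    decoded = unquote(request_target)
    if not decoded.startswith("/"):
        return "blocked"
    canon = canonical_path(decoded)
    return "blocked" if canon is None else "served:" + canon

LOG_LINES = [  # constructed sample entries; hypothetical hosts and paths
    '10.0.0.5 - - "GET /robots.txt HTTP/1.1" 200',
    '10.0.0.9 - - "GET /%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200',
    '10.0.0.7 - - "GET /static/%2E%2E%2F%2E%2E%2Fsettings HTTP/1.1" 404',
    '10.0.0.8 - - "GET /%252e%252e/%252e%252e/hosts HTTP/1.1" 404',
]
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

def flag_traversal(lines):
    """Request-targets whose percent-decoded form (decoded twice, to catch
    double encoding) contains a '..' segment."""
    hits = []
    for line in lines:
        m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
        if m and DOTDOT_SEGMENT.search(unquote(unquote(m.group(1)))):
            hits.append(m.group(1))
    return hits
```

The weak check blocks a literal ".." but serves the encoded form after decoding, while the hardened check rejects both; the log scan catches single- and double-encoded variants that a raw-string filter would miss.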

This combination of manual analysis and automated fuzzing facilitated the development of an effective proof-of-concept exploit.

Although fuzzing reduces the complexity of the test harness to some extent, it can produce false positives and therefore require multiple runs for validation; even so, Java fuzzing tools such as Jazzer remain valuable for vulnerability research.

Fuzz testing that combines these two approaches lets researchers discover subtle vulnerabilities and build robust proofs of concept across the kinds of Java code bases typical of enterprise environments.

Combining both methodologies to study vulnerabilities in software applications uncovers more intricate faults, which in turn helps security experts and analysts develop better defenses.


Tushar Subhra