Monday, December 16, 2024

Researchers Exploited Nexus Repository Using Directory Traversal Vulnerability


Hackers target and exploit GitHub repositories for a multitude of reasons and illicit purposes.

The widespread use of GitHub and the diverse range of codebases hosted on the platform make it an attractive target for threat actors seeking valuable information and attack vectors.

Cybersecurity researchers recently discovered that Nexus Repository can be exploited through a directory traversal vulnerability.


Technical Analysis

During an earlier source code review, security analyst X1r0z reviewed a publicly available Nexus repository and found nothing notable in its JAR (Java Archive) packages.

However, after CyberKunlun’s recent vulnerability disclosure, the researcher revisited the same repository and developed a proof-of-concept exploit using the Jazzer Java fuzzing framework. 


Building on earlier posts on the subject, the author shares insights on using Java fuzzing to discover vulnerabilities, drawing on that experience and ongoing fuzzing work.

The write-up describes at length how the researcher obtained the Nexus source code, set up a debugging environment, and located the vulnerable code in WebResourceServiceImpl by comparing code versions.

For example, dynamic analysis revealed that whenever Nexus handles public resource requests such as robots.txt, it defaults to Jetty’s WebAppContext#getResource method.

This in turn calls Jetty’s PathResource class, which normalizes paths through URIUtil.canonicalPath but does not sanitize them against path traversal, which leads to the vulnerability.

Note, however, that an exception is thrown if the path does not start with “/” or if canonicalization returns null. Both conditions are key factors for a successful attack.

These observations guide the fuzzing the researcher uses to create a PoC.

Final PoC (Source – X1r0z)

To evaluate the exploitability, the author extracted relevant Jetty path normalization logic into a test harness for the Jazzer fuzzing framework.

Jazzer is integrated with libFuzzer and instruments Java bytecode to track coverage, perform data flow analysis, and detect unsafe functions.

The test harness narrowed the fuzzing search space by constructing PathResource instances from the fuzzer-generated inputs.

Jazzer was then run on this harness with the Jetty dependencies, and it was discovered that sending the resulting path directly would cause it to be cleaned up earlier in request processing.

Reaching the vulnerable WebResourceServiceImpl module therefore entails fully URL-encoding the path before sending the request, so that these earlier filters are bypassed.
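A defender-side check for the behaviour described above, as an added example that is not from the original article or X1r0z's write-up: it scans access-log lines for request paths that carry percent-encoded dots or slashes, or that contain `..` segments once fully decoded. The log lines are constructed, and the function names, including `escapes_root` (a simplified stand-in, not Jetty's `URIUtil.canonicalPath`), are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for illustration; not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2024:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 66
198.51.100.9 - - [16/Dec/2024:10:02:11 +0000] "GET /%2e%2e%2f%2e%2e%2fconf%2fapp.properties HTTP/1.1" 400 0
198.51.100.9 - - [16/Dec/2024:10:02:12 +0000] "GET /static/%252e%252e/%252e%252e/conf HTTP/1.1" 404 0
198.51.100.9 - - [16/Dec/2024:10:02:13 +0000] "GET /a/../../conf HTTP/1.1" 400 0
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')
# '.', '/' or '\' percent-encoded once or several times (%2e, %252e, ...).
ENCODED_RE = re.compile(r"%(?:25)*(?:2e|2f|5c)", re.IGNORECASE)

def fully_decode(path, max_rounds=5):
    """Percent-decode until the value stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        if (decoded := unquote(path)) == path:
            break
        path = decoded
    return path

def escapes_root(path):
    """True if '..' climbs above '/'. Simplified stand-in, not Jetty code."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):  # '//' adds no depth, as on a filesystem
            depth += 1
    return False

def inspect(request_target):
    """Return the reasons a request path looks like a traversal attempt."""
    path = request_target.split("?", 1)[0]
    decoded = fully_decode(path).replace("\\", "/")
    checks = [("encoded-dot-or-slash", bool(ENCODED_RE.search(path))),
              ("dot-dot-segment", ".." in decoded.split("/")),
              ("escapes-root", escapes_root(decoded))]
    return [name for name, hit in checks if hit]

def scan(log_text):
    """Return (request_target, reasons) for every flagged log line."""
    targets = REQUEST_RE.findall(log_text)
    return [(t, inspect(t)) for t in targets if inspect(t)]
```

Requests for public static resources rarely need an encoded `.` or `/`, so the `encoded-dot-or-slash` reason alone is a useful alerting signal on that route.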

This combination of manual analysis and automated fuzzing facilitated the development of an effective proof-of-concept exploit.

Although the fuzzing process reduces the complexity of the test harness to some extent, it may result in false positives and consequently demand multiple fuzzing runs for validation; regardless, Java fuzzing techniques such as Jazzer are still advantageous for vulnerability research. 

Fuzz testing that weaves these two approaches allows researchers to discover subtle vulnerabilities and develop robust exploits across various Java code bases typical of enterprise environments.

Combining the two methodologies lets researchers detect more intricate faults, which in turn helps security experts and analysts develop better solutions.


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
