Saturday, June 15, 2024

Researchers Exploited Nexus Repository Using Directory Traversal Vulnerability

Hackers target and exploit GitHub repositories for a multitude of reasons and illicit purposes.

The widespread use of GitHub and the diverse range of codebases hosted on the platform make it an attractive target for threat actors seeking valuable information and attack vectors.

Cybersecurity researchers recently discovered that the Nexus repository can be exploited using the directory traversal vulnerability.

Technical Analysis

During a former source code review, the security analyst X1r0z reviewed a publicly available Nexus repository and found no important details in JAR packages for Java Archives. 

However, after CyberKunlun’s recent vulnerability disclosure, the researcher revisited the same repository and developed a proof-of-concept exploit using the Jazzer Java fuzzing framework. 

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Building on previous entries in this regard, the author has decided to share some insights on using Java fuzzing to discover vulnerabilities based on that experience and continuous work on fuzzing.

To find out how this is done, it’s been described at length how the researcher got the nexus source code, established a debugging environment, and detected the vulnerability spot in WebResourceServiceImpl by comparing versions of codes.

For example, dynamic analysis revealed that whenever Nexus deals with public resource requests such as robots.txt it defaults to Jetty’s WebAppContext#getResource method.

This then calls Jetty’s PathResource class which normalizes paths through URIUtil.canonicalPath but fails to sanitize them before path traversal, consequently leading to a vulnerability.

However, you should note that if the path does not start with “/” or canonical paths lead to null, an exception will be thrown. These are key factors necessary for successful attacks.

The researcher will likely use these ideas when trying fuzzing to create a PoC.

Final PoC (Source - X1r0z)
Final PoC (Source – X1r0z)

To evaluate the exploitability, the author extracted relevant Jetty path normalization logic into a test harness for the Jazzer fuzzing framework.

Jazzer is integrated with libFuzzer and instruments Java bytecode to track coverage, perform data flow analysis, and detect unsafe functions.

The testing environment narrowed the fuzzing possibilities by constructing PathResource instances from the corrupted inputs.

Jazzer was then run on this harness with Jetty dependencies, and it was discovered that using the exposed path directly would clean up request processing earlier.

This entails fully URL-encoding the path before sending the request so that these filters can be bypassed, leading to the vulnerable WebResourceServiceImpl module.

This combination of manual analysis and automated fuzzing facilitated the development of an effective proof-of-concept exploit.

Although the fuzzing process reduces the complexity of the test harness to some extent, it may result in false positives and consequently demand multiple fuzzing runs for validation; regardless, Java fuzzing techniques such as Jazzer are still advantageous for vulnerability research. 

Fuzz testing that weaves these two approaches allows researchers to discover subtle vulnerabilities and develop robust exploits across various Java code bases typical of enterprise environments.

This can be achieved by merging both methodologies used by participants to study vulnerabilities in software applications to detect more intricate faults, thereby enabling security experts and analysts to develop better solutions.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles