Open source project fixes bug after researchers point out technical mishap

Researchers were able to gain remote code execution (RCE) on Apache Axis servers after exploiting an expired domain previously owned by the open source project.

A team from Rhino Security Labs has demonstrated how it was able to gain access to the software company’s servers by taking advantage of an apparent oversight.

Apache Axis, a core engine for web services, is currently at version Axis2 1.7.9.

The vulnerability is present in an older version, 1.4, which is still available and in use by some coders.

The demo service StockQuoteService.jws loads data from the domain www.xmltoday.com. After discovering that this domain had actually expired and was no longer owned by Apache Axis, Rhino Security Labs researchers quickly purchased it.

The team then set up a redirect from the domain to a localhost URL.

As Rhino Security Labs' blog post details: “Axis treats requests coming from localhost with administrative privileges, which allows you to launch a malicious service by making an HTTP GET request which appears to be coming from localhost through an SSRF vulnerability.”

After setting up the redirect to a specially crafted localhost URL and combining it with the SSRF to RCE trick, researchers could gain RCE on Axis servers. The vulnerability was documented as CVE-2019-0227.
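A defensive check for the pattern described above, as an added example that is not from the article, Rhino Security Labs or the Axis project: before a server-side fetch follows a redirect, every hop is validated so that an external URL cannot bounce the request to loopback or another internal address. The hostnames, the `resolve` helper and the sample chain are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real lookups).
SAMPLE_DNS = {
    "feed.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "alias.example.net": ["10.0.0.5"],  # public name pointing at a private address
}

def resolve(host):
    """Hypothetical resolver; a real caller would query DNS and pin the answer."""
    return SAMPLE_DNS.get(host, [])

def is_internal(host, resolver=resolve):
    """True if host is, or resolves to, an address the server should not fetch."""
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return True  # unresolvable: fail closed
    for a in addrs:
        a = getattr(a, "ipv4_mapped", None) or a  # unwrap ::ffff:127.0.0.1
        if a.is_loopback or a.is_private or a.is_link_local or a.is_unspecified:
            return True
    return False

def check_redirect_chain(hops, resolver=resolve):
    """Validate the requested URL and every redirect target, in order."""
    for i, url in enumerate(hops):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, f"hop {i}: unsupported URL"
        if is_internal(parts.hostname, resolver):
            return False, f"hop {i}: {parts.hostname} is internal or unresolvable"
    return True, "ok"

# Constructed chain: an external data feed that answers with a redirect to loopback.
SAMPLE_CHAIN = ["http://feed.example.com/quotes.xml", "http://localhost:8080/internal"]

if __name__ == "__main__":
    print(check_redirect_chain(SAMPLE_CHAIN))
```

A check like this only helps if the HTTP client has automatic redirect following turned off and calls it on each `Location` target, connecting to the address that was validated rather than resolving the name a second time.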

“In this case it was largely a matter of Dave [Yesland, who discovered the bug] reading over the source code and finding a demo application was vulnerable,” Benjamin Caudill, founder and CEO of Rhino Security Labs, told The Daily Swig.

“Original research and finding 0days is never easy – at the core of it, we’re trying to find something that no one else has found (including the vendor themselves).

“That requires a lot of diligence and creativity to do consistently, and we treat every CVE as a milestone for the team.”

He added: “It was surprising to see the domain had been allowed to expire, but once that was discovered the rest of the pieces fell into place.”

The Daily Swig also reached out to the Apache Axis team, who said that they are still committed to patching outdated releases.

Robert Lazarski, vice president of Apache Axis, said: “After a coding discussion on the Axis private email list, we decided on a fix and notified the OP with security@apache.org CC’d. The fix itself was a one-line Java code change and removing a file from the WAR file that the Axis 1.x project distributes.

“Although Axis 1.x was last released in 2006, we do not consider it EOL [End of Life]. Bug and security commits continue in SVN [Subversion]. Legacy users are encouraged to build from source.”

Caudill added: “The Apache Axis team responded very quickly and have been great to work with, especially considering Axis 1.4 is an older version and not actively maintained.

“They still went ahead and worked on a patch for the issue, and have been very responsive in getting this fixed.”

Apache Axis has directed legacy users to build using the instructions here. The latest version, Axis2, can be downloaded here.