Bugs in URL parser logic can be exploited for RCE, bypass access control lists, and leak information

Inconsistent parsing between system components can be exploited for remote code execution (RCE) on a number of websites, a researcher has found.

The vulnerability lies in the “inconsistency” of parser logic, says Orange Tsai, a researcher with DEVCORE, who presented his findings at this year’s Black Hat conference.

Authentication is bypassed through flawed path parsing and normalization – the way websites communicate with their multiple elements in order to function properly.

“It’s hard to write a well-designed parser,” Tsai said, writing in a blog post.

“[Each] different entity has its own standard and implementation. In order to fix a bug without impacting business logic, it’s common to apply a work-around or filter instead of patching the bug directly. Therefore, if there is any inconsistency between the filter and the called method, the security mechanism can be easily bypassed!”

Multi-layered architectures can easily yield 0-day attacks due to the numerous features within its framework. Security issues arise when these features do not together implement a standardized protocol, Tsai said.

“While I was reading advisories, I noticed a feature called URL Path Parameter. Some researchers have already pointed out that this feature may lead to security issues, but it will still depend on the programming failure!” he added.

Tsai noted that those using a reverse proxy under Java would be under threat, and that proxy and backend servers should be checked in order to mitigate any risk.

Having first experimented with the parser logic attack surface in 2015, Tsai recently turned his attention to an Amazon domain intended for internal collaboration.

“It turns out that this attack surface can not only leak information but also bypass an access control list (such as my Uber OneLogin bypass case), and [can] lead to RCE in several bug bounty programs,” he said.

“Nuxeo uses a custom authentication filter NuxeoAuthenticationFilter. 

“From the filter, we know most pages require authentication, but there is a whitelist allowing a few entrances such as login.jsp. 

Unfortunately Nuexeo truncates paths containing semicolons.

He added: “Due to the truncation, we can forge a request that matches the whitelist in ACL but reach the unauthorized area in Servlet!”

Amazon responded to Tsai’s report and promptly released a patch.

As Tsai continues to build more ‘inconsistency’ case studies through bug bounty programs, security researchers will now likely be racing to automate these techniques and apply them at scale.

The Daily Swig has reached out to Orange Tsai for comment.