CVE-2023-35150: Arbitrary Code Injection in XWiki.org XWiki

August 23, 2023 | Trend Micro Research Team

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Simon Humbert and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the XWiki free wiki software platform. This bug was originally discovered by Michael Hamann with public Proof-of-Concept (PoC) code provided by Manuel Leduc. Successful exploitation of this vulnerability would allow an authenticated attacker to perform an arbitrary code injection on affected systems. The following is a portion of their write-up covering CVE-2023-35150, with a few minimal modifications.


A code injection vulnerability has been reported in XWiki.Org XWiki. The vulnerability is due to improper input validation when rendering a link in the Invitation Application.

A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary code injection.

The Vulnerability

XWiki is a second-generation wiki, which provides wiki functionality as well as an application development platform. XWiki offers the features expected from a wiki (such as powerful access rights and user management) and the possibility to create new applications on top of the platform. The XWiki interface can be accessed over HTTP on port 8080 by default.

XWiki includes a robust scripting feature set. Scripting allows users to create basic to complex web applications at the XWiki page (or view) layer without the need for compiling code or deploying software components. In other words, users can use scripting syntax in addition to wiki markup inside the content of an XWiki page. XWiki supports a variety of scripting languages, with Velocity, Groovy, and Python enabled by default. XWiki implements the JSR-223 scripting platform to support the evaluation of script code. XWiki implements a script macro that evaluates script code and has the following form:

Script code for the default enabled languages can be declared directly with the language name as follows:

XWiki includes an “Invitation Application”. The “Invitation Application” is used to configure a wiki to send email notifications to users to request registration with the server. The user can then access a provided link to register with the server.

A code injection vulnerability has been reported in XWiki. The vulnerability is due to insufficient validation of user data rendered by the “Invitation Application”. Requests to the “Invitation Application” typically consist of many request parameters, with the action parameter used to determine what actions to take for the request. If the action parameter is not present, the server will display a link to the “Invitation Application” based on the contents of the request-URI. However, the request-URI is not sanitized before rendering the link. An attacker could include script code in the request-URI that will then be evaluated when the link is rendered. An example of a malicious request-URI is shown below:

Source Code Walkthrough

The following code snippet was taken from XWiki version 14.10.3. Comments added by Trend Micro have been highlighted.

From xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/main/resources/Invitation/InvitationGuestActions.xml:

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on the following ports:
         -- HTTP, over port 8080/TCP
         -- HTTPS, over port 8443/TCP

Note that traffic may be SSL encrypted and should be decrypted before applying the following guidance. The detection device must monitor for HTTP requests to XWiki endpoints with a request-URI that contains the string:

         /xwiki/bin/view

If found, the detection device must look for a request parameter with the name sheet with a value of “Invitation.InvitationGuestActions” and a request parameter with the name xpage with a value of view. If found, the request-URI should be inspected for the characters {{ (or the URL encoded equivalent %7B%7B, case insensitive). If found, the traffic should be considered suspicious and an attack exploiting this vulnerability is likely underway.

Note that the string matching of the request-URI and parameter names should be performed in a case-insensitive manner.
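
The checks above can be expressed as a small filter over request lines. This is an added example, not code from the original report or from XWiki. The request lines are constructed, "marker" is a harmless placeholder, and the function names are hypothetical. It decodes the request-URI once before looking for {{, which also catches mixed literal and encoded braces, slightly beyond the two forms listed.

```python
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/xwiki/bin/view"
SHEET_VALUE = "Invitation.InvitationGuestActions"
XPAGE_VALUE = "view"

# Constructed request lines for illustration only.
SAMPLE_REQUESTS = [
    "GET /xwiki/bin/view/Main/?sheet=Invitation.InvitationGuestActions&xpage=view HTTP/1.1",
    "GET /xwiki/bin/view/%7B%7Bmarker%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view HTTP/1.1",
    "GET /XWiki/bin/view/{%7bmarker}}?SHEET=Invitation.InvitationGuestActions&XPage=view HTTP/1.1",
    "GET /xwiki/bin/view/%7B%7Bmarker%7D%7D?sheet=Main.WebHome&xpage=view HTTP/1.1",
]


def is_suspicious(request_uri):
    """Apply the detection guidance to one raw (still URL-encoded) request-URI."""
    decoded = unquote(request_uri)
    # Request-URI match is case-insensitive.
    if ENDPOINT not in decoded.lower():
        return False
    # Parameter names are matched case-insensitively; values are compared
    # exactly as written in the guidance (assumption of this example).
    params = {}
    query = request_uri.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name.lower(), set()).add(value)
    if SHEET_VALUE not in params.get("sheet", ()):
        return False
    if XPAGE_VALUE not in params.get("xpage", ()):
        return False
    # "{{" literal, %7B%7B in any case, or a mix of the two.
    return "{{" in decoded


def scan(request_lines):
    """Return the request-URIs of HTTP request lines that match the guidance."""
    flagged = []
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) >= 2 and is_suspicious(parts[1]):
            flagged.append(parts[1])
    return flagged


if __name__ == "__main__":
    for uri in scan(SAMPLE_REQUESTS):
        print("suspicious:", uri)
```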

Conclusion

This vulnerability has been addressed in XWiki versions 14.4.8, 14.10.4, and 15.0. In their announcement of the fix, the XWiki team also showed the steps to reproduce this bug, which essentially serves as a public PoC. No other mitigations are listed beyond upgrading to a fixed version, so it is recommended all XWiki users upgrade to a non-impacted version as soon as possible.

Special thanks to Simon Humbert and Lucas Miller of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.
