Pierluigi Paganini June 24, 2016

This disclosure of an unpatched Remote Code Exec flaw in the Swagger API framework compromises NodeJS, Ruby, PHP, and Java.

Swagger is a representation of RESTful API that allows developers to get interactive documentation, client SDK generation and discoverability.

The Swagger generators are privileged tools for organisations to offer developers easy access to their APIs.

Currently, the Swagger APIs helps companies like Apigee, Getty Images, Intuit, LivingSocial, McKesson, Microsoft, Morningstar, and PayPal in building services with RESTful APIs.

Now an unpatched remote code execution vulnerability (CVE-2016-5641) in the Swagger API framework, affecting both client and server components, has been publicly disclosed.

The security vulnerability exists in code generators within the OpenAPI Specification, the REST programming tool.

“The Open API Initiative (OAI) was created by a consortium of forward-looking industry experts who recognize the immense value of standardizing on how REST APIs are described.” states the official description.

The remote code execution vulnerability is easy to exploit due to the availability of a Metasploit module released by the security researcher Scott Davis. Davis explained that injectable parameters in Swagger JSON or YAML files allow attackers to remotely execute code across NodeJS, PHP, Ruby, and Java. Davis highlighted that other code generation tools may be vulnerable to parameter injection attacks.

“This disclosure will address a class of vulnerabilities in a Swagger Code Generator in which injectable parameters in a Swagger JSON or YAML file facilitate remote code execution. This vulnerability applies to NodeJS, PHP, Ruby, and Java and probably other languages as well.” Davis wrote in a blog post published on the Rapid7 community. “Other code generation tools may also be vulnerable to parameter injection and could be affected by this approach. By leveraging this vulnerability, an attacker can inject arbitrary execution code embedded with a client or server generated automatically to interact with the definition of service.  This is considered an abuse of trust in definition of service, and could be an interesting space for further research.” 

Davis explained that attackers can exploit specially crafted Swagger documents to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system. The attack relies on the lack of proper sanitization of the parameters within a Swagger document.

“This is achieved by the fact that some parsers/generators trust insufficiently sanitized parameters within a Swagger document to generate a client code base.

• On the client side, a vulnerability exists in trusting a malicious Swagger document to create any generated code base locally, most often in the form of a dynamically generated API client.
• On the server side, a vulnerability exists in a service that consumes Swagger to dynamically generate and serve API clients, server mocks and testing specs.”

The bad news is that the flaw is still unpatched despite is was publicly disclosed, last month the US-CERT issued a specific alert and experts from Rapid 7 already devised a fix.

Rapid7 first attempted to contact the maintainers of the Swagger project in April, exactly one week ago, on June 16, it provided to the US-CERT a patch. The Metasploit module was released on the date of public disclosure, June 23.

Waiting for the release of the patch by the maintainers, users need to carefully inspect Swagger documents for language-specific escape sequences.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – remote code execution flaw, hacking)