Remote-code execution flaw identified in OpenAPI framework

[Batu69]

Microsoft, PayPal and others affected

A REMOTE CODE execution flaw has been identified in the widely used OpenAPI framework, also known as the Swagger APIs, that will be easily exploited unless a patch is rushed out.

 

The disclosure was made this week when a module for the widely used Metasploit hacking tool was released, making it easier for criminals to exploit the flaw.

Metasploit is used by companies that build services using RESTful APIs, such as Microsoft, PayPal, Getty Images, Intuit and Apigee, to test the resilience of systems.

 

Swagger is an open source project that provides a standard, language-agnostic interface to RESTful APIs, which enables humans and computers to discover and understand the capabilities of a service without access to source code, documentation, or through network traffic inspection.

 

Scott Davis, application security researcher at Rapid7, explained in a blog post about the CVE-2016-5641 flaw that the disclosure "will address a class of vulnerabilities in a Swagger Code Generator in which injectable parameters in a Swagger JSON or YAML [a human-readable data serialisation language] file facilitate remote code execution. This vulnerability applies to NodeJS, PHP, Ruby, and Java and probably other languages as well."

 

Other code-generation tools may also be vulnerable to parameter injection and could be affected by this approach.

"By leveraging this vulnerability, an attacker can inject arbitrary execution code embedded with a client or server generated automatically to interact with the definition of service," Davis added.

 

"Within the Swagger ecosystem, there are fantastic code generators which are designed to automagically take a Swagger document and then generate stub client code for the described API.

 

"This is a powerful part of the solution that makes it easy for companies to provide developers the ability to quickly make use of their APIs. The Swagger definitions are flexible enough to describe most RESTful APIs and give developers a great starting point for their API client."

 

The flaw is caused by code generators that do not take into account the possibility of a malicious Swagger definition document which results in a classic parameter injection with a "new twist on code generation", according to Davis.

 

"Maliciously crafted Swagger documents can be used to dynamically create HTTP API clients and servers with embedded arbitrary code execution in the underlying operating system," he explained.

 

"This is achieved by the fact that some parsers/generators trust insufficiently sanitised parameters in a Swagger document to generate a client code base.

"On the client side, a vulnerability exists in trusting a malicious Swagger document to create any generated code base locally, most often in the form of a dynamically generated API client.

 

"On the server side, a vulnerability exists in a service that consumes Swagger to dynamically generate and serve API clients, server mocks and testing specs."

It is not yet known when a patch for the flaw will be released.

 

Article source