Unpatched Remote Code Execution Flaw Exists in Swagger

Researchers at Rapid7 found a vulnerability in the Swagger Code Generator that could execute arbitrary code embedded in a Swagger document.

An unexpected behavior in a relatively new and popular open source API framework called Swagger could lead to code execution, researchers at Rapid7 said.

The company today disclosed some details on the vulnerability, and released a Metasploit exploit module and a proposed patch written by researcher Scott Davis who found the flaw.

Details were privately disclosed on April 19 to the Swagger API team and then on May 9 to CERT, Rapid7 said. To date, Rapid7 Security Research Manager Tod Beardsley told Threatpost, there has been no response from Swagger’s maintainers. Rapid7 said it shared its patch with CERT on June 16 and today made its public disclosure.

As of Jan. 1, the Swagger specification was donated to the Open API Initiative and became the foundation for the OpenAPI Specification.

The Swagger specification describes, produces and consumes RESTful web services APIs in human- and machine-readable formats. According to Rapid7, Swagger documents can be automatically consumed to generate client-server code, primarily for testing purposes prior to deployment.

“The Swagger definitions are flexible enough to describe most RESTful APIs and give developers a great starting point for their API client,” Rapid7 said in its report. “The problems is that several of these code generators do not take into account the possibility of a malicious Swagger definition document which results in a classic parameter injection, with a new twist on code generation.”

Beardsley said the vulnerability lies in the Swagger Code Generator, and specifically in that parsers for Swagger documents (written in JSON) don’t properly sanitize input. Therefore, an attacker can abuse a developer’s trust in Swagger to include executable code that will run once it’s in the development environment. He added that the flaw behaves similarly to the way attackers embedded malicious executable code inside an Office document.

“If I give you an Office doc, you’re not expecting it to run code, but I can do that,” Beardsley said. “With these Swagger vulnerabilities, I can poison [a Swagger document] and run code on the web server itself.”

Rapid7 said the vulnerability covers the Swagger Code Generator for NodeJS, PHP, Ruby and Java, plus other languages supported by the tool. The research report says that maliciously crafted Swagger documents can dynamically build API clients and servers that execute embedded code. The parsers and generators, Rapid7 said, do not properly sanitize parameters within a Swagger document as it generates code.

“On the client side, a vulnerability exists in trusting a malicious Swagger document to create any generated code base locally, most often in the form of a dynamically generated API client,” Rapid7 said. “On the server side, a vulnerability exists in a service that consumes Swagger to dynamically generate and serve API clients, server mocks and testing specs.”

Beardsley said that exploits would afford an attacker operating system access in the same context as the web server and could allow an attacker to steal private crypto keys, SSL certs, change application functionality or generate new pages, for example.

Rapid7 recommends that developers inspect Swagger documents for “language-specific escape sequences,” until a patch is available.

“Fixes need to be implemented by those creating code generation tools, in general this does not apply to the swagger documents themselves,” Rapid7 said. “Mitigations for all issues include properly escaping parameters before injecting, while taking into account the context the variable(s) are used in inline code creation, and what sanitization efforts are in place to ensure the context of trust for an API specification can maintain a level of code creation free for remote code execution in the known, easily avoidable cases.”

Suggested articles