CVE-2022-40308漏洞分析及復現(xiàn)

CVE-2022-40308

Apache Archiva < 2.2.9

環(huán)

https://archive.apache.org/dist/archiva/2.2.8/binaries/apache-archiva-2.2.8-bin.zip

https://codeload.github.com/apache/archiva/zip/refs/tags/archiva-2.2.8

./bin/archiva console或.\bin\archiva.bat console

可以提前在conf/wrapper.conf添加如下配置,方便IDEA遠程調試

wrapper.java.additional.9=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005

首次運行需要添加Admin用戶,注意需要勾選Validated復選框:

http://127.0.0.1:8080/#open-admin-create-box

現(xiàn)

前置條件是啟用匿名讀取或者使用擁有archiva-read-repository權限的用戶

前置條件是啟用匿名讀取或者使用擁有archiva-read-repository權限的用戶,在如下界面點擊下載然后抓包

修改URL為/repository/internal/..//../data/data-bases/users/log/log1.dat,這將會讀取Archiva根目錄下的data/databases/users/log/log1.dat文件,該文件會記錄系統(tǒng)用戶賬號及加密后的密碼

由web.xml

<servlet-mapping>? <servlet-name>RepositoryServlet</servlet-name>? <url-pattern>/repository/*</url-pattern></servlet-mapping>

入口在RepositoryServlet,而且POC/repositor-y/internal/..///../data/databases/users/log/log1.dat中的..///..必須是兩個及以上數(shù)量的/

如果URL為/repository/internal/../../data/data-bases/users/log/log1.dat,則Jetty會認為請求的是/data/databases/users/log/log1.dat而非/repo-sitory/*

org.apache.archiva.webdav.RepositoryServlet#service

protected void service( HttpServletRequest request, HttpServletResponse response )? ? throws ServletException, IOException{? ? WebdavRequest webdavRequest = new WebdavRequestImpl( request, getLocatorFactory() );? ? // DeltaV requires 'Cache-Control' header for all methods except 'VERSION-CONTROL' and 'REPORT'.? ? int methodCode = DavMethods.getMethodCode( request.getMethod() );? ? boolean noCache = DavMethods.isDeltaVMethod( webdavRequest ) && !( DavMethods.DAV_VERSION_CONTROL == methodCode? ? ? ? || DavMethods.DAV_REPORT == methodCode );? ? WebdavResponse webdavResponse = new WebdavResponseImpl( response, noCache );????DavResource?resource?=?null;? ? try? ? {? ? ? ? // make sure there is a authenticated user? ? ? ? if ( !getDavSessionProvider().attachSession( webdavRequest ) )? ? ? ? {? ? ? ? ? ? return;????????}? ? ? ? // check matching if=header for lock-token relevant operations? ? ? ? resource =????????????getResourceFactory().createResource(?webdavRequest.getRequestLocator(),?webdavRequest,?webdavResponse?);? ? ? ? if ( !isPreconditionValid( webdavRequest, resource ) )? ? ? ? {? ? ? ? ? ? webdavResponse.sendError( DavServletResponse.SC_PRECONDITION_FAILED );? ? ? ? ? ? return;? ? ? ? }? ? ? ? if ( !execute( webdavRequest, webdavResponse, methodCode, resource ) )? ? ? ? {? ? ? ? ? ? super.service( request, response );????????}? ? }...}

跟入getResourceFactory().createResource

org.apache.archiva.webdav.ArchivaDavResourceFactory#createResource(org.apache.jackrabbit.webdav.DavResourceLocator, org.apache.jackrabbit.webdav.DavServletRequest, org.apache.jackrabbit.webdav.DavServletResponse)

鑒權在processRepository(...)中,過了鑒權后發(fā)現(xiàn)其實問題也是由于未驗證文件名,這里將包含目錄穿越的路徑直接拼接到new File()參數(shù)中

這是當時給官方提交漏洞后,官方回復的修復方式,和目前最新版的代碼好像不太一樣

https://github.com/apache/archiva/commit/4a2d43be63634331668d71590034963e96a8886a#diff7828cc4ef12a5f453debc98ef5c3eaf85c6851b271ee298a75b4bd6ea001846cR605

當時的修復方式和CVE-2022-40309的修復差不多

https://lists.apache.org/thread/1odl4p85r96n27k577jk6ftrp19xfc27

https://lists.apache.org/thread/x01pnn0jjsw512cscxsbxzrjmz64n4cc

?著作權歸作者所有,轉載或內容合作請聯(lián)系作者
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發(fā)布,文章內容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務。

推薦閱讀更多精彩內容