Fix Commit

Please refer to "grafana/grafana@c798c0e".

Why?

It's not safe to use "filepath.Join" for user input.

What is "Rel"?

func Rel(basepath, targpath)

/* Join(basepath, Rel(basepath, targpath)) == targpath */

Returns a relative path that is equivalent to targpath when joined to basepath with an /.

Return error if targpath can't be made relative to basepath.

How to fix it?

Check if it's relative path before

Try it!

Get "/flag" using skill you learn.

Hint: Use "curl --path-as-is" to preserve "../" path.

Fix Commit

Looks familar?

We could use "%2e" or "%2E" to exploit it.

Try it!

The flag is located in "/flag" file.

Why?

Let's review previous security patch.

Fix Commit

Assert "%" will follow by two "[0-9a-f]" char.

Try it!

Use "%%32%65" to double encode.

How to use zip command

$ zip -r9 -q 'target.zip' './source.txt'

-q, --quiet
    Quiet mode; eliminate informational messages and
    comment prompts.  (Useful, for example, in shell
    scripts and background tasks).

-r, --recurse-paths
    Travel the directory structure recursively;
    for example: `zip -r archive.zip folder/`

-#  (-0, -1, -2, -3, -4, -5, -6, -7, -8, -9)
    The speed of compression.
    -0 means no compression.
    -1 indicates the fastest compression speed.
    -9 uses the optimal compression.

There are more options…

-v, --verbose
    Verbose mode or print diagnostic version info.

-T, --test
    Test the integrity of the new zip file.

-TT, --unzip-command
    Use custom command to test an archive
    when the -T option is used.

Fix Commit

Add ./ before filename.

How to run arbitrary code?

We could leverage zip -TT option.

$ zip -T -TT 'echo' file.zip

Try it!

Hint: File name could be "-v hello.zip".

Links

• 本次課程簡報、Lab 連結總整理：HackMD
• 此投影片：https://tg.pe/sdy
• 課程共筆：https://tg.pe/DGK

Log4j

JNDI Injection / CVE-2021-44228
CVSS Score: 10.0 (Critical)

Homework: http://sqlab.nycu.dev:44228/
Fix Commit: apache/logging-log4j2@c77b3cb