CVE 簡報 - SQLab Web Security

# CVE & Demo Author: Sean 韋詠祥 Slide: <https://tg.pe/sdy> ---- ## 講者介紹 - 陽交資工大三 Sean 韋詠祥 ---- ## 現任經歷 - 系計中 Net 組、Web 組助教 - SITCON 2022 議程組長 - 資訊之芽 Python 講師 - 行政院技服中心網路攻擊手 --- # Grafana Path Traversal / CVE-2021-43798 CVSS Score: 7.5 (High) ![](https://i.imgur.com/uIvmsm6.png) ---- ## Fix Commit Please refer to "`grafana/grafana@c798c0e`". ![](https://i.imgur.com/Fj9nrPC.png) ---- ## Why? It's not safe to use "`filepath.Join`" for user input. ![](https://i.imgur.com/Hh7WU42.png) ---- ## What is "`Rel`"? ```go func Rel(basepath, targpath) /* Join(basepath, Rel(basepath, targpath)) == targpath */ ``` Returns a relative path that is equivalent to `targpath` when joined to `basepath` with an `/`. Return error if `targpath` can't be made relative to `basepath`. ---- ## How to fix it? Check if it's relative path before ![](https://i.imgur.com/Fj9nrPC.png) ---- ## Try it! Get "`/flag`" using skill you learn. Hint: Use "`curl --path-as-is`" to preserve "`../`" path. --- # Apache 2.4.49 Path Traversal / CVE-2021-41773 CVSS Score: 7.5 (High) ![](https://i.imgur.com/Gsipgl7.png) ---- ## Fix Commit ![](https://i.imgur.com/3HgZkNi.png) ---- ## Looks familar? We could use "`%2e`" or "`%2E`" to exploit it. ![](https://i.imgur.com/w5Dk8Hc.png) ---- ## Try it! The flag is located in "`/flag`" file. --- # Apache 2.4.50 <small>(Hum?)</small> Path Traversal / CVE-2021-42013 CVSS Score: 9.8 (Critical) ![](https://i.imgur.com/R1OpDHX.png) ---- ## Why? Let's review previous security patch. ![](https://i.imgur.com/3HgZkNi.png) ---- ## Fix Commit Assert "`%`" will follow by two "`[0-9a-f]`" char. ![](https://i.imgur.com/aPYhoQm.png) ---- ## Try it! Use "`%%32%65`" to double encode. ![](https://i.imgur.com/w5Dk8Hc.png) --- ## elFinder (zip) Command Injection / CVE-2021-32682 CVSS Score: 9.8 (Critical) ---- ## How to use `zip` command ```shell $ zip -r9 -q 'target.zip' './source.txt' ``` ```text -q, --quiet Quiet mode; eliminate informational messages and comment prompts. (Useful, for example, in shell scripts and background tasks). ``` ```text -r, --recurse-paths Travel the directory structure recursively; for example: `zip -r archive.zip folder/` ``` ```text -# (-0, -1, -2, -3, -4, -5, -6, -7, -8, -9) The speed of compression. -0 means no compression. -1 indicates the fastest compression speed. -9 uses the optimal compression. ``` ---- ## There are more options... ```text -v, --verbose Verbose mode or print diagnostic version info. ``` ```text -T, --test Test the integrity of the new zip file. ``` ```text -TT, --unzip-command Use custom command to test an archive when the -T option is used. ``` ---- ## Fix Commit Add `./` before filename. ![](https://i.imgur.com/vCoid7K.png) ---- ## How to run arbitrary code? We could leverage `zip -TT` option. ```shell $ zip -T -TT 'echo' file.zip ``` ---- ## Try it! Hint: File name could be "`-v hello.zip`". --- # Thanks Any questions? ---- ## Links - 本次課程簡報、Lab 連結總整理：[HackMD](https://hackmd.io/@rwOHXl9KR8ug8MyhAVl6Wg/HkwrivUH5) - 此投影片：<https://tg.pe/sdy> - 課程共筆：<https://tg.pe/DGK> ---- ## Log4j JNDI Injection / CVE-2021-44228 CVSS Score: 10.0 (Critical) Homework: <http://sqlab.nycu.dev:44228/> Fix Commit: [apache/logging-log4j2@c77b3cb](https://github.com/apache/logging-log4j2/commit/c77b3cb)