CVE & Demo

Author: Sean 韋詠祥
Slide: https://tg.pe/sdy

講者介紹

陽交資工大三 Sean 韋詠祥

現任經歷

系計中 Net 組、Web 組助教
SITCON 2022 議程組長
資訊之芽 Python 講師
行政院技服中心網路攻擊手

Grafana

Path Traversal / CVE-2021-43798
CVSS Score: 7.5 (High)

Fix Commit

Please refer to "grafana/grafana@c798c0e".

Why?

It's not safe to use "filepath.Join" for user input.

What is "`Rel`"?

func Rel(basepath, targpath)

/* Join(basepath, Rel(basepath, targpath)) == targpath */

Returns a relative path that is equivalent to targpath when joined to basepath with an /.

Return error if targpath can't be made relative to basepath.

How to fix it?

Check if it's relative path before

Try it!

Get "/flag" using skill you learn.

Hint: Use "curl --path-as-is" to preserve "../" path.

Apache 2.4.49

Path Traversal / CVE-2021-41773
CVSS Score: 7.5 (High)

Fix Commit

Looks familar?

We could use "%2e" or "%2E" to exploit it.

Try it!

The flag is located in "/flag" file.

Apache 2.4.50 (Hum?)

Path Traversal / CVE-2021-42013
CVSS Score: 9.8 (Critical)

Why?

Let's review previous security patch.

Fix Commit

Assert "%" will follow by two "[0-9a-f]" char.

Try it!

Use "%%32%65" to double encode.

elFinder (zip)

Command Injection / CVE-2021-32682
CVSS Score: 9.8 (Critical)

How to use `zip` command

$ zip -r9 -q 'target.zip' './source.txt'

-q, --quiet
    Quiet mode; eliminate informational messages and
    comment prompts.  (Useful, for example, in shell
    scripts and background tasks).

-r, --recurse-paths
    Travel the directory structure recursively;
    for example: `zip -r archive.zip folder/`

-#  (-0, -1, -2, -3, -4, -5, -6, -7, -8, -9)
    The speed of compression.
    -0 means no compression.
    -1 indicates the fastest compression speed.
    -9 uses the optimal compression.

There are more options…

-v, --verbose
    Verbose mode or print diagnostic version info.

-T, --test
    Test the integrity of the new zip file.

-TT, --unzip-command
    Use custom command to test an archive
    when the -T option is used.

Fix Commit

Add ./ before filename.

How to run arbitrary code?

We could leverage zip -TT option.

$ zip -T -TT 'echo' file.zip

Try it!

Hint: File name could be "-v hello.zip".

Thanks

Any questions?

Log4j

JNDI Injection / CVE-2021-44228
CVSS Score: 10.0 (Critical)

Homework: http://sqlab.nycu.dev:44228/
Fix Commit: apache/logging-log4j2@c77b3cb

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.

CVE & Demo

講者介紹

現任經歷

Grafana

Fix Commit

Why?

What is "Rel"?

How to fix it?

Try it!

Apache 2.4.49

Fix Commit

Looks familar?

Try it!

Apache 2.4.50 (Hum?)

Why?

Fix Commit

Try it!

elFinder (zip)

How to use zip command

There are more options…

Fix Commit

How to run arbitrary code?

Try it!

Thanks

Links

Log4j

What is "`Rel`"?

How to use `zip` command