【CVE-2019-3799】:Directory Traversal with spring-cloud-config-server
source link: https://chybeta.github.io/2019/04/18/%E3%80%90CVE-2019-3799%E3%80%91-Directory-Traversal-with-spring-cloud-config-server/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Security Advisory
https://pivotal.io/security/cve-2019-3799
Reproduce
DEMO: https://github.com/spring-cloud/spring-cloud-config#quick-start
Analysis
Spring Cloud Config provides server and client-side support for externalized configuration in a distributed system. With the Config Server you have a central place to manage external properties for applications across all environments.
According to the DOC,The Config Server provides these through an additional endpoint at /{name}/{profile}/{label}/{path}
where name
, profile
and label
have the same meaning as the regular environment endpoint, but path
is a file name (e.g. log.xml)。
For example if we want get test.json
as plain text, you can send this request:
So how the backend handle this request? When we send the payload, server
will dispatcher the request to org/springframework/cloud/config/server/resource/ResourceController.java:54
:
Step into retrieve
function which located inorg/springframework/cloud/config/server/resource/ResourceController.java:104
:
Continue step into the findOne
function:
You can see the locations
value is file:/tmp/config-repo-7168113927339570935/
. The Config-Server
will pull the remote repo and use the locations
folder to store these temporary files:
Notice the path
value is ..%2F..%2F..%2F..%2Fetc%2fpasswd
,so actually the full path like this :
at the end, when call StreamUtils.copyToString(is, Charset.forName("UTF-8")
, we can read the /etc/passwd
content:
Patch
https://github.com/spring-cloud/spring-cloud-config/commit/3632fc6f64e567286c42c5a2f1b8142bfde505c2
The backend will check whether the resource paths is valid via isInvalidPath
and isInvalidEncodedPath
:
:
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK