#攻击标题:uWSGI PHP Plugin目录遍历
#日期:2018年3月1日
#开发作者:Marios Nicolaides-RUNESEC
#评审人:西蒙·洛伊齐德斯和尼古拉斯·马基塔尼斯-鲁内塞克
#供应商主页:https://uwsgi-docs.readthedocs.io
#受影响的软件:2.0.17之前的uWSGI PHP Plugin
#测试依据:uWSGI 2.0.12和2.0.15
#公司代码:CVE-2018-7490
#类别:Web应用程序
概述
--------
在没有指定“PHP allowed docroot”选项的情况下,2.0.17之前的uWSGI PHP插件容易被目录遍历。
该漏洞是由于请求通过“php docroot”指定的DOCUMENT_ROOT目录下的资源时对文件路径的验证不正确造成的。
远程攻击者可以利用此漏洞,使用路径遍历序列(“..%2f”)从易受攻击的系统中读取任意文件。
这在uWSGI 2.0.12和2.0.15上进行了测试。2.0.17之前的所有版本都会受到影响。
细节
-------
uWSGI的文档指出,phpdocroot选项用于将我们的php环境囚禁在一个项目目录中(http://uwsgi docs.readthedocs.io/en/latest/PHP.html\run-php-apps-without-a-frontend-server)。
;将我们的php环境囚禁在project_dir中
php docroot=%(项目目录)
在测试过程中,观察到uWSGI在作为独立(没有前端web服务器)执行时受到目录遍历漏洞的影响,同时使用“php docroot”选项来强制web应用程序的DOCUMENT_ROOT。
uwsgi--http套接字:1337--protocol=http--plugin php--php索引索引.php--php docroot/home/testing/webapp/
攻击者可以通过使用路径遍历序列(“…%2f”)访问敏感信息来攻击此漏洞,如下所示:
http://example.runesec.com%2f….%2f….%2f….%2f/
我们注意到,当执行目录遍历攻击时,uWSGI发出以下安全错误:
[uwsgi fileserve]安全错误:/etc/passwd不在/home/testing/webapp下或安全路径下
但是,请求文件的内容(即/etc/passwd)仍然返回给用户。
在搜索了web上可能的解决方案之后,我们注意到“php-allowed-docroot”选项以前被添加到uWSGI中,以获得更好的安全性,并且可以用来列出允许的文档根,但是没有进一步的细节(http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).
在进一步的测试中,我们发现当使用“php allowed docroot”而不是“php docroot”选项时,它不受目录遍历攻击的影响。
uwsgi--http套接字:1337--protocol=http--plugin php--php索引索引.php--允许的根目录/php/webapp测试/
在与uWSGI项目进行了一次非常有建设性和有帮助的谈话之后,他们发布了一个更新,在使用“php docroot”选项来防止目录遍历攻击时,强制执行文档根检查。请参阅缓解部分了解更多信息。
影响
------
攻击者可以利用此漏洞获取对位于web根目录之外的敏感文件的未经授权的读取权限。
缓解
----------
建议更新至uWSGI 2.0.17-https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
参考文献
----------
https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
https://cve.mitre.org/cgi-bin/cvename.cgi?名称=CVE-2018-7490
https://nvd.nist.gov/vuln/detail/CVE-2018-7490
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
时间轴
--------
2017年6月26日-uWSGI项目告知了该问题
2018年2月26日-uWSGI项目发布了一个补丁
2018年3月1日-公开披露
phpinfo
Server API
uWSGI
可能会存在。此漏洞
https://www.exploit-db.com/exploits/44223
# Exploit Title: uWSGI PHP Plugin Directory Traversal
# Date: 01-03-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://uwsgi-docs.readthedocs.io
# Affected Software: uWSGI PHP Plugin before 2.0.17
# Tested on: uWSGI 2.0.12 and 2.0.15
# CVE: CVE-2018-7490
# Category: Web Application
OVERVIEW
--------
The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.
The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".
A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").
This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.
DETAILS
-------
The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server).
; jail our php environment to project_dir
php-docroot = %(project_dir)
During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the "php-docroot" option to enforce the DOCUMENT_ROOT of the web application.
uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/
An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below:
http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
We noticed that when a Directory Traversal attack was performed, uWSGI was issuing the following security error:
[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path
However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.
After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option was previously added to uWSGI for better security and could be used to list the allowed document roots but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).
Upon further testing, we observed that when the "php-allowed-docroot" was used instead of the "php-docroot" option, it was not affected by Directory Traversal attacks.
uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/
After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the "php-docroot" option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.
IMPACT
------
An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.
MITIGATION
----------
It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
REFERENCES
----------
https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
https://nvd.nist.gov/vuln/detail/CVE-2018-7490
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
TIMELINE
--------
26 June 2017 - uWSGI Project informed about the issue
26 February 2018 - uWSGI Project released a patch
1 March 2018 - Exploit publicly disclosed
672
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
